forked from containers/bootc
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
install: tpm2-luks: Do not bind to any PCRs with cryptenroll
The default binding to PCR7 just causes problems without adding much value in reality. With a generic OS/distribution being installed (i.e. no custom Secure Boot chain) a malicious actor who managers to get access to a disk outside of a machine can usually arrange to boot using the same PCR7 state. The problem it causes is it creates a hard version locking requirement between the host system running `bootc install` and the target OS. A related, but opposite problem in a way is that today we don't update shim by default, except when opted-in via `bootupctl update`; to do so while doing PCR 7 locking will require e.g. bootupd to learn how to re-enroll with new shim's PCR7 state. Signed-off-by: Colin Walters <[email protected]>
- Loading branch information
Showing
4 changed files
with
61 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
[install] | ||
block = ["direct", "tpm2-luks"] |