| 28 Apr 2023 |
ElvishJerricco | Yea the reason to bind things against the section contents of a UKI would be as a poor man's secure boot | 13:22:58 |
ElvishJerricco | so if you have actual secure boot and bind to pcr 7, it's not important | 13:23:09 |
ElvishJerricco | and at that point pcrphase is only serving the purpose of phase control, so that the TPM only unlocks things during the appropriate boot phase | 13:23:36 |
ElvishJerricco | So I guess you still need something like systemd-measure, except if you don't care about measuring UKI sections you could leave those out and just measure the phase path | 13:27:07 |
ElvishJerricco | which I don't think is a mode that systemd-measure will do | 13:27:30 |
baloo | authenticode PE hash thing is just a matter of filtering out the checksum and the signature section from the hash | 17:33:19 |
baloo | other than that, it's a plain hash of the file. | 17:33:34 |
baloo | ( https://github.com/m4b/goblin/pull/362/files ) | 17:34:54 |
| 15 May 2023 |
GenericNerdyUsername | idk if this is more of a question for https://matrix.to/#/#secure-boot:nixos.org, but https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ says PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR. | 20:38:49 |
GenericNerdyUsername | What do I do if I want to update the dbx? | 20:39:15 |
GenericNerdyUsername | * What do I do if I want to update the dbx, but have a key sealed against PCR7? | 20:40:34 |
GenericNerdyUsername | * idk if this is more of a question for https://matrix.to/#/#secure-boot:nixos.org, but https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ says PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. | 20:40:43 |
GenericNerdyUsername | Or rather, how do I prevent this being a problem in the future? | 20:41:06 |
GenericNerdyUsername | (I'm setting up full disk encryption with the key stored in the tpm) | 20:41:18 |
Julian Stecklina | As long as you have another key to unlock the volume and reenroll its key, you should be fine | 21:41:09 |
baloo | https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf#page=158 :) | 21:43:28 |
baloo | just add another layer of crypto | 21:44:26 |
baloo | now you just need to add support for EA policies to ... everything? | 21:45:46 |