| 28 Apr 2023 |
ElvishJerricco | Two things to note | 13:18:54 |
ElvishJerricco | raitobezarius: 1) The systemd-pcrphase units are conditional on an efi variable set by systemd-stub. 2) it's overly convoluted; you don't have to use systemd-stub and systemd-measure and all that garbage because you can actually just use the systemd-pcrphase executable and just extend PCR 11 without all the PE section nonsense | 13:21:33 |
raitobezarius | I know about 1) | 13:21:47 |
raitobezarius | I didn't know about 2) | 13:22:03 |
raitobezarius | lanzaboote stub is to become the systemd-stub nextgen :P | 13:22:34 |
raitobezarius | So 1) is not a problem | 13:22:37 |
ElvishJerricco | Yea the reason to bind things against the section contents of a UKI would be as a poor man's secure boot | 13:22:58 |
ElvishJerricco | so if you have actual secure boot and bind to pcr 7, it's not important | 13:23:09 |
ElvishJerricco | and at that point pcrphase is only serving the purpose of phase control, so that the TPM only unlocks things during the appropriate boot phase | 13:23:36 |
ElvishJerricco | So I guess you still need something like systemd-measure, except if you don't care about measuring UKI sections you could leave those out and just measure the phase path | 13:27:07 |
ElvishJerricco | which I don't think is a mode that systemd-measure will do | 13:27:30 |
baloo | authenticode PE hash thing is just a matter of filtering out the checksum and the signature section from the hash | 17:33:19 |
baloo | other than that, it's a plain hash of the file. | 17:33:34 |
baloo | ( https://github.com/m4b/goblin/pull/362/files ) | 17:34:54 |
| 8 May 2023 |
| @pedrohlc:mozilla.org changed their profile picture. | 13:33:33 |
| 12 May 2023 |
| samueldr changed their profile picture. | 02:29:46 |
| lassulus changed their profile picture. | 10:12:06 |
| lassulus changed their profile picture. | 13:39:13 |
| 14 May 2023 |
| sympt joined the room. | 07:33:28 |
| 15 May 2023 |
GenericNerdyUsername | idk if this is more of a question for https://matrix.to/#/#secure-boot:nixos.org, but https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ says PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. The shim project will measure most of its (non-MOK) certificates and SBAT data into this PCR. | 20:38:49 |
GenericNerdyUsername | What do I do if I want to update the dbx? | 20:39:15 |
GenericNerdyUsername | * What do I do if I want to update the dbx, but have a key sealed against PCR7? | 20:40:34 |
GenericNerdyUsername | * idk if this is more of a question for https://matrix.to/#/#secure-boot:nixos.org, but https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ says PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. | 20:40:43 |
GenericNerdyUsername | Or rather, how do I prevent this being a problem in the future? | 20:41:06 |
GenericNerdyUsername | (Im setting up full disk encryption with the key stored in the tpm) | 20:41:18 |
Julian Stecklina (Old) | As long as you have another key to unlock the volume and reenroll its key, you should be fine | 21:41:09 |
baloo | https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf#page=158 :) | 21:43:28 |
baloo | just add another layer of crypto | 21:44:26 |
baloo | now you just need to add support for EA policies to ... everything? | 21:45:46 |
| 25 May 2023 |
| raitobezarius changed their display name from raitobezarius to disko in NixOS 23.11 when. | 13:32:34 |