| 9 Mar 2023 |
|  Redstone joined the room. | 05:00:39 |
|  pedrohlc changed their profile picture. | 13:30:25 |
| 14 Mar 2023 |
|  mei 🌒& changed their display name from ckie (they/them) to ckie (they/them; heavily limited keyboard usage, dictation or voice only). | 01:10:19 |
| 15 Mar 2023 |
|  cornu joined the room. | 21:14:25 |
| 19 Mar 2023 |
|  quasineutral joined the room. | 11:44:55 |
| 23 Mar 2023 |
| mei 🌒& changed their display name from ckie (they/them; heavily limited keyboard usage, dictation or voice only) to ckie (they/them; limited keyboard usage, voice preferred). | 02:05:13 |
| 2 Apr 2023 |
|  aktaboot left the room. | 17:13:08 |
| 16 Apr 2023 |
|  ian luo joined the room. | 02:27:17 |
| 17 Apr 2023 |
|  GenericNerdyUsername joined the room. | 22:56:18 |
| 28 Apr 2023 |
 raitobezarius | ElvishJerricco: so you have TPM2 unlock with systemd-measure for PCRs? | 13:06:47 |
 ElvishJerricco | raitobezarius: Yea, using https://github.com/DeterminateSystems/bootspec-secureboot/pull/240 | 13:10:49 |
| raitobezarius | alright I might port this to lanzaboote | 13:17:10 |
| ElvishJerricco | Two things to note | 13:18:54 |
| ElvishJerricco | raitobezarius: 1) The systemd-pcrphase units are conditional on an efi variable set by systemd-stub. 2) it's overly convoluted; you don't have to use systemd-stub and systemd-measure and all that garbage because you can actually just use the systemd-pcrphase executable and just extend PCR 11 without all the PE section nonsense | 13:21:33 |
| raitobezarius | I know about 1) | 13:21:47 |
| raitobezarius | I didn't know about 2) | 13:22:03 |
| raitobezarius | lanzaboote stub is to become the systemd-stub nextgen :P | 13:22:34 |
| raitobezarius | So 1) is not a problem | 13:22:37 |
| ElvishJerricco | Yea the reason to bind things against the section contents of a UKI would be as a poor man's secure boot | 13:22:58 |
| ElvishJerricco | so if you have actual secure boot and bind to pcr 7, it's not important | 13:23:09 |
| ElvishJerricco | and at that point pcrphase is only serving the purpose of phase control, so that the TPM only unlocks things during the appropriate boot phase | 13:23:36 |
| ElvishJerricco | So I guess you still need something like systemd-measure, except if you don't care about measuring UKI sections you could leave those out and just measure the phase path | 13:27:07 |
| ElvishJerricco | which I don't think is a mode that systemd-measure will do | 13:27:30 |
 baloo | authenticode PE hash thing is just a matter of filtering out the checksum and the signature section from the hash | 17:33:19 |
| baloo | other than that, it's a plain hash of the file. | 17:33:34 |
| baloo | ( https://github.com/m4b/goblin/pull/362/files ) | 17:34:54 |
| 8 May 2023 |
| pedrohlc changed their profile picture. | 13:33:33 |
| 12 May 2023 |
|  samueldr changed their profile picture. | 02:29:46 |
|  lassulus changed their profile picture. | 10:12:06 |
| lassulus changed their profile picture. | 13:39:13 |
