pcrlock: don't lock PCR 12 by default

This creates a chicken-and-egg problem: we stuff the pcrlock policy into
a credential in the ESP, but credentials get measured into PCR 12, hence
PCR 12 is both input and output of the pcrlock logic, which makes it
impossible to calculate.

Let's drop PCR 12 for now.

(We might want to pass the policy some other way one day, to avoid this,
but that's something for another day.)

Note that this still allows locking to PCR12 if people want to (for
example because they don't need this for the rootfs, and hence need no
cred passing via the ESP), this hence only changes the default, nothing
more.

Fixes: #33546
Lennart Poettering
2025-10-29 16:43:31 +01:00
committed by Luca Boccassi
parent b1856a6c4a
commit 19bf12bff3
2 changed files with 2 additions and 2 deletions


@@ -463,7 +463,7 @@
<para>If used with <command>predict</command> and <command>make-policy</command> this will override
which PCRs to include in the prediction and policy. If unspecified this defaults to PCRs 0-5, 7,
11-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified
11, 13-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified
explicitly) if there are measurements in the event log that do not match the current PCR value, or
there are unrecognized measurements in the event log, or components define measurements not seen in
the event log.</para>
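Review bot: The new default "0-5, 7, 11, 13-15" is stated but not explained, so a reader of the man page has no way to know why PCR 12 is skipped or when they can safely add it back. Since the option text already says it "will override which PCRs to include", add one sentence after the default, along the lines of the commit message: PCR 12 is left out because the pcrlock policy itself is passed as a credential via the ESP and credentials are measured into PCR 12, so including it by default would make the policy depend on its own output; it may be added explicitly when no credential passing via the ESP is needed. Also, "If unspecified this defaults to" reads better as "If unspecified, this defaults to".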


@@ -118,7 +118,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_entry_token, freep);
(UINT32_C(1) << TPM2_PCR_BOOT_LOADER_CONFIG) | \
(UINT32_C(1) << TPM2_PCR_SECURE_BOOT_POLICY) | \
(UINT32_C(1) << TPM2_PCR_KERNEL_BOOT) | \
(UINT32_C(1) << TPM2_PCR_KERNEL_CONFIG) | \
/* Note: we do not add PCR12/TPM2_PCR_KERNEL_CONFIG here, since our pcrlock policy ends up in there, and this would hence result in a conceptual loop */ \
(UINT32_C(1) << TPM2_PCR_SYSEXTS) | \
(UINT32_C(1) << TPM2_PCR_SHIM_POLICY) | \
(UINT32_C(1) << TPM2_PCR_SYSTEM_IDENTITY))
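Review bot: The replacement comment is a single very long line inside a line-continued macro definition; wrap it to the surrounding width (two or three `/* ... */ \` lines) so the `\` continuations stay readable. It would also help to say concretely where the loop comes from rather than "ends up in there": the policy is shipped as a credential in the ESP and credentials are measured into PCR 12, which is what the commit message explains and what the man-page hunk now documents as "11, 13-15"; keeping the two in sync is easier when both spell out the same reason. Finally, with `(UINT32_C(1) << TPM2_PCR_KERNEL_CONFIG)` gone from this mask, confirm the constant is still referenced elsewhere in the file so this does not leave an unused include or name behind.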