git.ipfire.org Git - thirdparty/systemd.git/commit
vmspawn: disable all PCR banks but SHA256
author    Lennart Poettering <lennart@poettering.net>
          Fri, 23 Feb 2024 16:23:06 +0000 (17:23 +0100)
committer Lennart Poettering <lennart@poettering.net>
          Fri, 23 Feb 2024 16:27:56 +0000 (17:27 +0100)
commit    519bad6c2c23d3c2dc9558878becb485f3ae9057
tree      a3ebd390c392b6b7dd09a54e8654263862b4cb88
parent    d90a05b68faf38eb3b67664ed2a7bbd263d19f2e

By default swtpm runs with four banks: SHA1, SHA256, SHA384, SHA512.
This means all data that is part of the boot will be hashed four times,
which slows everything down.

Let's restrict things to SHA256 only, which is the one that really
matters. SHA1 is not up to today's standards anyway, and no one really
consumes the other two, hence no point in enabling this.

To disable the banks we need to call swtpm_setup with --pcr-banks. Do
so.
src/vmspawn/vmspawn-scope.c
src/vmspawn/vmspawn-scope.h
src/vmspawn/vmspawn.c