]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 759cf7e) | patch
measure: drop incomplete support for PCRs != 11
authorLennart Poettering <lennart@poettering.net>
Tue, 2 Jul 2024 07:14:38 +0000 (09:14 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 3 Jul 2024 14:15:04 +0000 (16:15 +0200)
commitc8bcf7ecf715aadd077cb2850e24122bebf19b6e
treeb6b49054b06ef206896ab0b499d8c7910772a209tree | snapshot
parent759cf7e10ae774342835dcb962e6b1144e9bc1a4commit | diff
measure: drop incomplete support for PCRs != 11

At this point we have a clearer model:

* systemd-measure should be used for measuring UKIs on vendor build
  systems, i.e. only cover stuff predictable by the OS vendor, and
  identical on all systems. And that is pretty much only PCR 11.

* systemd-pcrlock should cover the other PCRs, which carry inherently
  local information, and can only be predicted locally and not already
  on vendor build systems.

Because of that, let's not bother with any PCRs except for 11 in
systemd-measure. This was added at a time where systemd-pcrlock didn't
exist yet, and hence it wasn't clear how this will play out in the end.
man/systemd-measure.xml diff | blob | blame | history
src/boot/measure.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.