git.ipfire.org Git - thirdparty/systemd.git/commit
cryptenroll/repart/creds: no longer default to binding against literal PCR 7
author Lennart Poettering <lennart@poettering.net>
Tue, 28 Jan 2025 08:48:48 +0000 (09:48 +0100)
committer Lennart Poettering <lennart@poettering.net>
Thu, 30 Jan 2025 09:32:26 +0000 (10:32 +0100)
commit 4b840414be3b2d6520599d86d2b718a37574aabf
tree 2ea64e4663b1e995423c1cf8bd5d845f3e49e331
parent 0f477f1d0bd38c4f12aa27e8d34110ce43b12866
cryptenroll/repart/creds: no longer default to binding against literal PCR 7

PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.

Hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.

Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
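The brittleness the message describes, as an added illustration that is not part of this commit or of systemd's code: a simulated PCR 7 extend chain (simplified from the EFI variable events firmware actually logs; every variable content is a constructed placeholder) showing that a dbx update alone yields a different PCR 7 value, so a policy bound to the literal enrolled value no longer matches, and a helper showing what dropping 7 from the default PCR mask means in bitmask terms.

```python
import hashlib

# TPM PCRs start at all-zero bytes for the SHA-256 bank.
PCR_INITIAL = b"\x00" * 32

# Simplified order of Secure Boot variables measured into PCR 7.
# Real firmware logs an EFI_VARIABLE_DATA structure per event; here the
# event data is just the variable name followed by its (constructed) content.
SECURE_BOOT_VARS = ("SecureBoot", "PK", "KEK", "db", "dbx")


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM2 extend: new = SHA-256(old || SHA-256(event_data)). Order matters and
    there is no way to 'un-extend', which is what makes literal values brittle."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()


def measure_pcr7(variables: dict) -> bytes:
    """Replay the Secure Boot variable measurements and return the final PCR 7."""
    pcr = PCR_INITIAL
    for name in SECURE_BOOT_VARS:
        pcr = pcr_extend(pcr, name.encode() + variables[name])
    return pcr


def literal_policy_matches(enrolled_pcr7: bytes, variables: dict) -> bool:
    """A literal PCR policy unlocks only if the current PCR 7 equals the enrolled one."""
    return measure_pcr7(variables) == enrolled_pcr7


def pcr_mask(pcrs) -> int:
    """Bitmask of selected PCRs, e.g. [7] -> 0x80; the new default [] -> 0."""
    mask = 0
    for p in pcrs:
        mask |= 1 << p
    return mask


# Constructed baseline: the state at enrollment time.
BASELINE = {"SecureBoot": b"\x01", "PK": b"constructed-PK", "KEK": b"constructed-KEK",
            "db": b"constructed-db", "dbx": b"constructed-dbx-2024"}


def demo() -> dict:
    enrolled = measure_pcr7(BASELINE)
    # Only dbx changed, as happens with an fwupd-delivered dbx update.
    after_dbx_update = dict(BASELINE, dbx=b"constructed-dbx-2025")
    return {"unchanged": literal_policy_matches(enrolled, BASELINE),
            "after_dbx_update": literal_policy_matches(enrolled, after_dbx_update)}
```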
NEWS
TODO
man/systemd-creds.xml
man/systemd-cryptenroll.xml
src/creds/creds.c
src/cryptenroll/cryptenroll.c
src/cryptsetup/cryptsetup.c
src/repart/repart.c
src/shared/tpm2-util.h
test/units/TEST-70-TPM2.cryptsetup.sh