This creates a chicken-and-egg problem: we stuff the pcrlock policy into
a credential in the ESP, but credentials get measured into PCR 12, hence
PCR 12 is both input and output of the pcrlock logic, which makes it
impossible to calculate.
Let's drop PCR 12 for now.
(We might want to pass the policy some other way one day, to avoid this,
but that's something for another day.)
Note that this still allows locking to PCR 12 if people want to (for
example because they don't need this for the rootfs, and hence need no
cred passing via the ESP); this hence only changes the default, nothing
more.
Fixes: #33546
<para>If used with <command>predict</command> and <command>make-policy</command> this will override
which PCRs to include in the prediction and policy. If unspecified this defaults to PCRs 0-5, 7,
- 11-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified
+ 11, 13-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified
explicitly) if there are measurements in the event log that do not match the current PCR value, or
there are unrecognized measurements in the event log, or components define measurements not seen in
the event log.</para>
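Review bot: the new default list "0-5, 7, 11, 13-15" drops PCR 12 without telling the reader why, so someone comparing the man page against the previous default will assume a typo. Add a short sentence after the default, along the lines of "PCR 12 is excluded by default because the pcrlock policy itself is passed as a credential via the ESP and thus measured into PCR 12; include it explicitly if the policy is not delivered that way", which is the reasoning given in the commit message and keeps the documentation self-explanatory.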
(UINT32_C(1) << TPM2_PCR_BOOT_LOADER_CONFIG) | \
(UINT32_C(1) << TPM2_PCR_SECURE_BOOT_POLICY) | \
(UINT32_C(1) << TPM2_PCR_KERNEL_BOOT) | \
- (UINT32_C(1) << TPM2_PCR_KERNEL_CONFIG) | \
+ /* Note: we do not add PCR12/TPM2_PCR_KERNEL_CONFIG here, since our pcrlock policy ends up in there, and this would hence result in a conceptual loop */ \
(UINT32_C(1) << TPM2_PCR_SYSEXTS) | \
(UINT32_C(1) << TPM2_PCR_SHIM_POLICY) | \
(UINT32_C(1) << TPM2_PCR_SYSTEM_IDENTITY))
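Review bot: the replacement comment sits on one very long `\`-continued line in the middle of the macro, which makes the bitmask harder to scan than the removed `(UINT32_C(1) << TPM2_PCR_KERNEL_CONFIG) | \` line it stands in for; wrap it across two or three `\`-terminated comment lines, and mention `#33546` in it so the reason for the gap in an otherwise contiguous PCR list is discoverable from the code. Since this silently changes the default prediction/policy for existing users who relied on PCR 12 being covered, the change also deserves a NEWS entry stating that PCR 12 must now be requested explicitly via the option documented in the man page hunk.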