From: Lennart Poettering Date: Wed, 29 Oct 2025 15:43:31 +0000 (+0100) Subject: pcrlock: don't lock PCR 12 by default X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19bf12bff36cf1e6dbc282c09742f951e380cc6e;p=thirdparty%2Fsystemd.git pcrlock: don't lock PCR 12 by default This creates a chicken-and-egg problem: we stuff the pcrlock policy into a credential in the ESP, but credentials get measured into PCR 12, hence PCR 12 is both input and output of the pcrlock logic, which makes it impossible to calculate. Let's drop PCR 12 for now. (We might want to pass the policy some other way one day, to avoid this, but that's something for another day.) Note that this still allows locking to PCR12 if people want to (for example because they don't need this for the rootfs, and hence need no cred passing via the ESP), this hence only changes the default, nothing more. Fixes: #33546 --- diff --git a/man/systemd-pcrlock.xml b/man/systemd-pcrlock.xml index 4d1a7200c5b..521f3a8bde4 100644 --- a/man/systemd-pcrlock.xml +++ b/man/systemd-pcrlock.xml @@ -463,7 +463,7 @@ If used with predict and make-policy this will override which PCRs to include in the prediction and policy. If unspecified this defaults to PCRs 0-5, 7, - 11-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified + 11, 13-15. Note that these commands will not include any PCRs in the prediction/policy (even if specified explicitly) if there are measurements in the event log that do not match the current PCR value, or there are unrecognized measurements in the event log, or components define measurements not seen in the event log. diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c index 9d167ef9194..3a294a91711 100644 --- a/src/pcrlock/pcrlock.c +++ b/src/pcrlock/pcrlock.c 
@@ -118,7 +118,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_entry_token, freep); (UINT32_C(1) << TPM2_PCR_BOOT_LOADER_CONFIG) | \ (UINT32_C(1) << TPM2_PCR_SECURE_BOOT_POLICY) | \ (UINT32_C(1) << TPM2_PCR_KERNEL_BOOT) | \ - (UINT32_C(1) << TPM2_PCR_KERNEL_CONFIG) | \ + /* Note: we do not add PCR12/TPM2_PCR_KERNEL_CONFIG here, since our pcrlock policy ends up in there, and this would hence result in a conceptual loop */ \ (UINT32_C(1) << TPM2_PCR_SYSEXTS) | \ (UINT32_C(1) << TPM2_PCR_SHIM_POLICY) | \ (UINT32_C(1) << TPM2_PCR_SYSTEM_IDENTITY))
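Review bot: the man/systemd-pcrlock.xml hunk changes the documented default to "PCRs 0-5, 7, 11, 13-15" but gives the reader no hint why PCR 12 is skipped, while the rationale only lives in the commit message. Since this paragraph is where users look up the default, add a sentence right after the `+ 11, 13-15.` line along the lines of: "PCR 12 is not included by default because the pcrlock policy is itself passed as a credential that is measured into that PCR; it may still be selected explicitly." Otherwise the updated list matches the code change.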
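Review bot: in the src/pcrlock/pcrlock.c hunk the removed bit term is replaced by a single very long `/* ... */` comment that now carries the macro continuation backslash. That keeps the `#define` well-formed today, but a comment line that ends the macro continuation is fragile: if someone later reflows the comment and drops the trailing `\`, the `#define` ends there and the following `(UINT32_C(1) << TPM2_PCR_SYSEXTS) | \` lines become a stray expression outside the macro. Prefer moving the note to an ordinary comment above the `#define` (or wrapping it across several continued lines within the project's line length) so the continued lines stay bare bit terms. Also, the comment says the policy "ends up in" PCR 12, whereas the commit message says the credential carrying it is measured there; "the credential carrying the pcrlock policy is measured into PCR 12" is the more precise wording.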