From: Luca Boccassi
Date: Thu, 30 Jan 2025 14:57:15 +0000 (+0000)
Subject: cryptenroll/repart/creds: no longer default to binding against literal PCR 7 (#36200)
X-Git-Tag: v258-rc1~1449
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=515ab90e4d5a5a742284986333ff5084546de7f7;p=thirdparty%2Fsystemd.git

cryptenroll/repart/creds: no longer default to binding against literal PCR 7 (#36200)

PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the denylist of bad actors. That list is pretty much as frequently updated as firmware these days (as fwupd took over automatic updating).

This means literal PCR 7 policies are problematic: they likely break soon, and are as brittle as any other literal PCR policies.

Hence, pick safer defaults, i.e. exclude PCR 7 from the default mask. This means the mask is now empty.

Generally, people should really switch to signed PCR policies covering PCR 11, in combination with systemd-pcrlock for the other PCRs.
---
515ab90e4d5a5a742284986333ff5084546de7f7
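The brittleness the commit message describes can be reproduced without a TPM by replaying the PCR extend operation over a measured event log. The following is an added example, not code from systemd or from this commit: it simulates the SHA-256 bank of PCR 7 with a constructed, simplified stand-in for the SecureBoot variable measurements (the real firmware measures EFI variable data structures, not these placeholder strings), seals a secret against the resulting value, then applies a dbx update of the kind fwupd ships and checks whether a literal-PCR policy still matches.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank: PCRs start zeroed and are 32 bytes wide


def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM 2.0 PCR extend on the SHA-256 bank: new = H(old || H(event_data))."""
    event_digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def replay(events) -> bytes:
    """Replay an ordered list of measured events from a zeroed PCR."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def pcr7_events(dbx_blob: bytes):
    """Constructed, simplified stand-in for the PCR 7 event sequence: the
    SecureBoot variables in the order firmware measures them (SecureBoot,
    PK, KEK, db, dbx), a separator, then the authority that verified the
    bootloader. Only dbx varies here; the other blobs are fixed placeholders."""
    return [
        b"EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot=\x01",
        b"EV_EFI_VARIABLE_DRIVER_CONFIG:PK=<constructed platform key>",
        b"EV_EFI_VARIABLE_DRIVER_CONFIG:KEK=<constructed key exchange key>",
        b"EV_EFI_VARIABLE_DRIVER_CONFIG:db=<constructed allow-list>",
        b"EV_EFI_VARIABLE_DRIVER_CONFIG:dbx=" + dbx_blob,
        b"EV_SEPARATOR",
        b"EV_EFI_VARIABLE_AUTHORITY:db=<constructed cert that signed the bootloader>",
    ]


def literal_policy_allows(sealed_pcr_value: bytes, live_pcr_value: bytes) -> bool:
    """A literal PCR policy releases the secret only when the live PCR value
    equals the value it was sealed against, byte for byte."""
    return sealed_pcr_value == live_pcr_value


def simulate_dbx_update() -> dict:
    """Seal against today's PCR 7, then apply a dbx update (as fwupd would) and
    check whether the same secret could still be unsealed afterwards."""
    dbx_before = b"<constructed dbx v1>"
    dbx_after = b"<constructed dbx v2: one more revoked hash>"

    sealed_pcr7 = replay(pcr7_events(dbx_before))       # value baked into the policy
    pcr7_after_update = replay(pcr7_events(dbx_after))  # value after the next boot

    return {
        "sealed": sealed_pcr7.hex(),
        "after_update": pcr7_after_update.hex(),
        "unseal_ok_before": literal_policy_allows(sealed_pcr7, replay(pcr7_events(dbx_before))),
        "unseal_ok_after": literal_policy_allows(sealed_pcr7, pcr7_after_update),
    }


if __name__ == "__main__":
    for key, value in simulate_dbx_update().items():
        print(f"{key}: {value}")
```

Every extend is a one-way hash chain, so a single changed entry in dbx yields an unrelated PCR 7 value and the sealed secret becomes unreachable until it is re-enrolled; nothing about the boot was less trustworthy, the denylist merely grew. That is why the commit removes PCR 7 from the default mask and points at signed PCR 11 policies, which bind to a signature over the expected value rather than to the value itself.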