From: Lennart Poettering Date: Wed, 16 Mar 2022 10:00:27 +0000 (+0100) Subject: NEWS: add entry announcing PCR change X-Git-Tag: v251-rc1~136^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F22761%2Fhead;p=thirdparty%2Fsystemd.git NEWS: add entry announcing PCR change --- diff --git a/NEWS b/NEWS index 248cc0fdb40..712c0fc572b 100644 --- a/NEWS +++ b/NEWS @@ -109,6 +109,19 @@ CHANGES WITH 251: 250. For newer kernels, non-x86 systems, or older x86 systems, there should be no visible changes. + * sd-boot will now measure the kernel command line into TPM PCR 12 + rather than PCR 8. This improves usefulness of the measurements on + sytems where sd-boot is chainloaded from Grub. Grub measures all + commands its executes into PCR 8, which makes it very hard to use + reasonably, hence separate ourselves from that and use PCR 12 + instead, which is already what certain Ubuntu editions use it for. To + retain compatibility with systems running older systemd systems a new + Meson option 'efi-tpm-pcr-compat' has been added (which defaults to + false). If enabled, the measurement is done twice: into the new-style + PCR 12 *and* the old-style PCR 8. It's strongly advised to migrate + all users to PCR 12 for this purpose in the long run, as we intend to + remove this compatibility feature again in two year's time. + CHANGES WITH 250: * Support for encrypted and authenticated credentials has been added.
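Review bot: The new NEWS entry has three typos and one awkward phrase that should be fixed before release: "sytems" should be "systems", "all commands its executes" should be "all commands it executes", "in two year's time" should be "in two years' time", and "systems running older systemd systems" would read better as "systems running older systemd versions". The entry also leaves two things unclear that the rest of the paragraph relies on. First, it advises migrating "all users to PCR 12" but does not say what is affected by the move: consider adding one sentence stating that anything that depends on the kernel command line measurement in PCR 8 needs to be updated to PCR 12, or built with 'efi-tpm-pcr-compat' enabled in the meantime. Second, the removal of the compat option is given only as a relative time; naming it relative to this release (251) would make the deadline unambiguous for readers who see this entry later.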