TPM event log #7752
Comments
|
Currently working on this: added logging of PCR extensions into the main system log, currently working on parsing |
We were holding onto this until we have selinux support, the long term plan is to do something similar to systemd-pcrlock to support disk unlock when firmware updates might change PCR 7 data, also maybe tie to more PCR values for disk encryption |
This needs to be a separate log file (hence waiting on landing selinux so only machined can touch the file), but i guess we can accept the PR |
Is the goal like https://github.com/okirch/pcr-oracle? Unsure how would that work with firmware update. My openSUSE systems required LUKS key to boot after a firmware update. Maybe we could predict the FW PCR value if the image to be loaded is in a raw format or has PCR values listed. |
yeh, kind of similar, also this would really help once it lands fwupd/fwupd#6318 |
|
Well, should be workable. Not sure how would that work if new firmware, for example, changes the way it hashes NVRAM records or something else like Secure Boot data, but that shouldn't change at least on minor bugfix updates |
|
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
From the AsGO 2023 conference and systemd systemd/systemd#29004 we need to log the TPM events to prove we did extend PCR and also for future work for remote attestation and systemd-pcrlock functionality for Talos to support kexec
Ref: systemd/systemd#28891
The text was updated successfully, but these errors were encountered: