189 points by arjvik | 1 comment
keeperofdakeys (No.42734325)
You can mitigate this by including PCRs that sign the kernel and initrd; however, it means that whenever you update, you need to unlock manually. On Red Hat-based distros this can be done with PCRs 8 and 9, though IIRC this may differ on other distros.

Also, AFAIK there is no standard way to predict the new PCR values before a reboot, so you can't pre-update them before rebooting. So you either need to unlock manually or use a network decryption like dracut-sshd.

jansommer (No.42735137)
You can use tpm2_policyauthorize and allow the PCR to change without having to manually unlock. This was not supported in TPM 1.2.

You can use it with systemd.

https://github.com/tpm2-software/tpm2-tools/blob/master/man/...
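To make the difference between the two comments concrete, here is an added illustration (not code from the thread or from tpm2-tools) that reproduces the TPM 2.0 policy-digest arithmetic for TPM2_PolicyPCR and TPM2_PolicyAuthorize: a PCR-bound policy digest changes as soon as PCR 9 changes after a kernel update, while the authorized-policy digest binds only the Name of a signing key and so stays fixed. The PCR values and the signing key's public area are constructed placeholders; the marshaling follows the TPM 2.0 Library specification (Parts 2 and 3) as I read it.

```python
import hashlib
import struct

# TPM 2.0 command codes and algorithm IDs that enter the policy digest
TPM_CC_POLICYPCR = 0x0000017F
TPM_CC_POLICYAUTHORIZE = 0x0000016A
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = b"\x00" * 32  # a fresh policy session starts with an all-zero digest


def pcr_selection(pcrs):
    """Marshal a TPML_PCR_SELECTION with a single SHA-256 bank (count=1, 3-byte select bitmap)."""
    bitmap = bytearray(3)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr(pcr_values, start=ZERO_DIGEST):
    """TPM2_PolicyPCR: H(old || CC || pcrSelection || H(selected PCR values in index order)).
    pcr_values maps PCR index -> 32-byte bank value, so any changed PCR changes the result."""
    pcrs = sorted(pcr_values)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in pcrs)).digest()
    payload = start + struct.pack(">I", TPM_CC_POLICYPCR) + pcr_selection(pcrs) + pcr_digest
    return hashlib.sha256(payload).digest()


def policy_authorize(signing_key_name, policy_ref=b"", start=ZERO_DIGEST):
    """TPM2_PolicyAuthorize: extend with the signer's Name, then with policyRef.
    Only the key identity is bound, so this digest is independent of PCR contents."""
    step = hashlib.sha256(start + struct.pack(">I", TPM_CC_POLICYAUTHORIZE) + signing_key_name).digest()
    return hashlib.sha256(step + policy_ref).digest()


def tpm_name(public_area):
    """Name of a TPM object: nameAlg || H_nameAlg(marshaled TPMT_PUBLIC)."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()


def demo():
    """Constructed PCR 8/9 values before and after a kernel+initrd update (placeholders)."""
    before = {8: hashlib.sha256(b"grub-cmdline-v1").digest(),
              9: hashlib.sha256(b"vmlinuz+initrd-v1").digest()}
    after = {**before, 9: hashlib.sha256(b"vmlinuz+initrd-v2").digest()}
    signer = tpm_name(b"constructed-RSA-public-area")  # placeholder, not a real key
    # The sealed object bound to policy_pcr(before) cannot be unsealed with `after`,
    # whereas one bound to policy_authorize(signer) only needs a fresh signed PCR policy.
    return policy_pcr(before), policy_pcr(after), policy_authorize(signer)
```

The authorized digest is what you would pass as the sealing policy; after an update the signing key signs the new policy_pcr digest, and that signature is what lets the unchanged sealed object be unsealed.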