189 points arjvik | 1 comments
keeperofdakeys No.42734325
You can mitigate this by including PCRs that sign the kernel and initrd; however, it means whenever you update you need to unlock manually. On Red Hat-based distros this can be done with PCRs 8 and 9, though IIRC this may change on other distros.

Also AFAIK there is no standard way to guess the new PCRs on reboot so you can't pre-update them before rebooting. So you either need to unlock manually or use a network decryption like dracut-sshd.

replies(5): >>42734894 >>42735137 >>42735230 >>42735303 >>42740249
1. jakogut No.42740249
At least for PCR 7, it's well specified and documented how the digest is generated. You can dump the component digests of a PCR using `tpm2_eventlog`, and I've written a tool that can be used to populate the requisite data structures for hashing.

https://github.com/balena-os/tcgtool
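As an added example (not the commenters' code and not the linked tcgtool), the following Python replays the component digests of an event log into final PCR values using the TPM 2.0 extend rule, and then predicts what PCRs 8 and 9 would become after a kernel/initrd update, which is the "pre-update" problem the first comment raises. The event entries and digests are constructed placeholders, not real measurements.

```python
import hashlib

# Constructed sample event log, already decoded into (pcr_index, event_type, sha256 hex).
# On a real system these rows would come from `tpm2_eventlog`; these values are made up.
SAMPLE_EVENT_LOG = [
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", hashlib.sha256(b"SecureBoot=1").hexdigest()),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", hashlib.sha256(b"PK").hexdigest()),
    (8, "EV_IPL", hashlib.sha256(b"grub cmdline: root=/dev/mapper/root").hexdigest()),
    (9, "EV_IPL", hashlib.sha256(b"vmlinuz-6.1 contents").hexdigest()),
    (9, "EV_IPL", hashlib.sha256(b"initramfs-6.1 contents").hexdigest()),
]

def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend for the SHA-256 bank: new_pcr = SHA256(old_pcr || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay_pcrs(events) -> dict:
    """Replay decoded event log rows into final PCR values. Every PCR starts at 32 zero bytes
    (true for PCRs 0-16, which is what this example uses)."""
    pcrs = {}
    for idx, _etype, hexdigest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(32)), bytes.fromhex(hexdigest))
    return pcrs

def predict_after_update(events, replacements: dict) -> dict:
    """Predict post-reboot PCRs when some component digests change (e.g. a new kernel).
    `replacements` maps old component digest (hex) -> new component digest (hex).
    Only works for PCRs whose event order is stable across the update (an assumption)."""
    updated = [(i, t, replacements.get(d, d)) for i, t, d in events]
    return replay_pcrs(updated)

if __name__ == "__main__":
    before = replay_pcrs(SAMPLE_EVENT_LOG)
    old_kernel = hashlib.sha256(b"vmlinuz-6.1 contents").hexdigest()
    new_kernel = hashlib.sha256(b"vmlinuz-6.2 contents").hexdigest()
    after = predict_after_update(SAMPLE_EVENT_LOG, {old_kernel: new_kernel})
    for idx in sorted(before):
        changed = "CHANGED" if before[idx] != after[idx] else "same"
        print(f"PCR{idx}: {before[idx].hex()} -> {changed}")
```

Only PCR 9 changes in this run, which is why a policy sealed to PCR 9 must be re-sealed (or unlocked manually) after a kernel update while a PCR 7-only policy survives it.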