bootspec-secureboot icon indicating copy to clipboard operation
bootspec-secureboot copied to clipboard
verified publisher icon DeterminateSystems

[WIP] pcr phases

Open ElvishJerricco opened this issue 2 years ago • 0 comments

Description

This enables the use of systemd's pcrphase units along with systemd-measure to lock TPM2 secrets to specific boot phases. The pcr-test.nix file demonstrates a LUKS volume that will only unlock during initrd (it also demonstrates that it won't unlock when secure boot settings have changed, but that's using simpler TPM2 locking).

This is authorized by a new key pair that the LUKS volume can trust upon TPM2 enrollment. As long as that key is only used to sign certain phases, that LUKS key can only be unlocked during those phases.

Checklist
  • [x] Built with cargo build
  • [x] Formatted with cargo fmt
  • [ ] Linted with cargo clippy
  • [x] Ran tests with cargo test
  • [ ] Added or updated relevant tests (leave unchecked if not applicable)
  • [ ] Added or updated relevant documentation (leave unchecked if not applicable)

ElvishJerricco avatar Apr 14 '23 16:04 ElvishJerricco