Skip to content
This repository was archived by the owner on Oct 10, 2023. It is now read-only.

[WIP] pcr phases #240

Draft
ElvishJerricco wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[WIP] pcr phases #240

ElvishJerricco wants to merge 1 commit into from

Conversation

@ElvishJerricco
Copy link
Contributor

@ElvishJerricco ElvishJerricco commented Apr 14, 2023

Description

This enables the use of systemd's pcrphase units along with systemd-measure to lock TPM2 secrets to specific boot phases. The pcr-test.nix file demonstrates a LUKS volume that will only unlock during initrd (it also demonstrates that it won't unlock when secure boot settings have changed, but that's using simpler TPM2 locking).

This is authorized by a new key pair that the LUKS volume can trust upon TPM2 enrollment. As long as that key is only used to sign certain phases, that LUKS key can only be unlocked during those phases.

Checklist
  • Built with cargo build
  • Formatted with cargo fmt
  • Linted with cargo clippy
  • Ran tests with cargo test
  • Added or updated relevant tests (leave unchecked if not applicable)
  • Added or updated relevant documentation (leave unchecked if not applicable)

@ElvishJerricco ElvishJerricco marked this pull request as draft April 14, 2023 16:06
@ElvishJerricco ElvishJerricco force-pushed the pcr-phases branch 2 times, most recently from 0d4e983 to 4718f45 Compare April 14, 2023 16:27
@ElvishJerricco ElvishJerricco mentioned this pull request May 20, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ElvishJerricco