Merged
Conversation
Drop the build-time PCR 11 pre-calculation and runtime verification against /boot/expected-pcr11. With auto-enrollment, this was only a configuration sanity check (catches forgotten set-pcr11 after signing) but not a security boundary — both the UKI and expected-pcr11 live on the same unencrypted ESP, and Secure Boot already verifies the UKI. Removed: - calculate-pcr11.py tool and its packaging - configure-disk-image set-pcr11 subcommand - show_pcr11_status() from configure-disk-image status - expectedPcr11 derivation from secure-boot.nix - set-pcr11 invocation from vm.nix prepareWritableDisk - --verify-pcr11 flag from read-firmware-pcrs - Expected value verification from report-pcrs - calculate-pcr11 from flake.nix exports and devShell - All references in docs Kept: - PCR 11 is still read from the TPM and included in attestation policy (read-firmware-pcrs always includes it now) - report-pcrs still sends PCR 11 to the auto-enrollment daemon - systemd-pcrphase services still extend PCR 11 at boot - All auto-enrollment test assertions about PCR 11 in policy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove the build-time PCR 11 pre-calculation and runtime verification against /boot/expected-pcr11. With auto-enrollment, it was only an extra configuration check, but did not have any security benefits: both the UKI and expected-pcr11 live on the ESP, and Secure Boot already verifies the UKI.
Note: PCR 11 is still read from the TPM and included in attestation policy. It's just trusted on first use, during auto-enrollment. Just as the other PCRs we are attesting.