Hacker News new | ask | show | jobs
by mjg59 1103 days ago
The TPM isn't involved in secure boot. Could you provide some more details about what went wrong?
1 comments
lostmsu 1103 days ago
It is about full disk encryption with automatic unlock during boot. One needs to make TPM dependent on a successful secure boot to allow access to decryption. The boot completes no problem, but the TPM entry that controls access needs to be manually recreated with each new kernel update.

See https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a... , the bit "then auto volume decryption on your next reboot will fail". This makes sense.

link
mjg59 1101 days ago
Using anything other than PCR 7 is going to make it very fragile, yes - I have no idea why that doc is recommending using PCR 4 as well.
link
lostmsu 1100 days ago
To defend against an attacker with physical access to an offline machine you need to verify anything that the attacker can overwrite without the encryption key. Aren't bootloader and kernel on the writable unencrypted partition?
link
mjg59 1100 days ago
If you have secure boot enabled, how does the attacker replace the kernel or bootloader?
link
lostmsu 1100 days ago
Pull the drive out, insert it into his machine, replace, then insert it back.
link
mjg59 1100 days ago
And now the signature doesn't match, so the system doesn't boot
link