by ivlad
1016 days ago
> it was perfectly reasonable to allow the user to take control of the initramfs prior to LUKS unlock!

It still looks perfectly reasonable, just PCR should be fed with some value before that, maybe a hash of the initramfs file? It seems to be reasonable, as at this moment the state of the operating system differs from the one properly booted, which seems to fit the idea of secure boot. This way it would be possible to still unlock LUKS with a pass phrase but not access TPM keys locked for configuration when initramfs shell is not running.
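The idea in the comment above, modelled in software as an added example that is not part of the original thread: a PCR is extended with the hash of the initramfs before an emergency shell starts, so a key sealed to the normal-boot PCR value can no longer be released. The `SealedKey` class, the measurement names and the sample bytes are constructed stand-ins, not a real TPM interface.

```python
import hashlib

PCR_SIZE = 32  # size of one PCR in the SHA-256 bank


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def replay(events) -> bytes:
    """Replay a measurement log starting from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr


class SealedKey:
    """Hypothetical stand-in for a TPM object whose policy pins one PCR value."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        if current_pcr != self._expected:
            raise PermissionError("PCR policy mismatch")
        return self._secret


# Constructed sample measurements for a normal boot.
NORMAL_BOOT = [b"bootloader", b"kernel-image", b"kernel-cmdline"]
INITRAMFS = b"constructed initramfs contents"


def demo():
    key = SealedKey(b"luks-volume-key", replay(NORMAL_BOOT))
    # Normal boot: the PCR matches the sealing policy, the key is released.
    normal = key.unseal(replay(NORMAL_BOOT))
    # Emergency shell path: extend with the initramfs hash BEFORE the shell runs.
    shell_pcr = extend(replay(NORMAL_BOOT), INITRAMFS)
    try:
        key.unseal(shell_pcr)
        shell = "unsealed"
    except PermissionError:
        shell = "refused"
    return normal, shell
```

Because extend is one-way, nothing run from the shell can return the PCR to the normal-boot value without a reset; a LUKS passphrase keyslot does not depend on PCR state and keeps working.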