|
|
|
|
|
|
by wiktor-k
1022 days ago
|
|
|
PCRs being problematic was actually one of the issues policy mechanism in TPM 2.0 was meant to resolve (see "Non-Brittle PCRs (New in 2.0)" in [0]). Tldr version is that you'd authorize OS manufacturer's kernel signing key to use the TPM key so that each time your OS vendor signs the kernel it's OK for the TPM. Sadly I don't think I've seen this deployed in the wild. [0]: https://ebrary.net/24725/computer_science/quick_loading |
|
|