talos

mirrors/talos

Fork 0

mirror of https://github.com/siderolabs/talos.git synced 2025-10-27 14:31:11 +01:00

Commit Graph

Author	SHA1	Message	Date
Noel Georgi	166d75fe88	fix: tpm2 encrypt/decrypt flow The previous flow was using TPM PCR 11 values to bound the policy which means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7 which is bound to the SecureBoot state (SecureBoot status and Certificates). This provides a full chain of trust bound to SecureBoot state and signed PCR signature. Also the code has been refactored to use PolicyCalculator from the TPM library. Signed-off-by: Noel Georgi <git@frezbo.dev>	2023-07-14 23:58:59 +05:30

Author

SHA1

Message

Date

Noel Georgi

166d75fe88

fix: tpm2 encrypt/decrypt flow

The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.

Also the code has been refactored to use PolicyCalculator from the TPM
library.

Signed-off-by: Noel Georgi <git@frezbo.dev>

2023-07-14 23:58:59 +05:30

1 Commits