talos

mirrors/talos

Fork 0

mirror of https://github.com/siderolabs/talos.git synced 2025-10-28 15:01:13 +01:00

Commit Graph

Author	SHA1	Message	Date
Dmitriy Matrenichev	19f15a840c	chore: bump golangci-lint to 1.57.0 Fix all discovered issues. Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>	2024-03-21 01:06:53 +03:00
Noel Georgi	166d75fe88	fix: tpm2 encrypt/decrypt flow The previous flow was using TPM PCR 11 values to bound the policy which means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7 which is bound to the SecureBoot state (SecureBoot status and Certificates). This provides a full chain of trust bound to SecureBoot state and signed PCR signature. Also the code has been refactored to use PolicyCalculator from the TPM library. Signed-off-by: Noel Georgi <git@frezbo.dev>	2023-07-14 23:58:59 +05:30

Author

SHA1

Message

Date

Dmitriy Matrenichev

19f15a840c

chore: bump golangci-lint to 1.57.0

Fix all discovered issues.

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>

2024-03-21 01:06:53 +03:00

Noel Georgi

166d75fe88

fix: tpm2 encrypt/decrypt flow

The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.

Also the code has been refactored to use PolicyCalculator from the TPM
library.

Signed-off-by: Noel Georgi <git@frezbo.dev>

2023-07-14 23:58:59 +05:30

2 Commits