mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-26 22:11:38 +01:00
The previous flow was using TPM PCR 11 values to bind the policy, which means the TPM cannot unseal when the UKI changes. Now it's fixed to use PCR 7, which is bound to the SecureBoot state (SecureBoot status and Certificates). This provides a full chain of trust bound to SecureBoot state and signed PCR signature. Also the code has been refactored to use PolicyCalculator from the TPM library.

Signed-off-by: Noel Georgi <git@frezbo.dev>
15 lines
481 B
Go
```go
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Package tpm2 provides TPM2.0 related functionality helpers.
package tpm2

// SealedResponse is the response from the TPM2.0 Seal operation.
type SealedResponse struct {
	SealedBlobPrivate []byte
	SealedBlobPublic  []byte
	KeyName           []byte
	PolicyDigest      []byte
}
```
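Why a policy digest bound to PCR 11 stops matching after a UKI change while one bound to PCR 7 does not, as an added example that is not code from the Talos repository. It computes only the TPM2_PolicyPCR step of a SHA-256 policy as defined in the TPM 2.0 specification; the signed PCR policy mentioned in the commit message is not modelled, and `fakePCR`, `survives` and the PCR contents are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// policyPCRDigest returns what a fresh SHA-256 policy session holds after one TPM2_PolicyPCR:
// H(zero digest || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values)).
func policyPCRDigest(bound []int, state map[int][]byte) []byte {
	idx := append([]int(nil), bound...)
	sort.Ints(idx)         // PCR values are hashed in ascending index order
	sel := make([]byte, 3) // selection bitmap covering PCR 0-23
	values := sha256.New()
	for _, i := range idx {
		sel[i/8] |= byte(1) << uint(i%8)
		values.Write(state[i])
	}
	h := sha256.New()
	h.Write(make([]byte, sha256.Size))                  // session digest starts at all zeroes
	binary.Write(h, binary.BigEndian, uint32(0x017F))   // TPM_CC_PolicyPCR
	binary.Write(h, binary.BigEndian, uint32(1))        // one TPMS_PCR_SELECTION entry
	binary.Write(h, binary.BigEndian, uint16(0x000B))   // TPM_ALG_SHA256 bank
	h.Write([]byte{byte(len(sel))})                     // sizeofSelect
	h.Write(sel)
	h.Write(values.Sum(nil))
	return h.Sum(nil)
}

// fakePCR builds a constructed 32-byte stand-in for a PCR value (not a real measurement).
func fakePCR(label string) []byte {
	s := sha256.Sum256([]byte(label))
	return s[:]
}

// survives reports whether a policy bound to the given PCRs still matches after a state change.
func survives(bound []int, before, after map[int][]byte) bool {
	return bytes.Equal(policyPCRDigest(bound, before), policyPCRDigest(bound, after))
}

func main() {
	v1 := map[int][]byte{7: fakePCR("secureboot-state"), 11: fakePCR("uki-v1")}
	v2 := map[int][]byte{7: fakePCR("secureboot-state"), 11: fakePCR("uki-v2")} // UKI upgraded
	fmt.Println("PCR 11 policy still matches after UKI upgrade:", survives([]int{11}, v1, v2))
	fmt.Println("PCR 7 policy still matches after UKI upgrade: ", survives([]int{7}, v1, v2))
}
```

A digest computed this way is the kind of value a field such as `PolicyDigest` would carry; the TPM releases the sealed blob only when the session's digest equals the one stored with the object.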