Add support for signing PCR policies for initializing NvPCRs #4377

Open
chrisccoulson wants to merge 1 commit into systemd:main from chrisccoulson:add-sign-nvpcr-init

@chrisccoulson

The way that NvPCRs are initialized and anchored in systemd is changing,
and to support this, the UKI needs to include signed PCR policies that
can authorize NvPCR initialization in early boot. This is enabled with a
new --sign-nvpcr-init option for ukify.

This adds a new "SignNvPCRInit=" option to control this. The default is
"auto" which will turn on this option if PCR signing is enabled and
ukify is new enough.

The corresponding systemd PR is systemd/systemd#42796
