ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

initrd/bin/kexec-unseal-key: never show final PCRs content but in DEBUG mode/Recovery Shell

Browse Source 
Next steps on this is introspection and PCRs reconstruction helpers, which will output in DEBUG and be usable from recovery shell.
We have to keep in mind that providing those tools is useful in DEBUG mode and for users having access to Recovery Shell.
But currently, having access to cbmem -L output and final PCRs content is making it too easy for Evil Maid to know what needs to be hardcoded to pass measured boot.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-01-19 12:34:37 -05:00
parent 6db03b0bdd
commit 4f2b1b68b0
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
initrd/bin/kexec-unseal-key
View File

@ -38,7 +38,7 @@ for tries in 1 2 3; do
exit 0
fi
pcrs
DEBUG $(pcrs)
warn "Unable to unseal disk encryption key"
done