You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've tested the results of the PCR with tmp2-tool:tpm2_pcrread which told me that only PCR 4, 9, and 11 changed on booting a different system.
However, you cannot rely on PCR 4, 9, and 11 as they change along with whichever derivation you booted. Even if the derivation that you booted has only just changed 1 package not related to security.
I know lanzaboote is still in development, but I wanted to ask if there is anything currently that allows for booting different derivations without having to renroll PCR9 and 11.
I think there are currently 2 ways to do this:
Just use PCR <7, this is not recommended according to a few sources.
Automatically renroll PCR 9 and 11, however, I don't think this is possible as you have to boot them first.
Are there plans to add other registers to this so that the securely booted image can be along with firmware variables to ensure that the entire boot chain is secure?
The text was updated successfully, but these errors were encountered:
I've tested the results of the PCR with
tmp2-tool:tpm2_pcrreadwhich told me that only PCR 4, 9, and 11 changed on booting a different system.However, you cannot rely on PCR 4, 9, and 11 as they change along with whichever derivation you booted. Even if the derivation that you booted has only just changed 1 package not related to security.
I know lanzaboote is still in development, but I wanted to ask if there is anything currently that allows for booting different derivations without having to renroll PCR9 and 11.
I think there are currently 2 ways to do this:
Are there plans to add other registers to this so that the securely booted image can be along with firmware variables to ensure that the entire boot chain is secure?
The text was updated successfully, but these errors were encountered: