Lennart Poettering on Nostr: If you ask me, it's a fundamental requirement for any modern Linux-based OS to ...
If you ask me, it's a fundamental requirement for any modern Linux-based OS to provide boot time integrity and as baseline provide unattended disk encryption bound to it. To make this happen, we added two essential TPM policy concepts to systemd-cryptenroll/systemd-cryptsetup:
1. Signed TPM PCR policies allow locking a disk to a public signing key of an OS vendor, ensuring that disks can only be unlocked if an OS signed by said vendor is booted.
Published at
2024-10-31 21:06:46Event JSON
{
"id": "7feff8e18dcefbf45f3f07957871b6e0143698a6d4c769564bb4f0da7d767319",
"pubkey": "1d95c32d9a9d95a54f98eb2eaa156f3d3a71dc49eca2c960b2b89962758f1cc0",
"created_at": 1730408806,
"kind": 1,
"tags": [
[
"e",
"56bb35c25da8234796df7cdc7e83edfdef9876dc3dcc8c7bb76fd40bddd5df5f",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://mastodon.social/users/pid_eins/statuses/113404071523946521",
"activitypub"
]
],
"content": "If you ask me, it's a fundamental requirement for any modern Linux-based OS to provide boot time integrity and as baseline provide unattended disk encryption bound to it. To make this happen, we added two essential TPM policy concepts to systemd-cryptenroll/systemd-cryptsetup:\n\n1. Signed TPM PCR policies allow locking a disk to a public signing key of an OS vendor, ensuring that disks can only be unlocked if an OS signed by said vendor is booted.",
"sig": "ca6f32a5a3f201d507e6f2fed3a220e81c544985c067540aca0f5f1a5cb1451c5f421307b2ef43a23ca506456fc7b8adc8fd9e2f5a60697a266907ca7cef2d13"
}
