Component
other
Is your feature request related to a problem? Please describe
Some manufacturers provide PCR values with their firmware, e.g. HP. However, they only provide the final value of the PCRs and not an event log which could be used with pcrlock files. For an example, see the Fixes section on https://support.hp.com/gb-en/drivers/swdetails/hp-z440-workstation/6978828/swItemId/vc-324348-1
Describe the solution you'd like
Adding support for using the final values of PCRs would allow for the firmware to remain part of a policy across firmware updates.
Describe alternatives you've considered
While pcrlock files can be generated afterwards with verification, this would require either the firmware being removed from the policy or some form of recovery.
Removing the firmware from the policy would prevent the user from revoking prior versions and leave the machine potentially vulnerable to firmware downgrade attacks.
The systemd version you checked that didn't have the feature you are asking for
255
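The "generated afterwards with verification" alternative from the request, as an added example (not part of the original issue and not systemd code): the event log read on the updated machine is replayed with the TPM extend operation and accepted only if it reproduces the vendor-published final PCR value. The function names, the all-zero reset value and the sample digests are assumptions constructed for illustration.

```python
import hashlib
import hmac


def extend(pcr: bytes, digest: bytes, alg: str = "sha256") -> bytes:
    """TPM 2.0 PCR extend: new_value = H(old_value || event_digest)."""
    return hashlib.new(alg, pcr + digest).digest()


def replay(event_digests, alg: str = "sha256") -> bytes:
    """Replay event digests in log order, starting from an all-zero PCR
    (assumed reset value for the firmware PCR being checked)."""
    size = hashlib.new(alg).digest_size
    pcr = bytes(size)
    for i, digest in enumerate(event_digests):
        if len(digest) != size:
            raise ValueError(f"event {i}: digest is {len(digest)} bytes, expected {size}")
        pcr = extend(pcr, digest, alg)
    return pcr


def matches_vendor_value(event_digests, vendor_final_hex: str, alg: str = "sha256") -> bool:
    """True only if the replayed log ends at the vendor-published final value."""
    expected = bytes.fromhex(vendor_final_hex)
    return hmac.compare_digest(replay(event_digests, alg), expected)


# Constructed sample data: three stand-in firmware measurements.
SAMPLE_LOG = [
    hashlib.sha256(b"constructed: S-CRTM version").digest(),
    hashlib.sha256(b"constructed: firmware volume").digest(),
    hashlib.sha256(b"constructed: separator").digest(),
]
# Stand-in for the value a vendor would publish with the firmware release.
VENDOR_FINAL_HEX = replay(SAMPLE_LOG).hex()

if __name__ == "__main__":
    print("log as measured:  ", matches_vendor_value(SAMPLE_LOG, VENDOR_FINAL_HEX))
    # A missing or reordered event changes the final value, so the log is rejected.
    print("one event missing:", matches_vendor_value(SAMPLE_LOG[:-1], VENDOR_FINAL_HEX))
    print("events reordered: ", matches_vendor_value(SAMPLE_LOG[::-1], VENDOR_FINAL_HEX))
```

Because extend is a one-way hash chain, the check only works in this direction: a log can be confirmed against the final value, but the final value alone cannot be expanded back into the per-event records.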