Hi,
I have a laptop which I'm using to play around with security settings.
I have an unencrypted /boot and an encrypted / partition.
I use secureboot and also use the tpm chip to unlock the encrypted partition.
I note the wiki describes the various PCR registers, but it doesn't leave me any the wiser about which ones to use.
Searching the web for guides, I see lots of variation in the suggested registers.
For instance, the above linked page gives an example (not a recommendation per se) of using 0+7
The Dm-verity wiki page recommends PCRs 0+1+5+7
The tpm2-totp tool binds by default to either PCRs 0+2+4 or 0+2+4+6 (see https://github.com/tpm2-software/tpm2-totp/issues/90)
At one stage I tried 0+1+2+3+4+5+6+7, but it was constantly asking me for my password so that's probably too extreme a setting.
For a laptop, does anyone have sane guidance on recommended PCRs to use?
Last edited by multipitch (2022-09-13 20:57:42)
I use only 7 as it's the systemd-cryptenroll default:
For most applications it should be sufficient to bind against PCR 7 (and possibly PCR 14, if shim/MOK is desired), as this includes measurements of the trusted certificates (and possibly hashes) that are used to validate all components of the boot process up to and including the OS kernel. In order to simplify firmware and OS version updates it's typically not advisable to include PCRs such as 0 and 2 in the binding of the enrollment, since the program code they cover should already be protected indirectly through the certificates measured into PCR 7. Validation through these certificates is typically preferable over validation through direct measurements as it is less brittle in context of OS/firmware updates: the measurements will change on every update, but code signatures likely will validate against pre-existing certificates.
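To make the trade-off in the quoted man-page text concrete, here is an added Python model (not from the thread, systemd, or the TPM specification) of how PCR values are built and why a policy bound to PCR 7 survives a firmware or kernel update while one bound to PCR 0, 2 or 4 does not. The boot "event logs", the register-to-event mapping in boot(), and the policy digest encoding are constructed simplifications for illustration; a real TPM2_PolicyPCR digest includes the exact TPMS_PCR_SELECTION encoding and the prior policy digest, and a real event log has many more entries.

```python
import hashlib
from typing import Dict, Iterable, List

PCR_SIZE = 32  # one register in the SHA-256 bank


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA256(PCR_old || SHA256(event)).
    The register can only be extended, never written, so the final value
    depends on every event and on their order."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay(events: Iterable[bytes]) -> bytes:
    """Replay one PCR's event log from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr


def boot(firmware: str, kernel: str, db_cert: str, secure_boot: bool) -> Dict[int, bytes]:
    """Constructed, simplified model of which boot facts are measured where.
    PCR 0/2/4 receive hashes of code (firmware, option ROMs, boot loader/kernel);
    PCR 7 receives the Secure Boot state and the db certificate that verified the
    kernel, not the kernel image itself."""
    logs: Dict[int, List[bytes]] = {
        0: [b"EV_S_CRT_M_VERSION " + firmware.encode()],
        2: [b"EV_EFI_BOOT_SERVICES_DRIVER option-rom-" + firmware.encode()],
        4: [b"EV_EFI_BOOT_SERVICES_APPLICATION " + kernel.encode()],
        7: [
            b"EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot=" + (b"1" if secure_boot else b"0"),
            b"EV_EFI_VARIABLE_DRIVER_CONFIG db=" + db_cert.encode(),
            b"EV_EFI_VARIABLE_AUTHORITY " + db_cert.encode(),
        ],
    }
    return {idx: replay(evs) for idx, evs in logs.items()}


TPM_CC_POLICY_PCR = 0x0000017F  # command code folded into a PolicyPCR digest


def policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Simplified TPM2_PolicyPCR: hash the selected PCR values, then fold that into
    the (empty) policy digest together with the command code and the selection.
    The real encoding of the selection differs; the dependency structure is the point."""
    sel = sorted(selection)
    digest_tpm = hashlib.sha256(b"".join(pcrs[i] for i in sel)).digest()
    return hashlib.sha256(
        bytes(PCR_SIZE) + TPM_CC_POLICY_PCR.to_bytes(4, "big") + bytes(sel) + digest_tpm
    ).digest()


def unlock_survives(enrolled: Dict[int, bytes], current: Dict[int, bytes], selection: Iterable[int]) -> bool:
    """The LUKS key sealed at enrollment is released only if the policy digest
    computed from today's PCRs equals the one computed at enrollment."""
    return policy_digest(enrolled, selection) == policy_digest(current, selection)


if __name__ == "__main__":
    cert = "Example Secure Boot CA"  # constructed name, not a real certificate
    enrolled = boot("fw-1.0", "linux-6.0", cert, True)
    scenarios = {
        "firmware update":        boot("fw-1.1", "linux-6.0", cert, True),
        "kernel update":          boot("fw-1.0", "linux-6.1", cert, True),
        "Secure Boot disabled":   boot("fw-1.0", "linux-6.0", cert, False),
        "kernel signed by other": boot("fw-1.0", "linux-6.0", "Other CA", True),
    }
    for pcr_set in ([7], [0, 7], [0, 2, 4], [0, 1, 2, 3, 4, 5, 6, 7]):
        sel = [i for i in pcr_set if i in enrolled]  # the model only populates 0, 2, 4, 7
        row = ", ".join(f"{name}: {'ok' if unlock_survives(enrolled, s, sel) else 'PROMPT'}"
                        for name, s in scenarios.items())
        print(f"bind {pcr_set!s:<24} -> {row}")
```

Running it shows the pattern the OP hit with 0+1+2+3+4+5+6+7: every code-measuring register changes on each update, so the sealed key is withheld and the passphrase prompt appears, while PCR 7 alone changes only when the Secure Boot state or the trusted certificate changes, which is exactly the tampering case you want to catch.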
The OP has not been back since November, so I am going to consider this thread abandoned and close it.
multipitch, if you come back and want this thread reopened, use the Report link to notify staff.