@jarkko It's a long text, but the person writing this is basically saying that a TPM2 policy for a disk that only locks to PCR 7 or not even that is not secure? I mean, no shit Sherlock, of course it doesn't. If your policy doesn't lock to anything then it doesn't lock to anything...
A full boot chain that gets things right would include at least a UKI with a signed PCR policy + a dynamic systemd-pcrlock policy. The combination should be reasonably secure, I'd claim, but if you have neither…
@jarkko … then you have only a very weak model, probably to the point it's not worth it.
What matters is that distributions actually start deploying UKIs like this, and enable systemd-pcrlock by default. This is not trivial, but some distros are further ahead there than others.
@pid_eins @jarkko I suppose it's warranted in the sense that many distros are "not there yet" and that many resources (still) only talk about locking to PCR7. Your blog post from 4 years ago now is still one of the best resources (IMO) but only mentions PCR7 (because well, 4 years ago things were much worse):