Is there support for PCR >7? #445

Open
opened 2025-03-13 21:43:24 +00:00 by yuannan · 0 comments
yuannan commented 2025-03-13 21:43:24 +00:00 (Migrated from github.com)

I've tested the results of the PCR with `tpm2-tools`' `tpm2_pcrread`, which told me that only PCR 4, 9, and 11 changed on booting a different system.

However, you cannot rely on PCR 4, 9, and 11, as they change along with whichever derivation you booted, even if the derivation you booted has only changed one package not related to security.

I know lanzaboote is still in development, but I wanted to ask if there is anything currently that allows for booting different derivations without having to re-enroll PCRs 9 and 11.

I think there are currently 2 ways to do this:

  1. Just use PCR <7, this is not recommended according to a few sources.
  2. Automatically re-enroll PCR 9 and 11; however, I don't think this is possible as you have to boot them first.

Are there plans to add other registers to this so that the securely booted image can be along with firmware variables to ensure that the entire boot chain is secure?

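The comparison the reporter describes (capturing `tpm2_pcrread` output on two boots and seeing which PCRs moved) is easy to get wrong by eyeballing 64-hex-digit digests, so here is a small script that does the diff mechanically. This is an added example, not code from the reporter or from the lanzaboote project. The two snapshots embedded below are constructed sample data, not real measurements, so the script runs offline; on a real machine you would capture each snapshot with `tpm2_pcrread > pcrs-<boot>.txt` before and after booting the other derivation. The digest values, the `before.txt`/`after.txt` file names and the `changed_pcrs` helper are all assumptions of this example.

```shell
#!/bin/sh
# Diff two tpm2_pcrread snapshots and list the PCR indexes (sha256 bank) whose
# digests differ. tpm2_pcrread prints one "<bank>:" header per bank followed by
# lines of the form "  <index> : 0x<hex digest>".

# changed_pcrs BEFORE AFTER [BANK]
# Prints the space-separated list of PCR indexes whose digest differs between the
# two snapshot files for the given bank (default sha256). Prints nothing if none.
changed_pcrs() {
    awk -v want="${3:-sha256}" '
        # Bank header such as "sha256:" selects which bank the following lines belong to.
        /^ *[a-zA-Z0-9_]+:$/ { bank = substr($1, 1, length($1) - 1); next }
        bank == want && /^ *[0-9]+ *: *0x/ {
            if (FNR == NR) before[$1] = $3            # first file: remember digests
            else if (before[$1] != $3) out = out (out ? " " : "") $1
        }
        END { print out }
    ' "$1" "$2"
}

# Constructed sample snapshots (NOT real measurements): same firmware, same
# Secure Boot state (PCR 7 unchanged), different NixOS generation booted, so the
# bootloader-related PCRs 4, 9 and 11 differ.
workdir=$(mktemp -d)
SNAP_BEFORE="$workdir/before.txt"
SNAP_AFTER="$workdir/after.txt"

cat > "$SNAP_BEFORE" <<'EOF'
sha256:
  0 : 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  4 : 0x4123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  7 : 0x7123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  9 : 0x9123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  11 : 0xb123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF

cat > "$SNAP_AFTER" <<'EOF'
sha256:
  0 : 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  4 : 0x4123456789abcdef0123456789abcdef0123456789abcdef0123456789abc000
  7 : 0x7123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  9 : 0x9123456789abcdef0123456789abcdef0123456789abcdef0123456789abc000
  11 : 0xb123456789abcdef0123456789abcdef0123456789abcdef0123456789abc000
EOF

# Usage: report which PCRs moved between the two boots.
echo "PCRs that changed: $(changed_pcrs "$SNAP_BEFORE" "$SNAP_AFTER")"
```

Any index this prints is one you cannot bind a TPM2 unlock policy to without re-sealing on every generation switch; indexes that stay constant (here 0 and 7) are the ones a policy can key on across kernel and package updates. Run it for the `sha1` bank too by passing a third argument if your firmware still extends that bank.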
Reference: raito/lanzaboote#445