On 13.04.2024 14:54, Andrei Borzenkov wrote:
On 10.04.2024 11:45, aplanas wrote:
Now, systemd-pcrlock also supports the user-supplied PIN instead of auto-generating it.
Yes, we can make it explicit during the first enrollment.
I think it should really be the default. The cryptographically strong recovery PIN should be auto-generated (not entered manually) and shown to the user like is the case with LUKS recovery key now.
That makes sense for me.
I looked for a reasonably simple way to extract the generated PIN using tpm2-tools, but whatever I did, the policy session always failed at the tpm2_policyauthorizenv step. I am not sure what is missing, but systemd-pcrlock first starts an encryption session and then references it when starting the policy session, and this mode is not supported by tpm2_startauthsession. So it looks like either the PIN needs to be supplied externally or systemd-pcrlock needs to be modified to (optionally) print the generated PIN.
OK, I was able to recover the stored PIN, only to realize that it is not the PIN itself, but rather the final authorization hash derived from it. This means that, while it can be used to manually write the (recomputed) policy into the NV index, it cannot be used as input to systemd-pcrlock.