On 27.03.2024 21:19, aplanas wrote:
On 2024-03-27 17:38, Andrei Borzenkov wrote:
On 27.03.2024 20:26, aplanas wrote:
I can prepare an update to sdbootutil that will do the migration from pcr-oracle to pcrlock, or at least I will document how it can be done manually (it is as simple as removing the tpm2-* files from the ESP and /var and calling `sdbootutil update-predictions`).
You mean - after sdbootutil has been updated?
Yes.
There are no tpm2-* files in /var, they were in /etc/systemd. And one needs to install systemd-experimental, which provides systemd-pcrlock. And even after that I cannot make it work. I run "sdbootutil update-predictions", I run "transactional-update initrd", I see pcrlock hashes in /var/lib/pcrlock.d (multiple, e.g. for initrd), but I am asked for a passphrase on boot.