https://bugzilla.suse.com/show_bug.cgi?id=1230566

Bug ID: 1230566
Summary: Clarify TPM2 registers
Classification: openSUSE
Product: openSUSE Aeon
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Base
Assignee: rbrown@suse.com
Reporter: taaem@mailbox.org
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

The encryption wiki (https://en.opensuse.org/Portal:Aeon/Encryption#Default_Mode) states that the kernel cmdline is measured in the decryption phase, but I'm not sure this is actually happening. If I do the following:

1. Reboot
2. Press <space> to bring up sdboot
3. Edit the cmdline (e.g. remove the quiet parameter or something harmless)
4. Continue to boot

I don't get asked for my recovery key, which I should if the following line of the wiki is correct: "Kernel and initrd (including kernel cmdline parameters)".

In /etc/sysconfig/fde-tools I see that the used PCR registers are FDE_SEAL_PCR_LIST=0,4,5,7,9. The question is then what is measured in PCR 9, which in grub-land includes all kernel related things (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/). It is noted there that sdboot measures the cmdline into PCR 12. I can confirm that PCR 12 is the cmdline by running /usr/lib/systemd/systemd-pcrlock:

    12 █ kernel-config ipl ✓ be123ca906a997b2b373ef03d7d085ad9694d91f7fb03f04cc49852b0c093c1a F - String: initrd=\aeon\6.10.9-1-default\initrd-4e08a4db634c2b8bda0cb5a8673...

But there it states that PCR 9 includes the following:

    9 █ kernel-initrd event-tag - be123ca906a997b2b373ef03d7d085ad9694d91f7fb03f04cc49852b0c093c1a F 710-kernel-cmdline-initrd-entry Linux: kernel command line
    9 █ kernel-initrd event-tag - fc402f2e93e4e4b56348e471f18de5acd3f60f5b0dac22adb25da65e8d8e936d F 710-kernel-cmdline-initrd-entry Linux: initrd

which indicates that the cmdline is measured, but that doesn't explain why I can boot.
I verified that the base setup is working by disabling secure boot, which triggered the recovery screen. Could someone verify which registers are used and what they should exactly measure, because either my setup is broken (possible) or sdboot doesn't use PCR 9 in the way indicated by the wiki?
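One way to check this empirically, as an added example that is not part of the bug report or of fde-tools: snapshot the sha256 PCR bank with tpm2_pcrread after a normal boot and again after a boot with an edited cmdline, then report which PCRs changed and which of those are in FDE_SEAL_PCR_LIST. The two snapshots below are constructed with truncated placeholder digests; on a real system they would be the captured tpm2_pcrread output.

```shell
#!/bin/sh
# Constructed tpm2_pcrread-style snapshots (truncated digests, not real
# values). On a real system capture them with, e.g.:
#   tpm2_pcrread sha256:0,4,5,7,9,12 > before.txt   # normal boot
#   tpm2_pcrread sha256:0,4,5,7,9,12 > after.txt    # boot with edited cmdline
BEFORE='sha256:
  0 : 0xAAAA0000
  4 : 0xAAAA0004
  5 : 0xAAAA0005
  7 : 0xAAAA0007
  9 : 0xAAAA0009
  12: 0xAAAA0012'
AFTER='sha256:
  0 : 0xAAAA0000
  4 : 0xAAAA0004
  5 : 0xAAAA0005
  7 : 0xAAAA0007
  9 : 0xBBBB0009
  12: 0xBBBB0012'
FDE_SEAL_PCR_LIST=0,4,5,7,9   # value quoted from /etc/sysconfig/fde-tools

# Normalise a snapshot to "<pcr> <digest>" lines.
pcr_lines() {
    printf '%s\n' "$1" | awk '/^[ \t]*[0-9]+[ \t]*:/ {
        line = $0; gsub(/[ \t:]+/, " ", line); sub(/^ /, "", line)
        split(line, f, " "); print f[1], f[2] }'
}

# Print, ascending, the PCR indices whose digest differs between snapshots.
changed_pcrs() {
    { pcr_lines "$1" | sed 's/^/B /'; pcr_lines "$2" | sed 's/^/A /'; } |
    awk '$1 == "B" { before[$2] = $3; next }
         $1 == "A" && ($2 in before) && before[$2] != $3 { print $2 }' |
    sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Intersect the changed PCRs with the sealing list. Non-empty means unsealing
# must fail (recovery prompt expected); empty means no sealed PCR saw the edit.
sealed_changed() {
    seal_list=$1; shift
    for pcr in "$@"; do
        case ",$seal_list," in *",$pcr,"*) printf '%s ' "$pcr" ;; esac
    done | sed 's/ $//'
}

changed=$(changed_pcrs "$BEFORE" "$AFTER")
echo "PCRs changed by the edited cmdline: $changed"
echo "...of which sealed ($FDE_SEAL_PCR_LIST): $(sealed_changed "$FDE_SEAL_PCR_LIST" $changed)"
```

If the second line comes back empty on a real system while PCR 12 alone moved, the seal policy never covered the cmdline edit, which would match the behaviour reported above.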