On 2024-04-09 15:11, Martin Wilck via openSUSE Factory wrote:
> On Mon, 2024-04-08 at 20:30 +0300, Andrei Borzenkov wrote:
> > Well, conceptually it is not much different to locking the LUKS password to the raw PCR values. After all, you *do* lock to the raw PCR values, just several possible values.
> I missed this part in Alberto's initial announcement of the new approach. If this is true, it looks like a step back wrt the previous signed policy approach, or am I missing something?
I do not understand Andrei's analogy, but IMO it is a step forward. In either case (signed policy or nvindex policy) there is no lock on raw PCR values. There is a calculation of a policy hash (which this time was extended to support PolicyOR), and instead of signing it, now it is stored inside the TPM2 NVRAM. In both cases the LUKS2 password is encrypted using the SRK from the TPM2.
Martin
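To make the "policy hash" being discussed concrete, the following is an added example (not code from this thread, from openSUSE, or from the tooling the announcement describes) that computes TPM 2.0 policy digests offline, using the extend formulas from the TPM 2.0 Library specification, Part 3: a PolicyPCR digest per allowed set of PCR values, a PolicyOR digest over several such sets, and, for contrast with the earlier signed-policy approach, a PolicyAuthorize digest. The PCR values, the signing-key Name and the kernel labels are constructed for the example; the command codes, algorithm identifier and marshaling layout are from the specification.

```python
"""Offline TPM 2.0 policy-digest calculation (PolicyPCR, PolicyOR, PolicyAuthorize).

Added example following TPM 2.0 Library Part 3 extend formulas; it is not code
from the openSUSE thread or its tooling. PCR values below are constructed.
"""
import hashlib

# TPM_CC command codes (TPM 2.0 Library Part 2) and the SHA-256 algorithm ID.
TPM_CC_PolicyAuthorize = 0x0000016A
TPM_CC_PolicyOR = 0x00000171
TPM_CC_PolicyPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
DIGEST_LEN = 32
ZERO_DIGEST = bytes(DIGEST_LEN)  # policyDigest starts (and is reset) as all zeros


def extend(old, command_code, *parts):
    """policyDigest_new = H(policyDigest_old || commandCode || parts...)."""
    h = hashlib.sha256(old)
    h.update(command_code.to_bytes(4, "big"))
    for part in parts:
        h.update(part)
    return h.digest()


def marshal_pcr_selection(pcr_indices, alg=TPM_ALG_SHA256):
    """TPML_PCR_SELECTION with one bank: count || hashAlg || sizeofSelect || bitmap.
    24 PCRs give a 3-byte bitmap; bit (i % 8) of byte (i // 8) selects PCR i."""
    bitmap = bytearray(3)
    for i in pcr_indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + alg.to_bytes(2, "big") + bytes([3]) + bytes(bitmap)


def policy_pcr(pcr_values, old=ZERO_DIGEST):
    """TPM2_PolicyPCR: extend with the marshaled selection and pcrDigest, where
    pcrDigest hashes the selected PCR values in ascending index order.
    pcr_values maps PCR index -> 32-byte value."""
    indices = sorted(pcr_values)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in indices)).digest()
    return extend(old, TPM_CC_PolicyPCR, marshal_pcr_selection(indices), pcr_digest)


def policy_or(branch_digests):
    """TPM2_PolicyOR: the TPM resets policyDigest to zero, then extends with the
    whole TPML_DIGEST of branch digests, so the result depends on their order."""
    if not 2 <= len(branch_digests) <= 8:
        raise ValueError("TPML_DIGEST allows 2..8 branches")
    return extend(ZERO_DIGEST, TPM_CC_PolicyOR, *branch_digests)


def policy_authorize(key_name, policy_ref=b""):
    """TPM2_PolicyAuthorize: digest also restarts from zero and binds only the
    signing key's Name and policyRef, not any particular PCR values."""
    return extend(ZERO_DIGEST, TPM_CC_PolicyAuthorize, key_name, policy_ref)


def constructed_pcr_sets():
    """Two constructed 'boot states' (e.g. two installed kernels), PCR 0 and 7."""
    return {
        "kernel-A": {0: hashlib.sha256(b"firmware").digest(), 7: hashlib.sha256(b"secureboot-A").digest()},
        "kernel-B": {0: hashlib.sha256(b"firmware").digest(), 7: hashlib.sha256(b"secureboot-B").digest()},
    }


def seal_digest_policy_or():
    """Digest a sealed object would carry under the PolicyOR scheme: one PolicyPCR
    branch per allowed PCR set, combined with PolicyOR. Adding a third allowed set
    changes this value, so the stored policy must be updated."""
    branches = [policy_pcr(values) for values in constructed_pcr_sets().values()]
    return policy_or(branches)


def seal_digest_policy_authorize():
    """Digest under the signed-policy scheme: stable across PCR changes because
    the allowed PCR policies are signed later, not baked into this value.
    The Name is constructed (hashAlg || H(public area) shape, dummy content)."""
    key_name = TPM_ALG_SHA256.to_bytes(2, "big") + hashlib.sha256(b"constructed public area").digest()
    return policy_authorize(key_name)


if __name__ == "__main__":
    print("PolicyOR seal digest:        ", seal_digest_policy_or().hex())
    print("PolicyAuthorize seal digest: ", seal_digest_policy_authorize().hex())
```

The two final digests show the difference the thread is about: the PolicyOR value is a function of every allowed PCR set, so it changes whenever the set of permitted boot states changes, while the PolicyAuthorize value depends only on the signing key and can stay fixed while new PCR policies are signed later. In neither scheme is the sealed secret bound to one raw PCR value by itself; in both it is a policy digest.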