feat: provide an option to enforce SecureBoot for TPM enrollment #9005
78aaf61 to 7eeba53
website/content/v1.8/reference/configuration/v1alpha1/config.md
internal/pkg/encryption/keys/tpm2.go
} | ||
|
||
if efi.GetSetupMode() { | ||
return nil, nil, fmt.Errorf("failed to enroll the TPM2 key, as the system is in setup mode") |
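Review bot: the message on the `return nil, nil, fmt.Errorf("failed to enroll the TPM2 key, as the system is in setup mode")` line reports a TPM2 enrollment failure, but the `if efi.GetSetupMode()` branch is the SecureBoot enforcement gate refusing to proceed, not an enrollment error; a wording such as "not continuing due to SecureBoot enforcement check: system is in setup mode" tells the operator the real cause (setup mode means no Platform Key is enrolled, so Secure Boot policy is not being enforced). The visible context also does not show the new option being consulted before this branch, so it is worth confirming in the surrounding code that the check runs only when enforcement is requested, otherwise existing installs on systems in setup mode would start failing.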
I'm confused on the error message.
SecureBoot enabled, but setup mode is enabled?
Ahh, now it makes sense. Since this has nothing to do with TPM2 enrollment, we could say "not continuing due to SecureBoot enforcement check".
Yes, thanks, I will update the message as well.
Updated now.
Fixes siderolabs#8995

There is no security impact, as the actual SecureBoot state/configuration is measured into the PCR 7 and the disk encryption key unsealing is tied to this value.

This is more to provide a way to avoid accidentally encrypting to the TPM while SecureBoot is not enabled.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
7eeba53 to cf5effa
/m
Follow up for siderolabs#9005

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8995
There is no security impact, as the actual SecureBoot state/configuration is measured into the PCR 7 and the disk encryption key unsealing is tied to this value.
This is more to provide a way to avoid accidentally encrypting to the TPM while SecureBoot is not enabled.
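The gate this PR adds, written out as an added example in Go; it is not Talos's own code and does not use the project's `efi` package. It assumes the standard Linux efivarfs layout (files named `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `SetupMode-<same GUID>`, each a 4-byte attribute word followed by the data) and the names `BootState`, `ParseBootState` and `CheckEnrollmentAllowed` are hypothetical. It uses the message wording the review thread settled on and treats a malformed variable as an error rather than as "SecureBoot enabled".

```go
package main

import "errors"
import "fmt"

// BootState holds the two UEFI facts the enforcement gate looks at. On Linux they are
// read from /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and
// SetupMode-<same GUID>; each file is a 4-byte attribute word followed by the data byte.
type BootState struct {
	SecureBoot bool // SecureBoot == 1
	SetupMode  bool // SetupMode == 1: no Platform Key enrolled, so policy is not enforced
}

// efivarByte returns the first data byte of an efivarfs blob, or an error if malformed.
func efivarByte(name string, blob []byte) (byte, error) {
	if len(blob) < 5 {
		return 0, fmt.Errorf("%s: efivar blob too short (%d bytes)", name, len(blob))
	}
	return blob[4], nil
}
// ParseBootState decodes both variables; a malformed blob is an error and is never
// silently treated as "SecureBoot enabled".
func ParseBootState(secureBoot, setupMode []byte) (BootState, error) {
	sb, err := efivarByte("SecureBoot", secureBoot)
	if err != nil {
		return BootState{}, err
	}
	sm, err := efivarByte("SetupMode", setupMode)
	if err != nil {
		return BootState{}, err
	}
	return BootState{SecureBoot: sb == 1, SetupMode: sm == 1}, nil
}
// ErrSecureBootNotEnforced wraps every refusal so callers can match it with errors.Is.
var ErrSecureBootNotEnforced = errors.New("not continuing due to SecureBoot enforcement check")
// CheckEnrollmentAllowed is the opt-in gate: with enforcement off, enrollment proceeds as
// before; with it on, SecureBoot must be enabled and the firmware must not be in setup mode.
func CheckEnrollmentAllowed(enforce bool, st BootState) error {
	if !enforce {
		return nil
	}
	if !st.SecureBoot {
		return fmt.Errorf("%w: SecureBoot is disabled", ErrSecureBootNotEnforced)
	}
	if st.SetupMode {
		return fmt.Errorf("%w: system is in setup mode", ErrSecureBootNotEnforced)
	}
	return nil
}
```

As the commit message says, PCR 7 still binds the sealed key to the real SecureBoot state; this gate only stops an operator from sealing to a policy that was never enforced.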