blog/content/post/2024-11-26-measured-boot-improvements.md: Add post

[miczyg1]

No description provided.

[pietrushnic]

Great post, thank you, my comments are not blocking.

[pietrushnic]

What would be the current mitigation for that?

Can't we just set up an admin password so a change of PCR banks would not be possible for someone who doesn't know the password?

[miczyg1]

In general even if an admin changes PCR banks, the change won't be applied or it will break measured boot.

The mitigation is like I described: be agile and calculate hashes for all currently enabled banks. Of course coreboot changes to event logging must follow.

Simply subject to future improvement. It is not about preventing the change of PCR banks

[pietrushnic]

In general even if an admin changes PCR banks, the change won't be applied or it will break measured boot.

So why are we not saying what mitigates that? Dear admin, do not change banks because it will break the system's trustworthiness. The admin must comply with that policy and should be informed about it. If the admin doesn't want users to change that policy, even accidentally, then prevent that by protecting the option with a password. That is the current mitigation. There should be a better one with the correct implementation, but that still needs to be implemented. We may be working on that. Or could you have a reference point to follow up?

[miczyg1]

@pietrushnic addressed all of the comments except #613 (comment) (treating it more like an open question)

[macpijan]

I reviewed as well, and resolved threads from @pietrushnic