You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To improve the experience for users of encrypted root partitions, measured boot should be supported. This allows the TPM to unlock the root drive, when the kernel, initrd, cmdine and firmware are in a predicted state. The actual state would have to be measured at boot time. systemd-stub supports this, but I'm not sure about Lanzaboote
There are already tools to predict the PCR values, e.g. pcr-oracle, though it's not available for nixos yet
This also supports multiple entries and a secure system boot doesn't depend on secure boot anymore but the actual state of the boot files.
In a perfect world, an encrypted system would use the predictions to auto unlock on boot in case the files haven't been tempered with.
The text was updated successfully, but these errors were encountered:
To improve the experience for users of encrypted root partitions, measured boot should be supported. This allows the TPM to unlock the root drive, when the kernel, initrd, cmdine and firmware are in a predicted state. The actual state would have to be measured at boot time. systemd-stub supports this, but I'm not sure about Lanzaboote
There are already tools to predict the PCR values, e.g. pcr-oracle, though it's not available for nixos yet
This also supports multiple entries and a secure system boot doesn't depend on secure boot anymore but the actual state of the boot files.
In a perfect world, an encrypted system would use the predictions to auto unlock on boot in case the files haven't been tempered with.
The text was updated successfully, but these errors were encountered: