forked from osresearch/safeboot
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsafeboot.conf
58 lines (46 loc) · 2.09 KB
/
safeboot.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# /etc/safeboot/safeboot.conf
# Don't edit this file directly; it is maintained by the package
# manager. Instead add items to /etc/safeboot/local.conf to override
# these default values.
# Ubuntu 20.04 sets a symlink to the latest kernel and initrd
# so that it is easy to find. If your update-initramfs doesn't,
# then you will have to override the paths to the latest kernel.
KERNEL=/boot/vmlinuz
INITRD=/boot/initrd.img
# The EFI boot menu entries and ESP directory
EFIDIR=/boot/efi/EFI
RECOVERY_TARGET=recovery
LINUX_TARGET=linux
# SIP mode defaults to disabled -- run `safeboot sip-init` to configure
# it, which will make the necessary changes to the various filesystems.
# However it is potentially dangerous!
SIP=0
# The root filesystem device and the dmverity hash device are not
# set in this file; the /etc/safeboot/local.conf is the place to configure them.
# sbin/safeboot will try to guess the right ones for your system.
#ROOTDEV=/dev/mapper/vgubuntu-root
#HASHDEV=/dev/mapper/vgubuntu-hashes
# The TPM PCRs used for sealing the key (in addition to the boot mode PCR)
PCRS=0,2,4,5,7
BOOTMODE_PCR=14
# The TPM NVRAM used to store the upgrade counter.
# Each time a new kernel is signed the counter at this nvram index
# can be incremented to invalidate any older signatures
TPM_NV_VERSION=0x1500010
# The TPM sealed secret is stored at this handle
TPM_SEALED_HANDLE=0x81110000
# PCR Signature is stored in this UEFI NVRAM variable
PCR_SIGNATURE=SafebootPCR-8620893e-c793-457e-8a02-41fc83eef3ce
# Is a PIN required?
SEAL_PIN=1
# The rootdev, dmverity parameters, TPM PCRs, etc will be passed
# in by the safeboot tool; this command line is only the Linux runtime
# options and things like IOMMU configuratation.
LINUX_COMMANDLINE="ro quiet splash vt.handoff=7 intel_iommu=on efi=disable_early_pci_dma lockdown=confidentiality"
# Recovery is not quiet, so that things can be diagnosed
# Also doesn't turn on all of the protections so that it is possible to patch things.
RECOVERY_COMMANDLINE="ro lockdown=none"
# Signing certificate
# TODO: allow non-hardware token storage
CERT=/etc/safeboot/cert.pem
KEY="pkcs11:"