cryptsetup: add tpm2-measure-pcr= and tpm2-measure-bank= crypttab options

These options allow measuring the volume key used for unlocking the volume to a TPM2 PCR. This is ideally used for the volume key of the root file system and can then be used to bind other resources to the root file system volume in a secure way. See: #24503
author: Lennart Poettering <lennart@poettering.net> 2022-10-12 09:56:32 +0200
committer: Lennart Poettering <lennart@poettering.net> 2023-01-17 09:42:16 +0100
commit: 94c0c85e302d00923dc5bbf9d1b937875f1d0c66 (patch)
tree: 9330d12bd3e2ff4c6ee98cbbb2cbb802f98326bd /src/fundamental/tpm-pcr.h
parent: 9885c8745d313588350325e8e2110887bf78c442 (diff)
download: systemd-94c0c85e302d00923dc5bbf9d1b937875f1d0c66.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h
index d57291328d..e12b4ff607 100644
--- a/src/fundamental/tpm-pcr.h
+++ b/src/fundamental/tpm-pcr.h
@@ -17,6 +17,9 @@
 /* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
 #define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
 
+/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
+#define TPM_PCR_INDEX_VOLUME_KEY 15U
+
 /* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in
  * which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */
 typedef enum UnifiedSection {
author	Lennart Poettering <lennart@poettering.net>	2022-10-12 09:56:32 +0200
committer	Lennart Poettering <lennart@poettering.net>	2023-01-17 09:42:16 +0100
commit	94c0c85e302d00923dc5bbf9d1b937875f1d0c66 (patch)
tree	9330d12bd3e2ff4c6ee98cbbb2cbb802f98326bd /src/fundamental/tpm-pcr.h
parent	9885c8745d313588350325e8e2110887bf78c442 (diff)
download	systemd-94c0c85e302d00923dc5bbf9d1b937875f1d0c66.tar.gz