diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-10-12 09:56:32 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2023-01-17 09:42:16 +0100 |
| commit | 94c0c85e302d00923dc5bbf9d1b937875f1d0c66 (patch) | |
| tree | 9330d12bd3e2ff4c6ee98cbbb2cbb802f98326bd /src/fundamental | |
| parent | 9885c8745d313588350325e8e2110887bf78c442 (diff) | |
| download | systemd-94c0c85e302d00923dc5bbf9d1b937875f1d0c66.tar.gz | |
cryptsetup: add tpm2-measure-pcr= and tpm2-measure-bank= crypttab options
These options allow measuring the volume key used for unlocking the
volume to a TPM2 PCR. This is ideally used for the volume key of the
root file system and can then be used to bind other resources to the
root file system volume in a secure way.
See: #24503
Diffstat (limited to 'src/fundamental')
| -rw-r--r-- | src/fundamental/tpm-pcr.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h index d57291328d..e12b4ff607 100644 --- a/src/fundamental/tpm-pcr.h +++ b/src/fundamental/tpm-pcr.h @@ -17,6 +17,9 @@ /* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */ #define TPM_PCR_INDEX_INITRD_SYSEXTS 13U +/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */ +#define TPM_PCR_INDEX_VOLUME_KEY 15U + /* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in * which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */ typedef enum UnifiedSection { |