control: reassign -1 systemd

Hi Matteo,

On Tue, Sep 03, 2024 at 10:23:41AM +0000, Settenvini, Matteo wrote:
>Package: shim-signed
>Version: 1.44~1+deb12u1+15.8-1~deb12u1
>Severity: important
>
>Dear Maintainer,
>
>after updating the shim-signed package to 1.44~1+deb12u1+15.8~deb12u1,
>unlocking the LUKS drive automatically via the tpm as enrolled through
>systemd-cryptenroll fails because the value of PCR 7 changes.
>
>This is problematic in our setup, because only the IT administrator
>has the LUKS passphrase which can be used as a fallback unlock method.
>Therefore, manual intervention for unlocking and re-enrolling the TPM
>is needed.
>
>At least a NEWS entry should be displayed before the update, and
>possibly a solution to automatically re-enroll after a successful unlock
>via passphrase added (via systemd unit file? maybe a systemd wishlist
>item? `keyctl update` to reseal?).
>
>In any case, a blind update causes a serious regression for us. We
>understand this is intended behavior, but we should at least have
>a way to know before applying the update.

This sounds like a bug for the systemd folks to deal with, I'll be honest.
Any changes in the boot chain (shim/grub/etc.) may cause PCR measurements
to change, but we have no idea what might be depending on those
measurements.

Reassigning appropriately.

--
Steve McIntyre, Cambridge, UK.                                st...@einval.com
We don't need no education.
We don't need no thought control.
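The thread boils down to one mechanism: a TPM2-bound LUKS slot enrolled with `systemd-cryptenroll --tpm2-pcrs=7` is sealed against the Secure Boot state measured into PCR 7, and a new shim changes that measurement, so the sealed key no longer unseals. The following POSIX shell check is an added example and is not code from the bug report, from Steve's reply, or from the shim-signed or systemd projects. It records a PCR 7 baseline and reports drift, which is the "way to know" the reporter asks for; it assumes the kernel sysfs PCR export at `/sys/class/tpm/tpm0/pcr-sha256/7` (present on recent kernels; treated here as an assumption) and uses constructed sample digests for the self-test. The re-enrollment hint it prints uses documented `systemd-cryptenroll` options; `DEVICE` is a placeholder for the LUKS block device.

```shell
#!/bin/sh
# Added example (not from the bug report): detect PCR 7 drift before a
# TPM2-bound LUKS unlock is relied on, and say what to do when it drifted.
# ASSUMPTION: Linux exports PCR banks under /sys/class/tpm/tpm0/pcr-sha256/.
PCR7_SYSFS="${PCR7_SYSFS:-/sys/class/tpm/tpm0/pcr-sha256/7}"
BASELINE_FILE="${BASELINE_FILE:-/var/lib/pcr7-baseline}"

# Constructed sample digests (64 hex chars each), used only for self-testing.
SAMPLE_BEFORE="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_AFTER="fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"

# Normalise a SHA-256 PCR value: strip whitespace and an optional 0x prefix,
# lowercase it, and reject anything that is not exactly 64 hex digits.
normalize_pcr() {
    v=$(printf '%s' "$1" | tr -d ' \n\t' | sed 's/^0[xX]//' | tr 'A-F' 'a-f')
    case "$v" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#v}" -eq 64 ] || return 1
    printf '%s\n' "$v"
}

# Compare a current PCR 7 value against a recorded baseline.
# Exit status: 0 = unchanged, 1 = drift detected, 2 = unusable input.
check_pcr7() {
    current=$(normalize_pcr "$1") || return 2
    baseline=$(normalize_pcr "$2") || return 2
    [ "$current" = "$baseline" ] && return 0
    return 1
}

# Human-readable verdict for a check_pcr7 status code.
explain_status() {
    case "$1" in
        0) printf 'PCR 7 unchanged: TPM2-bound LUKS unlock should still work.\n' ;;
        1) printf 'PCR 7 changed (boot chain updated?): the TPM2 slot will not unseal.\n'
           printf 'Unlock with the passphrase, then re-enroll, e.g.:\n'
           printf '  systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 DEVICE\n' ;;
        *) printf 'Could not read a valid PCR 7 value or baseline.\n' ;;
    esac
}

# Live check: read PCR 7 from sysfs, compare with the stored baseline, and
# create the baseline on first run. Only executed when invoked with "check".
main() {
    [ -r "$PCR7_SYSFS" ] || { echo "no PCR 7 at $PCR7_SYSFS" >&2; return 2; }
    live=$(cat "$PCR7_SYSFS")
    if [ ! -f "$BASELINE_FILE" ]; then
        normalize_pcr "$live" > "$BASELINE_FILE" || return 2
        echo "recorded PCR 7 baseline in $BASELINE_FILE"
        return 0
    fi
    status=0
    check_pcr7 "$live" "$(cat "$BASELINE_FILE")" || status=$?
    explain_status "$status"
    return "$status"
}

case "${1:-}" in
    check) main ;;
esac
```

Run it once right after a known-good boot with `sh pcr7-check.sh check` to record the baseline, then again after `apt upgrade` (or from a pre-reboot hook) to learn whether the slot will still unseal before the machine is rebooted into a state where only the passphrase holder can recover it. The check is deliberately read-only; re-enrollment needs the LUKS passphrase and stays a deliberate administrator step.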