Hi,

> > Sure.  It's a first in the secure boot world and has the potential to
> > break a bunch of stuff.  Specifically I think with the boot signature
> > chain changing some TPM PCR measurements will change too, so a TPM
> > being used for LUKS disk encryption most likely is affected and will
> > need some extra attention.
> 
> Would it be the same root cause from when every so often Microsoft releases
> an update related to Secure Boot and Windows users get thrown into the
> BitLocker recovery asking for a key that many of them have no idea how to
> get? (And they also can't use the Microsoft account backup because they
> have no access)

Probably.  Different things (certificates used, binaries loaded, ...)
are measured to different PCRs though, so you can have different effects
depending on what exactly has been updated.

When binding keys to the TPM it is possible to define which PCRs are
expected to have specific values.  I don't know how BitLocker uses the
TPM, so I can't go deeper into details here.

It is also possible to (a) calculate the new PCR measurements
beforehand, and (b) update the TPM policies, so in theory the update
process should be able to handle that without requiring users to reach for
the recovery keys.  But it's software, and bugs happen ...

take care,
  Gerd

-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

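A small model of the PCR mechanism Gerd describes above, added here as an example and not part of the thread or of any Fedora or TPM tooling. It simulates TPM2_PCR_Extend (PCR := SHA-256(PCR || digest)) over a constructed boot chain to show the two points from the reply: different components are measured into different PCRs, so an update only disturbs the PCRs whose inputs changed, and the post-update values can be replayed ahead of time so a PCR-bound sealing policy can be re-bound before the reboot instead of falling back to the recovery key. The PCR indices follow the usual UEFI convention (PCR 4 for boot binaries, PCR 7 for Secure Boot state and certificates); the event contents, certificate names and version strings are made up for the example.

```python
"""Toy model of TPM PCR measurement and PCR-bound sealing policies.

Added example, not code from the mailing-list thread.  The event data
below is constructed; on a real system the measurements are parsed from
the firmware event log (/sys/kernel/security/tpm0/binary_bios_measurements).
"""
import hashlib

DIGEST_LEN = 32
INITIAL_PCR = b"\x00" * DIGEST_LEN  # PCRs 0-15 start at all zeros after reset


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """One TPM2_PCR_Extend step: PCR := H(PCR || digest)."""
    assert len(pcr_value) == DIGEST_LEN and len(digest) == DIGEST_LEN
    return hashlib.sha256(pcr_value + digest).digest()


def replay_event_log(events):
    """Replay (pcr_index, event_bytes) pairs in order; return the final
    value of every PCR touched.  Order matters: extending is not commutative."""
    pcrs = {}
    for index, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[index] = pcr_extend(pcrs.get(index, INITIAL_PCR), digest)
    return pcrs


def changed_pcrs(before, after):
    """Indices whose final value differs between two replays."""
    return {i for i in set(before) | set(after) if before.get(i) != after.get(i)}


def make_policy(pcrs, selection):
    """A sealing policy: the exact values the selected PCRs must hold."""
    return {i: pcrs[i] for i in selection}


def policy_matches(policy, pcrs):
    """The TPM releases the sealed key only if every selected PCR holds
    the value recorded in the policy."""
    return all(pcrs.get(i) == v for i, v in policy.items())


# Constructed boot chain: Secure Boot variables go to PCR 7, loaded
# binaries to PCR 4.  The strings stand in for the real measured data.
OLD_CHAIN = [
    (7, b"SecureBoot=1"),
    (7, b"db: Example UEFI CA (old)"),
    (7, b"dbx: revocation list v1"),
    (4, b"shim.efi, signed by Example UEFI CA (old)"),
    (4, b"grubx64.efi"),
    (4, b"vmlinuz 6.5"),
]

# The scenario from the thread: the signing chain changes, so a new db
# certificate (PCR 7) and a re-signed shim (PCR 4) are both measured.
NEW_CHAIN = [
    (7, b"SecureBoot=1"),
    (7, b"db: Example UEFI CA (new)"),
    (7, b"dbx: revocation list v1"),
    (4, b"shim.efi, signed by Example UEFI CA (new)"),
    (4, b"grubx64.efi"),
    (4, b"vmlinuz 6.5"),
]

# For contrast, a kernel-only update touches PCR 4 but leaves PCR 7 alone.
KERNEL_ONLY_CHAIN = OLD_CHAIN[:-1] + [(4, b"vmlinuz 6.6")]


def demo():
    old = replay_event_log(OLD_CHAIN)
    new = replay_event_log(NEW_CHAIN)
    kernel_only = replay_event_log(KERNEL_ONLY_CHAIN)

    policy_7 = make_policy(old, [7])       # bound to Secure Boot state only
    policy_4_7 = make_policy(old, [4, 7])  # bound to the binaries as well

    # (a) precompute the post-update PCRs by replaying the new chain, then
    # (b) re-seal against the predicted values before rebooting.
    resealed = make_policy(new, [4, 7])

    return {
        "changed_by_signing_update": changed_pcrs(old, new),
        "changed_by_kernel_update": changed_pcrs(old, kernel_only),
        "policy7_survives_kernel_update": policy_matches(policy_7, kernel_only),
        "policy47_survives_kernel_update": policy_matches(policy_4_7, kernel_only),
        "policy7_survives_signing_update": policy_matches(policy_7, new),
        "resealed_policy_matches_after_reboot": policy_matches(resealed, new),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The model deliberately binds one policy to PCR 7 only and another to PCRs 4 and 7, because that choice is exactly what decides whether a given update trips the recovery path: a PCR 7 binding survives a kernel update but not a signing-chain change, and a PCR 4+7 binding survives neither unless the new values are predicted and the secret re-sealed first.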