Re: [systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread Lennart Poettering
On Fr, 09.05.25 15:58, Andrei Borzenkov (arvidj...@gmail.com) wrote: > > > The current behavior looks more like the case for auto-detection - check > > > what existing measurements are covered by predictions and incorporate > > > those > > > PCRs. I.e. when no explicit --pcr= option is present. >

Re: [systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread aplanas
On 2025-05-09 13:03, Lennart Poettering wrote: On Fr, 09.05.25 15:58, Andrei Borzenkov (arvidj...@gmail.com) wrote: > If you want explicit config, use the simpler PCR protections > systemd-cryptsetup gives you, and avoid pcrlock. I obviously want to use pcrlock to have alternatives (like being

Re: [systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread Lennart Poettering
On Fr, 09.05.25 15:36, Andrei Borzenkov (arvidj...@gmail.com) wrote: > I know that it is documented, but that leads to a rather bad user experience. > The user requests specific protection via the --pcr= option, pcrlock decides to skip > (some of) them and binds unlocking to just a subset of PCRs

Re: [systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread aplanas
On 2025-05-09 12:36, Andrei Borzenkov wrote: I know that it is documented, but that leads to a rather bad user experience. The user requests specific protection via the --pcr= option, pcrlock decides to skip (some of) them and binds unlocking to just a subset of PCRs, pretending that the operation succeeded

Re: [systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread Andrei Borzenkov
09.05.2025 15:45, Lennart Poettering wrote: On Fr, 09.05.25 15:36, Andrei Borzenkov (arvidj...@gmail.com) wrote: I know that it is documented, but that leads to a rather bad user experience. The user requests specific protection via the --pcr= option, pcrlock decides to skip (some of) them and

Re: [systemd-devel] Recommended way of running additional event handlers on coredumps?

2025-05-09 Thread Lennart Poettering
On Fr, 09.05.25 09:31, Johannes Barthel (johannes.bart...@farming-revolution.com) wrote: > Hi, > > we're using an Ubuntu setup where systemd-coredump is set up as the coredump > handler. This is fine, coredumps end up in /var/lib/systemd/coredump/. We > would however like to additionally run ou

[systemd-devel] systemd-pcrlock silently ignores user requested PCRs downgrading security

2025-05-09 Thread Andrei Borzenkov
I know that it is documented, but that leads to a rather bad user experience. The user requests specific protection via the --pcr= option, pcrlock decides to skip (some of) them and binds unlocking to just a subset of PCRs, pretending that the operation succeeded. At this point the user believes that the syst

Re: [systemd-devel] Recommended way of running additional event handlers on coredumps?

2025-05-09 Thread Luca Boccassi
On Fri, 9 May 2025 at 11:45, Johannes Barthel wrote: > > Hi, > > we're using an Ubuntu setup where systemd-coredump is set up as the coredump > handler. This is fine, coredumps end up in /var/lib/systemd/coredump/. We > would however like to additionally run our own event handler (for remote >

Re: [systemd-devel] Recommended way of running additional event handlers on coredumps?

2025-05-09 Thread Itxaka Serrano Garcia
This may not be correct, but have you tried overriding the systemd-coredump@.service to add an ExecStartPost=your_script_here? If I understand correctly, the socket activates the service, which is the one that does the dumping itself, so maybe that or a PRE would work for you? Hope it helps, as seems
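The override suggested in the reply above, written out as a drop-in unit. This is an added example, not code from the thread or from the systemd project; the handler path /usr/local/bin/report-coredump is a placeholder for your own reporting script.

```ini
# /etc/systemd/system/systemd-coredump@.service.d/50-report.conf
# Added example drop-in for the socket-activated dump service.
# /usr/local/bin/report-coredump is a hypothetical handler script.
[Service]
# ExecStartPost= runs inside the same unit as systemd-coredump itself:
# the stock unit's User=, ProtectSystem=, PrivateNetwork= and the other
# sandboxing directives apply to this command as well.
ExecStartPost=/usr/local/bin/report-coredump
```

Run `systemctl daemon-reload` and check the merged result with `systemctl cat systemd-coredump@.service` before relying on it. Two things to verify in that output: the stock unit's Type= decides when the hook fires (with the default Type=simple, ExecStartPost= runs as soon as the main process has been spawned, so the dump may still be in progress; with Type=oneshot it runs only after the dump process has exited), and the stock unit's hardening decides what the hook can do (a handler doing remote error reporting needs network access, which directives such as PrivateNetwork= or RestrictAddressFamilies= in that unit would deny).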

[systemd-devel] Recommended way of running additional event handlers on coredumps?

2025-05-09 Thread Johannes Barthel
Hi, we're using an Ubuntu setup where systemd-coredump is set up as the coredump handler. This is fine, coredumps end up in /var/lib/systemd/coredump/. We would however like to additionally run our own event handler (for remote error reporting) in case of a process dumping core. Does systemd-c