usr/lib/tik/modules/post/15-encrypt (+3 -3)
@@ -107,13 +107,13 @@ configure_encryption() {
107
107
# If Default mode has been detected, configure PCR policy
108
108
if [ "${tik_encrypt_mode}" == 0 ]; then
109
109
# Explaining the chosen PCR list below
110
-
# - 0 - UEFI firmware, will require recovery key after firmware update
111
110
# - 4 - Bootloader and drivers, should never recovery key as bootloader should only be updated with new PCR measurements
112
111
# - 5 - GPT Partition table, should never require recovery key as partition layout shouldn't change
113
112
# - 7 - SecureBoot state, will require recovery key if SecureBoot is enabled/disabled
114
113
# - 9 - initrd - should never require recovery key as initrd should only be updated with new PCR measurements
115
-
echo "FDE_SEAL_PCR_LIST=0,4,5,7,9" | prun tee ${encrypt_dir}/mnt/etc/sysconfig/fde-tools
114
+
echo "FDE_SEAL_PCR_LIST=4,5,7,9" | prun tee ${encrypt_dir}/mnt/etc/sysconfig/fde-tools
116
115
# Explaining why the following PCRs were not used
116
+
# - 0 - UEFI firmware, will require recovery key after firmware update and is particularly painful to re-enrol
117
117
# - 1 - Not only changes with CPU/RAM/hardware changes, but also when UEFI config changes are made, which is too common to lockdown
118
118
# - 2 - Includes option ROMs on pluggable hardware, such as external GPUs. Attaching a GPU to your laptop shouldn't hinder booting.
119
119
# - 3 - Firmware from pluggable hardware. Attaching hardware to your laptop shouldn't hinder booting
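Review bot: the rationale added at line 116 for dropping PCR 0 states only the usability cost ("particularly painful to re-enrol"), not what is given up. With the seal list reduced to `4,5,7,9` the UEFI firmware image is no longer bound into the policy, and PCR 7 records the Secure Boot policy and the certificates used to verify boot images rather than the firmware code itself, so a modified or downgraded firmware that keeps Secure Boot enabled and loads the same bootloader and initrd will still unseal the key. Suggest saying so next to the list so the trade-off is documented where the next person will look, e.g. `# - 0 - UEFI firmware, not sealed: firmware tampering that preserves Secure Boot state and the measured boot chain is not detected by this policy`. Two smaller points in the same block: the unchanged line 110 reads "should never recovery key" and is missing "require", and `${encrypt_dir}` in the `tee` argument is unquoted, so a path containing whitespace would be split into several target files.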
@@ -178,7 +178,7 @@ add_recoveryKey() {
178
178
}
179
179
180
180
display_recoveryKey() {
181
-
local defaultmsg="This ${TIK_OS_NAME} system is encrypted and checks its own integrity on every boot\nIn the event of these integrity checks failing, you will need to use the Recovery Key provided below to enter this system\n\nLikely reasons for integrity checks failing include:\n\n• UEFI System Firmware updated\n• Secure Boot changed from enabled or disabled\n• Boot drive was moved to a different computer\n• Disk partitions were changed\n• Boot loader or initrd were altered unexpectedly\n\nIf you are unaware as to why the system is requesting the recovery key, this systems security may have been compromised\nThe best course of action may be to not unlock the disk until you can determine what changed to require the Recovery Key\n\nThis systems Recovery Key is:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\n\n"
181
+
local defaultmsg="This ${TIK_OS_NAME} system is encrypted and checks its own integrity on every boot\nIn the event of these integrity checks failing, you will need to use the Recovery Key provided below to enter this system\n\nLikely reasons for integrity checks failing include:\n\n• Secure Boot changed from enabled or disabled\n• Boot drive was moved to a different computer\n• Disk partitions were changed\n• Boot loader or initrd were altered unexpectedly\n\nIf you are unaware as to why the system is requesting the recovery key, this systems security may have been compromised\nThe best course of action may be to not unlock the disk until you can determine what changed to require the Recovery Key\n\nThis systems Recovery Key is:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\n\n"
182
182
local fallbackmsg="In addition to your Passphrase a Recovery Key has been generated:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\nIt may be used to regain access to this system if the other Passphrase becomes lost or forgotten\n\n"
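Review bot: removing "UEFI System Firmware updated" from the likely reasons is consistent with PCR 0 leaving the seal list, but a firmware update can still cause the recovery prompt indirectly when it resets Secure Boot settings or the signature databases, since that changes PCR 7; consider keeping an entry such as `• UEFI firmware update that reset Secure Boot settings` so users are not told a firmware update cannot be the cause. While this string is being touched, "Secure Boot changed from enabled or disabled" reads oddly (suggest "Secure Boot was enabled or disabled"), and "this systems security" / "This systems Recovery Key" need the possessive ("system's"); the same apostrophes are missing in the unchanged line 182 wording too.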