Cole Johnson
Confirmed @zamirTo1 's fix works!
Confirmed that a different PCR config actually fixes this. We needed to add in PCR4 `{"pcr_ids": "0,1,2,4"}` to safeguard against different changes in boot manager states. I think this is...
Thanks @savchenko, after some more digging, it seems that `{"pcr_ids": "0,1,8"}` fits our use case better. IDs 5 and 7 didn't seem to be quite what we were looking...
@savchenko after using a machine for some time with the increased number of PCR IDs (in this case, either 0,1,8 or 0,1,4), I've found that both of these combinations can...
This occurs across several different Lenovo models (X1, P1) running Ubuntu 20.04 LTS with TPM 2.0 enabled with Clevis. CSM is disabled on these machines. We can reliably reproduce this...
If you set a GRUB2 password you are now prompted for a GRUB password at every bootup, which _yes_, resolves this vulnerability, but isn't a worthwhile solution since you are...
I've also looked at modifying the recovery menu root selection file to require a password, but I'm hesitant to rely on this never changing long-term, since Ubuntu/Linux could easily push...
@sergio-correia 👋 if we wanted to look at contributing to clevis in order to disable it from auto-unlocking volumes during recovery boot, can you point us in the right direction?...
@dannf, thanks for your thoughts. While I understand your perspective for a single-user use-case of Clevis, I think larger organizations are always going to want the benefit of storing keys...
Just to be sure, I went back and tried extending PCR IDs 13, 14, and 12, both in combinations and by themselves (in addition to the other minimal PCR IDs...