Gerd Hoffmann
option two shortcoming #1 -- seems to not be documented very well. Is there something more useful than the object reference (which doesn't tell me how I can use it)?...
> It seems to me the line being drawn here is extremely arbitrary, and doesn't make much sense to me. Why is there any practical difference between the first mount...
> How do you know there aren't other disks that get mounted, by something else other than systemd, stored in exactly the same way? That wouldn't happen out-of-the-blue. It'll be...
> Maybe we should simply measure the GPT partition table when we use it? (doesn't uefi do that anyway somewhere?) that is sufficiently short and everything that gpt-auto discovery...
> btw, systemd nowadays picks up credentials (i.e. this stuff: https://systemd.io/CREDENTIALS/) from smbios type 11. Should systemd measure them if we pick them up from there? I presume so? Good...
> I am more interested in the general case. i.e. qemu might measure this, but what about other hypervisors? And there apparently is interest supporting smbios type 11 in redfish,...
> efi variables that systemd reads (or are those measured anyway by firmware?) Not needed I think. In confidential VMs the initial state of the variable store is measured, and...
> Confidential VMs won't have persistent variable storage anyway. The OVMF builds are done such that variables are non-persistent / stateless. The initial state can be changed though. > Since...
You might want to revert 9c79f0c5ddacc172bca8b1d86c384614672a5423 then. That wraps qemu into a 'timeout' call so in case it hangs for whatever reason it gets killed with SIGALARM and the cleanup functions...
> Do we know how this value `65k` is determined? are there other options that we might need to set? > > aka I wonder if we could add an...