Closed lcp closed 10 months ago
Does this change the tpm2 policy template? Does grub2 provide a mechanism to adjust the template? IIRC there is no what in systemd (and this can break https://github.com/okirch/pcr-oracle/pull/31)
> Does this change the tpm2 policy template?
Yes, the RSA bits field in the template will be changed.
> Does grub2 provide a mechanism to adjust the template?
My V6 patchset adds more SRK types by parsing the `-a` parameter for `tpm2_key_protector_init`.
https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00026.html
> IIRC there is no what in systemd (and this can break #31)
Hmmm, I'll check #31 and see if we can work out a compatible way.
It seems that the systemd token doesn't provide a field to change the RSA key size of SRK. Anyway, RSA2048 is still the default and we can document that changing RSA key size of SRK is not supported by systemd for the time being.
For users who require better security settings, an RSA key size larger than 2048 bits may be desired. To support more RSA key sizes, '--rsa-bits' is introduced to specify the key size. An additional subcommand, rsa-test, is also added to allow the user to check the supported RSA key sizes in the TPM chip.