Introduction In user space Full Disk Encryption (FDE), as opposed to the boot loader based FDE, developers for openSUSE supported signed policy and NVIndex p...

OpenSUSE's platform is a resource for Linux enthusiasts and open-source software developers, offering insights into the OpenSUSE distribution, Linux desktop environments, and open-source community initiatives. Through articles, tutorials, and community forums, OpenSUSE offers insights into Linux system administration, software packaging, and desktop customization. Readers can learn about installing OpenSUSE, configuring Linux services, and contributing to open-source projects to enhance their Linux skills and engage with the OpenSUSE community.

openSUSE

openSUSE's next version of sdbootutil will drop pcr-oracle in favor of systemd-pcrlock for user space Full Disk Encryption. The signed policy approach used by pcr-oracle is vulnerable to rollback attacks and requires ongoing maintenance for multiple bootloaders (GRUB2 and systemd-boot). The NVIndex policy via systemd-pcrlock stores the policy in TPM2 non-volatile RAM, mitigating rollback attacks. Migration is straightforward for TPM2 devices produced after 2016 using two sdbootutil commands. Older TPM2 devices without policyAuthorizeNV support must fall back to password enrollment.

Dropping pcr-oracle in user space Full Disk Encryption