joel/archinstall-luks2-lvm2-secureboot-tpm2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README with TPM security recommendations

Browse Source 
Add warning about sealing the TPM against raw PCR values
This commit is contained in:
Joel Mathew Thomas
2026-02-26 02:16:38 +05:30
committed by GitHub
parent 6a5c3b6a9b
commit 3525b9c25d
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1
View File
@@ -613,6 +613,7 @@ $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-public-key
> [!WARNING] > [!WARNING]
> It is recommended to use a pin to unlock the TPM, instead of allowing it to unlock automatically, for more security. > It is recommended to use a pin to unlock the TPM, instead of allowing it to unlock automatically, for more security.
> Use `--tpm2-with-pin=no` **only** if you are comfortable with TPM unlocking without user interaction (this is the default behavior). > Use `--tpm2-with-pin=no` **only** if you are comfortable with TPM unlocking without user interaction (this is the default behavior).
> Do not use `--tpm2-pcrs=11` here. This option seals the LUKS key to the current raw PCR value and will break after kernel or initramfs updates.
``` ```
Additional Flags Additional Flags