Bug
Resolution: Unresolved
rhel-10.0
rhel-bootloader
Bootloader Sprint 2025.4
x86_64
What were you trying to do that didn't work?
GRUB measures the entire config that it reads into PCR 8. It also measures the config generated as part of the BLS config support.
The configuration includes UUIDs that are local to the system, and the config generated from the BLS config also varies on each update.
Thus the PCR 8 value is difficult to predict in advance.
What is the impact of this issue to you?
The PCR 8 value is difficult to predict in advance, making remote attestation difficult.
Please provide the package NVR for which the bug is seen:
I have not tried on RHEL 10.0 again but the last time I tried was in Fedora 41 or 42.
How reproducible is this bug?:
Always.
Steps to reproduce
- Set up a system with a GRUB config using BLS configs and boot it
- Look at the elements measured in PCR 8
Expected results
No config is measured in PCR 8 or a predictable config is measured.
Actual results
The entire GRUB config is measured in PCR 8.
Is related to: COS-2073 Confidential Computing: composefs-rs integration in bootc (In Progress)
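The effect described in the report, as an added example that is not part of the original report or of GRUB's code: it replays a command list into a simulated SHA-256 PCR using the TPM extend rule, and shows that changing only the root filesystem UUID or the kernel version yields a different final PCR 8 value. The command strings, UUIDs and kernel versions are constructed, and the exact bytes GRUB hashes for each command are an assumption here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def replay(commands) -> bytes:
    """Replay measured commands in order, starting from an all-zero PCR."""
    pcr = bytes(PCR_SIZE)
    for cmd in commands:
        # Assumption: each command string is hashed as its UTF-8 bytes.
        pcr = extend(pcr, cmd.encode())
    return pcr


def grub_commands(root_uuid: str, kernel_version: str):
    """Constructed, simplified stand-in for the commands a BLS-based
    GRUB config ends up executing (hypothetical helper)."""
    return [
        "set timeout=5",
        f"search --no-floppy --fs-uuid --set=root {root_uuid}",
        f"linux /vmlinuz-{kernel_version} root=UUID={root_uuid} ro",
        f"initrd /initramfs-{kernel_version}.img",
    ]


def first_divergence(a, b):
    """Index of the first differing measured command, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    # Constructed sample values: two hosts, then one host after a kernel update.
    host_a = grub_commands("11111111-1111-1111-1111-111111111111", "6.12.0-1")
    host_b = grub_commands("22222222-2222-2222-2222-222222222222", "6.12.0-1")
    updated = grub_commands("11111111-1111-1111-1111-111111111111", "6.12.0-2")
    for name, cmds in (("host A", host_a), ("host B", host_b), ("A updated", updated)):
        print(f"{name:10} PCR8 = {replay(cmds).hex()}")
    print("A vs B diverge at command", first_divergence(host_a, host_b))
    print("A vs updated diverge at command", first_divergence(host_a, updated))
```

Because each extend folds the previous value into the next, a verifier holding only the final digest cannot tell which command differed; comparing the replayed event list entry by entry can.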