We need to decide on the criteria for unlocking local storage. The encryption key is currently bound to the static PCR 7 value combined with a valid signature for PCR 11. PCR 7 changes whenever any secure boot settings are changed (adding/removing keys, disabling/enabling secure boot, etc.). Mangos' UKIs contain the expected PCR 11 values signed by our key, so its validity indicates that we've booted one of our kernels.
We also have the option of binding the encryption key to the network. This would prevent an attacker from being able to steal a Mangos system and boot it outside of its expected infrastructure. On the flip side, if the system happens to restart while it's disconnected, it won't be able to boot, so there's a security / resilience trade-off.
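The unlock criteria described above, modelled as an added example that is not part of the original issue or the Mangos code base. The measurement logs, key and function names are constructed for illustration, and an HMAC stands in for the asymmetric signature a real TPM policy would verify.

```python
import hashlib
import hmac

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def replay(events) -> bytes:
    """Replay a measurement log starting from the all-zero reset value."""
    pcr = bytes(32)
    for e in events:
        pcr = extend(pcr, e)
    return pcr

# Constructed stand-in for the vendor signing key (assumption). A real TPM
# checks an asymmetric signature; HMAC keeps this model stdlib-only.
VENDOR_KEY = b"constructed-demo-key"

def sign_pcr11(pcr11: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, b"pcr11:" + pcr11, hashlib.sha256).digest()

def can_unlock(sealed_pcr7, pcr7, pcr11, pcr11_sig,
               require_network=False, on_network=True):
    """Return (ok, reason) for the unlock criteria discussed in the issue."""
    if not hmac.compare_digest(sealed_pcr7, pcr7):
        return False, "PCR 7 differs from enrolment (secure boot settings changed)"
    if not hmac.compare_digest(sign_pcr11(pcr11), pcr11_sig):
        return False, "no valid signature for the measured PCR 11"
    if require_network and not on_network:
        return False, "network binding required but host is offline"
    return True, "unlock"

# Constructed measurement logs (not real firmware or UKI events).
SB = [b"SecureBoot=1", b"PK=demo", b"KEK=demo", b"db=demo-v1"]
SB_CHANGED = SB[:3] + [b"db=demo-v1+extra-key"]
UKI_V1 = [b".linux v1", b".initrd v1", b".cmdline v1"]
UKI_V2 = [b".linux v2", b".initrd v2", b".cmdline v1"]
UKI_FOREIGN = [b".linux other", b".initrd other", b".cmdline other"]

SEALED_PCR7 = replay(SB)  # static value recorded when the key was enrolled

def scenario(sb, uki, sig_for, **kw):
    """sig_for is the UKI whose embedded PCR 11 signature is presented at boot."""
    return can_unlock(SEALED_PCR7, replay(sb), replay(uki),
                      sign_pcr11(replay(sig_for)), **kw)
```

In this model a kernel update (`UKI_V2` with its own signature) unlocks without re-enrolment, while any change to the PCR 7 log requires re-sealing, and the optional network check fails closed when the host is offline.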