Trusted Boot #41
Comments
Do we need more than a good root of trust as to the state of the ROM bootblock and the payload that we're going to launch? The changes that I've made to coreboot (osresearch/coreboot@033623b and others) are fairly minimal and allow most of the policy to be set in the Linux payload instead.
Normally yes. If you also measure blobs which are executed parts of the SB and CPU via Intel TXT, then you get better sealing for more hardware parts, so the attacker can't change, for example, the CPU and SB. I want to make a TPM spec for the measurements and do the integration into coreboot. The TCPA ACPI log is also very useful if you want to pre-calculate changes after updates etc.
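The pre-calculation of PCR values from the measurement log mentioned above, as an added example that is not part of this issue thread or of coreboot's code: it replays a constructed TCPA-style event log using the TPM 1.2 extend rule (SHA-1 of the old PCR concatenated with the measured digest) and predicts which PCRs change when one component, here the payload, is updated. The component names, PCR assignments and blob contents are assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# One entry of a TCPA/TCG-style measurement log: the PCR that was extended,
# the SHA-1 digest of the measured object, and a label for the component.
Event = Tuple[int, bytes, str]
PCR_SIZE = 20                     # TPM 1.2 PCRs hold a SHA-1 digest
INITIAL_PCR = b"\x00" * PCR_SIZE  # reset value of a static PCR

def extend_sha1(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend rule: new PCR = SHA-1(old PCR || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()

def measure(blob: bytes) -> bytes:
    """Digest that a firmware stage or payload contributes when measured."""
    return hashlib.sha1(blob).digest()

def replay_log(events: Iterable[Event]) -> Dict[int, bytes]:
    """Recompute the final PCR values by replaying the log from reset state."""
    pcrs: Dict[int, bytes] = {}
    for index, digest, _label in events:
        pcrs[index] = extend_sha1(pcrs.get(index, INITIAL_PCR), digest)
    return pcrs

def log_after_update(events: List[Event], new_blobs: Dict[str, bytes]) -> List[Event]:
    """Predict the log a boot would produce if the labelled components were
    replaced by new contents, keeping the recorded order and PCR assignment."""
    return [(i, measure(new_blobs[lbl]) if lbl in new_blobs else d, lbl)
            for i, d, lbl in events]

def mismatched_pcrs(expected: Dict[int, bytes], reported: Dict[int, bytes]) -> List[int]:
    """PCR indices whose reported value differs from the replayed expectation."""
    return sorted(i for i in expected if reported.get(i) != expected[i])

# Constructed placeholder blobs; these are not real coreboot stages or payloads.
BLOBS = {"bootblock": b"bootblock-v1", "romstage": b"romstage-v1",
         "ramstage": b"ramstage-v1", "payload": b"linux-payload-v1"}
RECORDED_LOG: List[Event] = [(0, measure(BLOBS["bootblock"]), "bootblock"),
                             (0, measure(BLOBS["romstage"]), "romstage"),
                             (0, measure(BLOBS["ramstage"]), "ramstage"),
                             (4, measure(BLOBS["payload"]), "payload")]

if __name__ == "__main__":
    before = replay_log(RECORDED_LOG)
    after = replay_log(log_after_update(RECORDED_LOG, {"payload": b"linux-payload-v2"}))
    print("PCRs that change after the payload update:", mismatched_pcrs(before, after))
```

The same replay, run against PCR values read back from the TPM after boot, flags any PCR whose measured chain deviates from the expected one.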
Timothy Pearson also needs this for his TALOS workstation stuff. See https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation
@zaolin more criticisms around coreboot/coreboot@c79e96b?
Hey,
In order to get the maximum sealing against the platform, it would be useful to have a well-documented and feature-complete trusted boot in coreboot. I started to refactor the TPM stack and implement the missing features. Take a look at https://review.coreboot.org/#/q/status:open+tpm