On 02/04/2017, Todd Weaver <t...@puri.sm> wrote: > On 04/01/2017 04:55 PM, Trammell Hudson wrote: >> On Sat, Apr 01, 2017 at 07:43:40PM +0000, ron minnich wrote: >>> For a payload chooser and such I can offer two options: >>> 1) petitboot has a boot menu type thing >>> 2) u-root (u-root.tk) is going to have a boot menu type thing, as we've >>> been asked to do one. >> Heads is coming along in usability and has a strong focus on securing >> the boot process through TPM measurement and using the flash security >> features. > > One of the three reasons we are including TPM in hardware is because of > your great talk at 33c3 on Heads! But I failed to see that it offered > "boot menu type thing" > >> It fits the 4.9.20 Linux kernel + initrd into 4 MB, including >> all of the crypto, networking and other features. The eventual user >> kernel (or Xen hypervisor and dom0 kernel) are GPG verified and invoked >> via >> kexec for a slightly more secure, legacy free boot process. > > So this is referring more about "linux payload" than "boot menu type > thing" correct? [...] > > What we are looking at is to include or develop a solution that > accomplishes these goals: > 1) allows us to skip most of vbios (but sounds like still needs the VBT) > 2) deliver a payload that has a path toward securing the boot process > (e.g. Heads) > 3) deliver a payload that can still offer a user to install their own OS > (thus allowing user-configuration and control)
Presumably petitboot, u-root, or another "boot menu type thing" could be included in Heads? This would seem to be the best outcome.* Whether that would still fit into 4MB is another matter, but it seems worth a try. Even 8MB or 12MB would make it usable on some existing motherboards without the need to desolder anything. I look forward to seeing what emerges from your (hopeful) collaboration! * Formal verification of all this would be even better, but that's probably several years in the future :) -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot