[tboot-devel] booting tboot directly as EFI STUB?

2016-04-18 Thread Jan Schermer
Hello,
is it possible to add support for loading tboot directly instead of using GRUB, 
in the same way Linux kernel supports it?
https://www.kernel.org/doc/Documentation/efi-stub.txt

This would greatly simplify the setup of tboot and remove one unnecessary 
component (grub) which presents a quite large attack surface.

This way tboot would get measured by BIOS directly into CRTM, and we could 
immediately follow DRTM from here...
And I could maybe sign the tboot binary for Secure Boot instead of using 
poorly-documented GRUB :-)

Thanks

Jan



--
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel


Re: [tboot-devel] booting tboot directly as EFI STUB?

2016-04-18 Thread Sun, Ning
Hi Jan,

Thanks for your email, currently tboot works with grub on both UEFI and legacy 
platforms.
Meanwhile, we are working on a PoC of UEFI 64 bit tboot, which will support 
multiple usages including what you mentioned in your email.
As this work is non-trivial, any suggestions/proposals are welcome!

Thanks,
-Ning

-Original Message-
From: Jan Schermer [mailto:j...@schermer.cz] 
Sent: Monday, April 18, 2016 4:59 AM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] booting tboot directly as EFI STUB?

Hello,
is it possible to add support for loading tboot directly instead of using GRUB, 
in the same way Linux kernel supports it?
https://www.kernel.org/doc/Documentation/efi-stub.txt

This would greatly simplify the setup of tboot and remove one unnecessary 
component (grub) which presents a quite large attack surface.

This way tboot would get measured by BIOS directly into CRTM, and we could 
immediately follow DRTM from here...
And I could maybe sign the tboot binary for Secure Boot instead of using 
poorly-documented GRUB :-)

Thanks

Jan





Re: [tboot-devel] booting tboot directly as EFI STUB?

2016-04-18 Thread Jan Schermer
Thank you for your reply.
I am new to tboot, now in the process of designing our own PoC around it.

I am also only a user (sorry for invading your -devel list) but so far I can 
point to those areas for improvement from my perspective:

1) documentation
- examples! (gentoo wiki is a prime example of how it can organically 
work, not sure if tboot community is large enough and NDA-less for it to work, 
though).
- some better docs for policy tools!
For example
man page of lcp_crtpolelt:
  [--ctrl pol-elt-ctr1] PolEltControl field (hex or decimal)
Now try googling "PolEltControl" :) or perhaps I'm not supposed to care about 
that? :)
(other tools have --ctrl parameter as well, and I have no idea about those 
either)
Also, this seems to be a common theme to things TCG-related, like TPM. I 
actually have to revert to ordering real books from Amazon to get any 
real-world information it seems.

Or for example better introduction to tboot's own policy (what it does, how it 
relates to LCP, when it is useful and when not - I confess that I'm confused)
There's more, but I'm still learning so I'll ask after reading the TCG specs 
and other docs again in case I missed something.

2) Some utility to decode the SINIT error codes (since you're from Intel... :)
I tried decoding them but my sinit is ancient, and the error codes are not 
listed for it anywhere

3) Better error reporting
Took me a while before I found out I don't have the necessary NVRAM indexes, 
the error message was not helpful.
This was because I tried copy&pasting an example that omitted creating those 
areas, now it feels natural once I figured (almost) how some things work, but 
for someone new this might be an unnecessary obstacle. I guess it comes back to 
documentation...


Btw I am looking for a consultant ($, but not big $$$ for now :), preferably 
someone with knowledge about TPM, TXT (or any form of measured/verified/trusted 
launch), and possibly SED drives. It's a sad reality that everyone around me 
never used UEFI apart from reinstalling Windows on a gf's laptop, and TPM is 
synonymous with "smartcard"...

My goal is to have the OS installed on SED drives that get decrypted by a key 
sealed by TPM to specific PCRs (attesting that my vmlinuz/initramfs are 
running) to prevent copying the installation and tampering ("integrity" comes 
by "proof of decryption" in my current scenario). Sounds simple in theory but I 
get stopped by me not having the knowledge, nobody around me having the 
knowledge and google refusing to find the knowledge. Also, all vendors are 
surprisingly clueless about any of this(?!) and all focus seems to be on 
workstations.

Is there someone who might be able to help me on this?

Thanks
Jan



> On 18 Apr 2016, at 18:31, Sun, Ning  wrote:
> 
> Hi Jan,
> 
> Thanks for your email, currently tboot works with grub on both UEFI and 
> legacy platforms.
> Meanwhile, we are working on a PoC of UEFI 64 bit tboot, which will support 
> multiple usages including what you mentioned in your email.
> As this work is non-trivial, any suggestions/proposals are welcome!
> 
> Thanks,
> -Ning
> 
> -Original Message-
> From: Jan Schermer [mailto:j...@schermer.cz] 
> Sent: Monday, April 18, 2016 4:59 AM
> To: tboot-devel@lists.sourceforge.net
> Subject: [tboot-devel] booting tboot directly as EFI STUB?
> 
> Hello,
> is it possible to add support for loading tboot directly instead of using 
> GRUB, in the same way Linux kernel supports it?
> https://www.kernel.org/doc/Documentation/efi-stub.txt
> 
> This would greatly simplify the setup of tboot and remove one unnecessary 
> component (grub) which presents a quite large attack surface.
> 
> This way tboot would get measured by BIOS directly into CRTM, and we could 
> immediately follow DRTM from here...
> And I could maybe sign the tboot binary for Secure Boot instead of using 
> poorly-documented GRUB :-)
> 
> Thanks
> 
> Jan
> 
> 
> 



Re: [tboot-devel] booting tboot directly as EFI STUB?

2016-04-18 Thread Dr. Greg Wettstein
On Apr 18,  8:55pm, Jan Schermer wrote:
} Subject: Re: [tboot-devel] booting tboot directly as EFI STUB?

Good afternoon, I hope this note finds the day going well for
everyone.

> > > -Original Message-
> > > From: Jan Schermer [mailto:j...@schermer.cz] 
> > > Sent: Monday, April 18, 2016 4:59 AM
> > > To: tboot-devel@lists.sourceforge.net
> > > Subject: [tboot-devel] booting tboot directly as EFI STUB?
> > > 
> > > Hello,
> > >
> > > is it possible to add support for loading tboot directly instead
> > > of using GRUB, in the same way Linux kernel supports it?
> > > https://www.kernel.org/doc/Documentation/efi-stub.txt
> > >
> > > This would greatly simplify the setup of tboot and remove one
> > > unnecessary component (grub) which presents a quite large attack
> > > surface.
> > >
> > > This way tboot would get measured by BIOS directly into CRTM,
> > > and we could immediately follow DRTM from here...  And I could
> > > maybe sign the tboot binary for Secure Boot instead of using
> > > poorly-documented GRUB :-)
> >
> > On 18 Apr 2016, at 18:31, Sun, Ning  wrote:
> > 
> > Hi Jan,
> >
> > Thanks for your email, currently tboot works with grub on both
> > UEFI and legacy platforms.  Meanwhile, we are working on a PoC of
> > UEFI 64 bit tboot, which will support multiple usages including
> > what you mentioned in your email.  As this work is non-trivial,
> > any suggestions/proposals are welcome!
> >
> > Thanks,
> > -Ning
> >
> Thank you for your reply.
>
> I am new to tboot, now in the process of designing our own PoC
> around it.
>
> I am also only a user (sorry for invading your -devel list) but so
> far I can point to those areas for improvement from my perspective:
>
> 1) documentation
>
>   - examples! (gentoo wiki is a prime example of how it can
> organically work, not sure if tboot community is large enough and
> NDA-less for it to work, though).
>
>   - some better docs for policy tools!
> For example
> man page of lcp_crtpolelt:
>   [--ctrl pol-elt-ctr1] PolEltControl field (hex or decimal)
>
> Now try googling "PolEltControl" :) or perhaps I'm not supposed to
> care about that? :) (other tools have --ctrl parameter as well, and
> I have no idea about those either)
>
> Also, this seems to be a common theme to things TCG-related, like
> TPM. I actually have to revert to ordering real books from Amazon to
> get any real-world information it seems.
>
> Or for example better introduction to tboot's own policy (what it
> does, how it relates to LCP, when it is useful and when not - I
> confess that I'm confused) There's more, but I'm still learning so
> I'll ask after reading the TCG specs and other docs again in case I
> missed something.
>
> 2)
>
> Some utility to decode the SINIT error codes (since you're from
> Intel... :) I tried decoding them but my sinit is ancient, and the
> error codes are not listed for it anywhere
>
> 3) Better error reporting
>
> Took me a while before I found out I don't have the necessary NVRAM
> indexes, the error message was not helpful.  This was because I
> tried copy&pasting an example that omitted creating those areas, now
> it feels natural once I figured (almost) how some things work, but
> for someone new this might be an unnecessary obstacle. I guess it
> comes back to documentation...
>
> Btw I am looking for a consultant ($, but not big $$$ for now :),
> preferably someone with knowledge about TPM, TXT (or any form of
> measured/verified/trusted launch), and possibly SED drives. It's a sad
> reality that everyone around me never used UEFI apart from
> reinstalling Windows on a gf's laptop, and TPM is synonymous with
> "smartcard"...
>
> My goal is to have the OS installed on SED drives that get decrypted
> by a key sealed by TPM to specific PCRs (attesting that my
> vmlinuz/initramfs are running) to prevent copying the installation and
> tampering ("integrity" comes by "proof of decryption" in my current
> scenario). Sounds simple in theory but I get stopped by me not having
> the knowledge, nobody around me having the knowledge and google
> refusing to find the knowledge. Also, all vendors are surprisingly
> clueless about any of this(?!) and all focus seems to be on
> workstations.
>
> Is there someone who might be able to help me on this?
> 
> Thanks
> Jan

TXT/tboot is a bit of a bodge right now.  So much so that we have put
the question directly to Intel as to whether or not they are serious
about the platform.

Based on the description of what you are doing I suspect you haven't
even started to run into the bugs yet :-)(

We design and build high security assurance platforms directly on top
of TXT/tboot up to and including deterministic modeling of platform
behavior.  You can find a link on the following page which points to a
presentation of ours which provides a good summary of the type of
engineering that we do:

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015/Schedule

We can provide whatever engineerin