This was not strictly true of something we demonstrated in 2017: the
capability based, formally verified, open source, Syracuse Assured Boot
Loader Executive (SABLE), which used the "late launch" Dynamic Root of
Trust for Measurement (DRTM) instructions available on AMD and Intel x86
CPUs (skinit/senter) to decrypt an operating environment conditionally
based on measurements of Trusted Computing Base (TCB) software modules
extended into TPM Platform Configuration Registers (PCRs) matching
values previously whitelisted by the system administrator. We were able
to boot not only Ubuntu but also the formally verified seL4 microkernel.
Upstream changes broke this. We have not had the resources both to
maintain SABLE and patch the upstream changes, so SABLE has bit-rotted;
when we obtain the necessary resources, we would really like again to be
able to boot not only seL4 (our primary target) but also more popular
kernels (primarily Linux where the distro that is our usual focus and
tool is Ubuntu).
On 6/13/2024 8:40 AM, Julian Andres Klode wrote:
> ...
> Please note that encryption of /boot is security by obscurity: The data
> is encrypted, but not authenticated so it is still subject to chosen
> plaintext attacks, as is any encrypted data. You do not need obscurity
> for public knowledge like kernel and initrd content, it's only valuable
> for your personal private data.
>
> A secure chain needs to authenticate the initrd against a certificate.
> For example, Ubuntu Desktop TPM FDE offers fully authenticated early
> boot environments...
--
Stuart W. Card, PhD: VP & Chief Scientist, Critical Technologies Inc.
Superior Engineering Solutions for Trustworthy Networked Autonomy
* Creativity * Diversity * Expertise * Flexibility * Integrity *
Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501
315-793-0248 x141 FAX -9710 www.critical.com
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1062623
Title:
enable grub-2.00 boot-from-luks support
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1062623/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs