This was not strictly true of something we demonstrated in 2017: the capability based, formally verified, open source, Syracuse Assured Boot Loader Executive (SABLE), which used the "late launch" Dynamic Root of Trust for Measurement (DRTM) instructions available on AMD and Intel x86 CPUs (skinit/senter) to decrypt an operating environment conditionally based on measurements of Trusted Computing Base (TCB) software modules extended into TPM Platform Configuration Registers (PCRs) matching values previously whitelisted by the system administrator. We were able to boot not only Ubuntu but also the formally verified seL4 microkernel. Upstream changes broke this. We have not had the resources both to maintain SABLE and patch the upstream changes, so SABLE has bit-rotted; when we obtain the necessary resources, we would really like again to be able to boot not only seL4 (our primary target) but also more popular kernels (primarily Linux where the distro that is our usual focus and tool is Ubuntu).
On 6/13/2024 8:40 AM, Julian Andres Klode wrote: > ... > Please note that encryption of /boot is security by obscurity: The data > is encrypted, but not authenticated so it is still subject to chosen > plaintext attacks, as is any encrypted data. You do not need obscurity > for public knowledge like kernel and initrd content, it's only valuable > for your personal private data. > > A secure chain needs to authenticate the initrd against a certificate. > For example, Ubuntu Desktop TPM FDE offers fully authenticated early > boot environments... -- Stuart W. Card, PhD: VP & Chief Scientist, Critical Technologies Inc. Superior Engineering Solutions for Trustworthy Networked Autonomy * Creativity * Diversity * Expertise * Flexibility * Integrity * Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501 315-793-0248 x141 FAX -9710 <stu.c...@critical.com> www.critical.com -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1062623 Title: enable grub-2.00 boot-from-luks support To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1062623/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs