Hi all,
This is a patch to support Trusted Boot using a security chip on PC
platform.
Recently, a number of PC platforms support security chip
(TPM, Trusted Platform Module). For more detail about this security
technology, the specifications and documentation are available from
TCG (Trusted Computing Group) site:
https://www.trustedcomputinggroup.org/downloads/specifications/pcclient/pcclient
TPM chip supports unique security capabilities, RTM (Root of Trust
for Measurement) and RTR (Root of Trust for Reporting).
It protect an integrity of the platform and we will be able to detect
unexpected modification against the software components.
Transitive Trust is a new concept and achieved by special boot
sequence from initial boot code through the run-time environment.
The BIOS has been support this capability. Starting from the initial
boot code, The MBR (stage1) has been measured by BIOS.
IBM colleagues submitted the IBM Integrity Measurement
Architecture (IMA) to LKML (e.g. http://lkml.org/lkml/2005/5/20/59),
This is a kernel extension to support the integrity measurement of the
user space executable. However the security requirement is this Linux
kernel must be measured by its bootloader, otherwise integrity
information does not bind with hardware-based root of trust and not
fully protected by TPM. Thus we made this patch.
To build the Transitive Trust, each stage are first measured before
execution control is transferred basically, The measurement
operation flow for grub legacy is as follows.
0) BIOS measures stage1
1) stag 1 measures 1st. sector of stage1.5 and jump to stage 1.5
2) 1st. sector of stage1.5 measures rest of stage 1.5
3) stage1.5 measures stage2
4) stage2 measures grub.conf
5) stage2 measures kernel and module images.
6) stage2 boots measured operating system
To get the space in stage1(MBR), we eliminate the CHS support.:-(
This work was done for grub legacy. I'm trying to learn the Grub 2.
I think Grub 2 will be able to support TCG in a similar way.
I will propose the TCG patch for grub 2 later.
Thanks,
Signed-off-by: Seiji Munetoh <[EMAIL PROTECTED]>
grub-0.97-tcg.patch.gz
Description: Binary data
_______________________________________________ Bug-grub mailing list Bug-grub@gnu.org http://lists.gnu.org/mailman/listinfo/bug-grub