Hej Thomas,

On 15:52 Tue 19 Aug, Thomas Strobel wrote:
> Hi!
>
> I'm new to tboot (and to tboot-devel), and I would have a question.
>
> I don't know if it's common on this mailing list, but before I ask, a
> few words about myself.
> I'm a PhD student in physics, and a long time Linux user. I came across
> tboot during my attempt to turn a NixOS based laptop into a trusted boot
> platform.
>
> I wanted to ask if tboot can be used with the gummiboot boot manager? Is
> that possible, and if so, could someone provide me with an example or
> some hints?
> So far I've only read about tboot's integration with GRUB.
>

Afaik tboot has no EFI stub, so it won't work with gummiboot. Tboot
wants to be loaded by a multiboot-compatible bootloader - which in turn
can be located in EFI space (grub2 can be in EFI mode and load tboot with
multiboot2).

>
> Also, what are the intersections between tboot and TrustedGRUB? I'm just
> trying to understand what to use tboot for, and when to revert to
> TrustedGRUB.
>

TrustedGRUB and tboot are different in that the first uses the static
chain of trust and the second the dynamic (for which it needs the Intel
TXT extension in addition to the TPM, which is also required for the first)
- both are ways specified by the TCG for a trusted platform.

Dynamic trust has some advantages over the static, because you have more
control over what you want to measure and what defines "trust" for you.
Static trust is mostly defined by your BIOS vendor and can be fragile
depending on what the BIOS decides to measure and what not (there is no
standard for that to my knowledge). Note that you can still measure the
BIOS with the dynamic chain. (If that tells you nothing, you may want to
read about TPM first ;) )

I'd say, if your hardware has TXT, try tboot first. The TrustedGRUB
project also seems to have stalled since late 2010, which I would be
cautious of.

--
BOFH Excuse #308:
CD-ROM server needs recalibration
--
                                                          best regards,
                                                            - Benjamin Block


------------------------------------------------------------------------------
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
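
A GRUB 2 menu entry of the kind the reply above describes (GRUB, possibly in EFI mode, loading tboot through multiboot2), added here as an illustration; it is not part of the original message or taken from the tboot project's files. All file names and the root device are placeholders, and the SINIT module line assumes an Intel TXT platform that needs its SINIT ACM loaded from disk.

```grub
# Constructed example: every file name and device below is a placeholder.
menuentry 'Linux with tboot (example)' {
    # GRUB itself may be the EFI build; tboot is still loaded via multiboot2.
    insmod multiboot2
    # tboot is the multiboot2 "kernel"; it performs the measured launch.
    multiboot2 /tboot.gz logging=serial,memory
    # The real Linux kernel and initrd are handed to tboot as modules.
    module2 /vmlinuz-PLACEHOLDER root=/dev/PLACEHOLDER ro
    module2 /initrd-PLACEHOLDER.img
    # SINIT ACM matching the platform's chipset (supplied by Intel).
    module2 /SINIT-PLACEHOLDER.bin
}
```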
