Hi Benjamin,

thank you very much for your detailed reply! It's much clearer now to me what the purposes of tboot and TrustedGRUB are. :)

I would have one follow-up question, though. Can tboot only work with PCR 17 and above, or can the lower, static ones be hashed to as well?

Many thanks,
Thomas

On 08/19/2014 04:35 PM, Benjamin Block wrote:
> Hej Thomas,
>
> On 15:52 Tue 19 Aug , Thomas Strobel wrote:
>> Hi!
>>
>> I'm new to tboot (and to tboot-devel), and I would have a question.
>>
>> I don't know if it's common on this mailing list, but before I ask, a
>> few words about myself.
>> I'm a PhD student in physics, and a long time Linux user. I came across
>> tboot during my attempt to turn a NixOS based laptop into a trusted boot
>> platform.
>>
>> I wanted to ask if tboot can be used with the gummiboot boot manager? Is
>> that possible, and if so, could someone provide me with an example or
>> some hints?
>> So far I've only read about tboot's integration with GRUB.
>>
> Afaik tboot has no efi-stub, so it won't work with gummiboot. Tboot
> wants to be loaded by a multiboot-compatible bootloader - which in turn
> can be located in EFI-Space (grub2 can be in efi-mode and load tboot with
> multiboot2)
>
>> Also, what are the intersections between tboot and TrustedGRUB? I'm just
>> trying to understand what to use tboot for, and when to revert to
>> TrustedGRUB.
>>
> TrustedGRUB and tBoot are different in that the first uses the static
> chain of trust and the second the dynamic (for which it needs the Intel
> TXT-extension in addition to TPM, which is also required for the first)
> - both are ways specified by the TCG for a trusted platform.
>
> Dynamic trust has some advantages over the static, because you have more
> control over what you want to measure and what defines "trust" for you.
> Static Trust is mostly defined by your BIOS vendor and can be fragile
> depending on what the BIOS decides to measure and what not (there is no
> standard for that to my knowledge). Note that you can still measure the
> BIOS with the dynamic chain. (If that tells you nothing, you may want to
> read about TPM first ;) )
>
> I'd say, if your hardware has TXT, try tboot first. The TrustedGRUB
> project also seems to have stalled since late 2010, which I would be
> cautious of.
>
> --
> BOFH Excuse #308:
> CD-ROM server needs recalibration
> --
> best regards,
> - Benjamin Block

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
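
A simplified model of the static and dynamic chains of trust contrasted in the quoted reply, added here as an illustration; it is not code from the thread or from tboot. It uses the TPM 1.2 SHA-1 extend rule; the class name `ToyTPM`, the component byte strings and the use of PCR 0 and PCR 17 as representatives of each chain are assumptions.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


class ToyTPM:
    """Hypothetical model of a TPM 1.2 PCR bank at power-on."""

    def __init__(self):
        # Static PCRs start at all zeros and can only be extended until reboot.
        self.pcr = {i: bytes(PCR_SIZE) for i in range(0, 8)}
        # Dynamic PCRs (17 and above) read all ones until a dynamic launch.
        self.pcr.update({i: b"\xff" * PCR_SIZE for i in range(17, 23)})

    def extend(self, index, component):
        # Extend rule: PCR_new = SHA1(PCR_old || SHA1(component))
        digest = hashlib.sha1(component).digest()
        self.pcr[index] = hashlib.sha1(self.pcr[index] + digest).digest()

    def dynamic_launch(self):
        # The dynamic launch resets the dynamic PCRs to zero, so their final
        # value depends only on what is extended from this point on.
        for i in range(17, 23):
            self.pcr[i] = bytes(PCR_SIZE)


def boot(firmware_stages, launch_components):
    """Return (static PCR 0, dynamic PCR 17) after one modelled boot."""
    tpm = ToyTPM()
    for stage in firmware_stages:      # static chain: the firmware decides
        tpm.extend(0, stage)           # what gets measured here
    tpm.dynamic_launch()
    for comp in launch_components:     # dynamic chain: measured at launch
        tpm.extend(17, comp)
    return tpm.pcr[0], tpm.pcr[17]


# Constructed sample measurements, not real firmware or tboot data.
BIOS_V1 = [b"bios-1.0 (constructed)", b"option-rom (constructed)"]
BIOS_V2 = [b"bios-1.1 (constructed)", b"option-rom (constructed)"]
LAUNCH = [b"launch-module (constructed)", b"kernel (constructed)"]

if __name__ == "__main__":
    for name, bios in (("BIOS v1", BIOS_V1), ("BIOS v2", BIOS_V2)):
        static, dynamic = boot(bios, LAUNCH)
        print(name, "PCR0 ", static.hex())
        print(name, "PCR17", dynamic.hex())
```

In this model a firmware change alters PCR 0 while PCR 17 stays the same, which is the fragility of the static chain the reply describes; on real hardware the launch itself contributes further measurements to the dynamic PCRs.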