On Apr 18,  8:55pm, Jan Schermer wrote:
} Subject: Re: [tboot-devel] booting tboot directly as EFI STUB?

Good afternoon, I hope this note finds the day going well for

> > > -----Original Message-----
> > > From: Jan Schermer [mailto:j...@schermer.cz] 
> > > Sent: Monday, April 18, 2016 4:59 AM
> > > To: tboot-devel@lists.sourceforge.net
> > > Subject: [tboot-devel] booting tboot directly as EFI STUB?
> > > 
> > > Hello,
> > >
> > > is it possible to add support for loading tboot directly instead
> > > of using GRUB, in the same way Linux kernel supports it?
> > > https://www.kernel.org/doc/Documentation/efi-stub.txt
> > >
> > > This would greatly simplify the setup of tboot and remove one
> > > unnecessary component (grub) which presents a quite large attack
> > > surface.
> > >
> > > This way tboot would get measured by BIOS directly into CRTM,
> > > and we could immediately follow DRTM from here...  And I could
> > > maybe sign the tboot binary for Secure Boot instead of using
> > > poorly-documented GRUB :-)
> >
> > On 18 Apr 2016, at 18:31, Sun, Ning <ning....@intel.com> wrote:
> > 
> > Hi Jan,
> >
> > Thanks for your email, currently tboot works with grub on both
> > UEFI and legacy platforms.  Meanwhile, we are working on a PoC of
> > UEFI 64 bit tboot, which will support multiple usages including
> > what you mentioned in your email.  As this work is non-trivial,
> > any suggestions/proposals are welcome!
> >
> > Thanks,
> > -Ning
> >
> Thank you for your reply.
> I am new to tboot, now in the process of designing our own PoC
> around it.
> I am also only a user (sorry for invading your -devel list) but so
> far I can point to those areas for improvement from my perspective:
> 1) documentation
>       - examples! (the Gentoo wiki is a prime example of how it can
> organically work, not sure if tboot community is large enough and
> NDA-less for it to work, though).
>       - some better docs for policy tools!
> For example
> man page of lcp_crtpolelt:
>               [--ctrl pol-elt-ctrl] PolEltControl field (hex or decimal)
> Now try googling "PolEltControl" :) or perhaps I'm not supposed to
> care about that? :) (other tools have --ctrl parameter as well, and
> I have no idea about those either)
> Also, this seems to be a common theme to things TCG-related, like
> TPM. I actually have to revert to ordering real books from Amazon to
> get any real-world information it seems.
> Or for example better introduction to tboot's own policy (what it
> does, how it relates to LCP, when it is useful and when not - I
> confess that I'm confused) There's more, but I'm still learning so
> I'll ask after reading the TCG specs and other docs again in case if
> missed something.
> 2)
> Some utility to decode the SINIT error codes (since you're from
> Intel... :) I tried decoding them but my SINIT is ancient, and the
> error codes are not listed for it anywhere
> 3) Better error reporting
> Took me a while before I found out I don't have the necessary NVRAM
> indexes, the error message was not helpful.  This was because I
> tried copy-and-pasting an example that omitted creating those areas, now
> it feels natural once I figured (almost) how some things work, but
> for someone new this might be an unnecessary obstacle. I guess it
> comes back to documentation...
> Btw I am looking for a consultant ($, but not big $$$ for now :),
> preferably someone with knowledge about TPM, TXT (or any form of
> measured/verified/trusted launch), and possibly SED drives. It's a sad
> reality that everyone around me never used UEFI apart from
> reinstalling Windows on a gf's laptop, and TPM is synonymous with
> "smartcard"...
> My goal is to have the OS installed on SED drives that get decrypted
> by a key sealed by TPM to specific PCRs (attesting that my
> vmlinuz/initramfs are running) to prevent copying the installation and
> tampering ("integrity" comes by "proof of decryption" in my current
> scenario). Sounds simple in theory but I get stopped by me not having
> the knowledge, nobody around me having the knowledge and google
> refusing to find the knowledge. Also, all vendors are surprisingly
> clueless about any of this(?!) and all focus seems to be on
> workstations.
> Is there someone who might be able to help me on this?
> Thanks
> Jan

TXT/tboot is a bit of a bodge right now.  So much so that we have put
the question directly to Intel as to whether or not they are serious
about the platform.

Based on the description of what you are doing I suspect you haven't
even started to run into the bugs yet.... :-)

We design and build high security assurance platforms directly on top
of TXT/tboot up to and including deterministic modeling of platform
behavior.  You can find a link on the following page which points to a
presentation of ours which provides a good summary of the type of
engineering that we do:


We can provide whatever engineering your project would need if it
would make mutual sense.

We will follow up under separate cover.

Have a good evening.


}-- End of excerpt from Jan Schermer

As always,
Dr. Greg Wettstein, Ph.D, Worker
IDfusion, LLC
4206 N. 19th Ave.           Implementing measured information privacy
Fargo, ND  58102            and integrity architectures.
"Umm.. the developers behind Flame were able to hijack Windows update,
 gain access to a Microsoft code signing and website signing key while
 staying undetected in the wild for at least 2+ years.

 But System Restore 2.0 is going to stop them?  Your average piece of
 malware can survive a system restore..."
                                -- Slashdot
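Jan's goal above (a disk key "sealed by TPM to specific PCRs" so it is only released when the measured vmlinuz/initramfs actually booted) rests on one mechanism: PCR extend is an order-dependent hash chain, and a sealed object is bound to a digest over the PCR values the sealer chose. The following is an added software model of that mechanism, not tboot's code and not a TPM API; the PCR numbers (17, 18, 19), the component byte strings and the SoftTPM sealing scheme are all constructed for illustration. In real hardware the policy comparison and the key that encrypts the blob both live inside the TPM; SoftTPM only emulates that so the gating behaviour can be seen end to end.

```python
"""Software model of TPM PCR extend and PCR-bound sealing (added example).

Replays a constructed boot measurement log the way a TPM would, seals a
disk key to the predicted PCR values, then shows that the key is released
only when exactly the same components are measured in the same order.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_RESET = b"\x00" * HASH().digest_size

# Constructed stand-ins for real binaries (not real measurements).
SINIT = b"sinit-acm-v1"
MLE = b"tboot-mle"
VMLINUZ = b"vmlinuz-4.4"
INITRAMFS = b"initramfs-with-unlock-script"

# ASSUMED PCR layout for the illustration only; consult the tboot policy
# documentation for the mapping your tboot version actually uses.
GOOD_BOOT = [(17, SINIT), (18, MLE), (19, VMLINUZ), (19, INITRAMFS)]
SEALED_TO = (17, 18, 19)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: PCR <- H(PCR || digest). Order matters."""
    return HASH(pcr + digest).digest()


def replay_log(log):
    """Predict final PCR values from (index, component) entries, from reset."""
    pcrs = {}
    for idx, component in log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_RESET), HASH(component).digest())
    return pcrs


def pcr_policy_digest(pcrs, selection):
    """Composite over the selected PCRs, a stand-in for a TPM PCR policy."""
    h = HASH()
    for idx in sorted(selection):
        h.update(idx.to_bytes(4, "big") + pcrs[idx])
    return h.digest()


class SoftTPM:
    """Emulates the part a real TPM does internally: a non-exportable key
    plus a policy check that gates use of that key."""

    def __init__(self, seed: bytes):
        self._srk = HASH(b"srk" + seed).digest()  # never leaves the "TPM"

    def _keystream(self, key: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(key, ctr.to_bytes(4, "big"), HASH).digest()
            ctr += 1
        return out[:n]

    def _policy_key(self, policy: bytes) -> bytes:
        return hmac.new(self._srk, policy, HASH).digest()  # bound to policy

    def seal(self, secret: bytes, policy: bytes):
        ks = self._keystream(self._policy_key(policy), len(secret))
        return policy, bytes(a ^ b for a, b in zip(secret, ks))

    def unseal(self, blob, current_pcrs, selection) -> bytes:
        policy, ct = blob
        if not hmac.compare_digest(policy, pcr_policy_digest(current_pcrs, selection)):
            raise PermissionError("PCR policy not satisfied; key stays sealed")
        ks = self._keystream(self._policy_key(policy), len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def try_boot(tpm: SoftTPM, blob, log):
    """Return the unsealed disk key for this boot log, or None if refused."""
    try:
        return tpm.unseal(blob, replay_log(log), SEALED_TO)
    except PermissionError:
        return None


def demo():
    tpm = SoftTPM(seed=b"constructed-seed")
    disk_key = b"\x11" * 32  # constructed SED unlock key
    blob = tpm.seal(disk_key, pcr_policy_digest(replay_log(GOOD_BOOT), SEALED_TO))
    tampered = GOOD_BOOT[:3] + [(19, b"initramfs-with-backdoor")]
    swapped = GOOD_BOOT[:2] + [(19, INITRAMFS), (19, VMLINUZ)]
    return {
        "good": try_boot(tpm, blob, GOOD_BOOT),
        "tampered_initramfs": try_boot(tpm, blob, tampered),
        "same_files_wrong_order": try_boot(tpm, blob, swapped),
    }


if __name__ == "__main__":
    for case, key in demo().items():
        print(f"{case:24s} -> {'unsealed' if key else 'REFUSED'}")
```

Two practical consequences follow from the model: the "swapped" case shows that anything changing the extend sequence (a different tboot policy, an extra module, a reordered initrd) invalidates the seal even if every file is unchanged, and the "tampered" case is the whole point of the design, but it also means every legitimate kernel or initramfs update requires re-sealing the key against the new predicted PCR values before the next reboot, or the machine locks itself out.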


tboot-devel mailing list