Hello,

I have added a new branch to the TBOOT repository. This branch starts a new TBOOT version family - 2.x - that in the future will replace the current 1.9. Right now both mainline versions are supported; however, 1.9 is focused on stability and bugfixing, and new features will go to 2.x versions.

At this moment there are two features that are included in 2.x.

TBOOT binary signing.
As a result of the build process, there are now two files generated: tboot.gz and tboot.mb2. The first one is a standard gzipped ELF file; the second one is a PE binary with a multiboot2 header. It can be signed with UEFI Secure Boot signing tools, like sbsign. The signature can be verified by GRUB2 when booted with UEFI Secure Boot and the shim loader. That feature allows expanding the Secure Boot verification chain up to TBOOT. tboot.mb2 still requires the multiboot2 protocol and should be loaded in the same way as tboot.gz - by the multiboot2 command in grub.cfg. Apart from the possibility to add a signature, both tboot.gz and tboot.mb2 behave the same.

Poly1305 replaces VMAC.
TBOOT uses a MAC algorithm to keep data integrity during the S3 cycle. The VMAC algorithm, which was in TBOOT till now, was the best choice at the time when TBOOT was created in terms of security vs. performance. Now it's time to replace it with a modern option and I have decided to choose Poly1305. I did performance testing and it reaches the same throughput as VMAC with better security.

Thanks,
Lukasz
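
The S3 integrity check described in the message, as an added example that is not TBOOT's code and not part of the original post: a reference Poly1305 (RFC 8439, section 2.5) used to tag memory regions before suspend and verify them on resume. The names `seal_regions` and `verify_regions`, the length-prefixed region encoding, and the fresh random key per suspend cycle are assumptions made for illustration; how TBOOT stores the key across S3 is not covered here.

```python
import hmac
import os

P = (1 << 130) - 5                          # Poly1305 prime
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # mask applied to r
KEY_LEN = 32                                # r (16 bytes) || s (16 bytes)


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """One-time Poly1305 tag over msg (RFC 8439, section 2.5)."""
    if len(key) != KEY_LEN:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended above its top byte.
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _encode(regions) -> bytes:
    # Hypothetical encoding: length-prefix every region so that moving
    # bytes across a region boundary changes the MAC input.
    return b"".join(len(r).to_bytes(8, "little") + r for r in regions)


def seal_regions(regions):
    """Before suspend: draw a fresh key and tag all regions at once.

    Poly1305 keys are one-time: tagging two different inputs with the
    same key lets an observer recover r, so never reuse a key.
    """
    key = os.urandom(KEY_LEN)
    return key, poly1305_mac(key, _encode(regions))


def verify_regions(key: bytes, tag: bytes, regions) -> bool:
    """After resume: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag, poly1305_mac(key, _encode(regions)))


if __name__ == "__main__":
    saved = [b"constructed region A" * 4, b"constructed region B"]
    key, tag = seal_regions(saved)
    print("untouched:", verify_regions(key, tag, saved))
    print("tampered: ", verify_regions(key, tag, [saved[0], b"X" + saved[1][1:]]))
```
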