Trusted Boot in Fedora

Matthew Garrett mjg59 at srcf.ucam.org
Wed Jun 22 19:02:44 UTC 2011


http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed 
feature for F16. We've traditionally had a hard objection to the 
functionality because it required either the distribution or downloading 
of binary code that ran on the host CPU, but it seems that there'll 
shortly be systems that incorporate the appropriate sinit blob in their 
BIOS, which is a boundary we've traditionally been fine with.

However, this is the kind of feature that has a pretty significant 
impact on the distribution as a whole. FESCo decided that we should 
probably have a broader discussion about the topic. The most obvious 
issues are finding a sensible way to incorporate this into Anaconda, but 
it's also then necessary to make sure that bootloader configuration is 
updated appropriately.

Outside that, is there any other impact? Does tboot perform any 
verification of the kernels, and if so how is that configured? Is the 
expectation that an install configured with TXT will only boot trusted 
kernels, and if so what mechanism is used to verify the kernel? Is there 
any further integration work that has to be performed for this to be 
useful?

-- 
Matthew Garrett | mjg59 at srcf.ucam.org

