Trusted Boot in Fedora
Jon Ciesla
limb at jcomserv.net
Wed Jun 22 19:01:18 UTC 2011
> http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed
> feature for F16. We've traditionally had a hard objection to the
> functionality because it required either the distribution or downloading
> of binary code that ran on the host CPU, but it seems that there'll
> shortly be systems that incorporate the appropriate sinit blob in their
> BIOS, which is a boundary we've traditionally been fine with.
>
> However, this is the kind of feature that has a pretty significant
> impact on the distribution as a whole. Fesco decided that we should
> probably have a broader discussion about the topic. The most obvious
> issues are finding a sensible way to incorporate this into Anaconda, but
> it's also then necessary to make sure that bootloader configuration is
> updated appropriately.
>
> Outside that, is there any other impact? Does tboot perform any
> verification of the kernels, and if so how is that configured? Is the
> expectation that an install configured with TXT will only boot trusted
> kernels, and if so what mechanism is used to verify the kernel? Is there
> any further integration work that has to be performed for this to be
> useful?
If so, is there a mechanism to disable that functionality, or mark a
kernel as trusted, so that I could, for example, run a kernel I built
myself or one from another RPM?
-J
> --
> Matthew Garrett | mjg59 at srcf.ucam.org
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>
--
in your fear, seek only peace
in your fear, seek only love
-d. bowie
More information about the devel
mailing list