Trusted Boot in Fedora

Miloslav Trmač mitr at volny.cz
Fri Jun 24 09:15:21 UTC 2011


On Fri, Jun 24, 2011 at 11:01 AM, Camilo Mesias <camilo at mesias.co.uk> wrote:
> I don't know
> how a networked system using the technology could be differentiated
> from an (insecure) software simulation of the same from a remote
> viewer's perspective.
The attestation is signed by a key that cannot be extracted from the TPM.

> Also I don't see how it would be used in the
> world of servers where virtualisation is the way the world is going.
I suppose one would have to first authenticate the hypervisor, and
then rely on it to help authenticate the guests.

> I
> can imagine some limited application in an appliance, but only if the
> system was end-to-end secured, with a trusted kernel that only runs
> signed binaries and those binaries only running signed plugins, for
> example to play content locked material. While that is something that
> could feasibly be built with open source software, it's not something
> I imagine most users would be interested in.
An oVirt node (a tiny-footprint hypervisor appliance) fits this
description exactly.
    Mirek

