Trusted-computing September 2011

trusted-computing@lists.fedorahosted.org

4 participants
3 discussions

by Li, David

I know the spec (TCG EFI Platform Spec v1.2) doesn't explicitly mention what to do in a PXEBoot regarding kernel image TPM measurement. Sounds like this should fall into the general category of kernel measurement into PCR4 and 5. Now in my case, this is a gray area in reality. Typically PXEboot is handed by the PXE ROM in a NIC card and not by the motherboard BIOS. What if the main BIOS does its job but has to stop at the PXE ROM while the PXE ROM doesn't measure the loader and kernel image at all? In other words, if my chain of trust stops (or breaks) at the PXE ROM, is there any other way to solve this problem? Thanks. --- David Li Cloudshield Technologies SAIC

12 years, 6 months

3
9
0 / 0

Re: [Trusted-computing] A Question on EK

by Kenneth Goldman

> ----- Message from "Li, David" <LiD(a)cloudshield.com> on Thu, 8 Sep > 2011 17:15:40 -0700 ----- > > [Trusted-computing] A Question on EK > > We are supposed to trust the CA that issues the EK certificate. The > chain of trust from this point on allows creation of other keys for > signing and storage. But what if we are not sure if the CA for the > EK is 100% trustable given that the TPM vendor is not totally > trustable? Is there any way to trust all the latter key creations? > > The spec says users can create their own EK and use their own CA to > certify it. Can this approach solve the above problem? In my opinion, if you can't trust the TPM hardware (or software in a virtual TPM), the game is over. Some TPMs might allow external creation of an EK, but it's vendor specific. Others may allow you to run a command and have the TPM generate an EK. However, you don't gain any security by putting a very strong key into weak hardware. Similarly, it doesn't help to certify a weak key with a strong CA.

12 years, 7 months

1
0
0 / 0

A Question on EK

by Li, David

Hi, We are supposed to trust the CA that issues the EK certificate. The chain of trust from this point on allows creation of other keys for signing and storage. But what if we are not sure if the CA for the EK is 100% trustable given that the TPM vendor is not totally trustable? Is there any way to trust all the latter key creations? The spec says users can create their own EK and use their own CA to certify it. Can this approach solve the above problem? Thanks. --- David Li Cloudshield Technologies SAIC

12 years, 7 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Trusted-computing September 2011