Trusted-computing

trusted-computing@lists.fedorahosted.org

12 discussions

【回】火车上妈鲁朔缙评耍被民工迷昏叱咤风云
by ki279696 ki279696 11 Dec '21

11 Dec '21

火车上妈妈被民工迷昏 --》点击后面地址进入看午@夜大片: http://khaiqz953.aa345.cc/#fedoraproject1211 --》点击后面地址进入看午@夜视频: http://khaiqz953.aa345.cc/#fedoraproject1211 火车上妈妈被民工迷昏二十年后的今天，不但路修好了，而且交通工具也有了很大的变化，原来的拖拉机换成了小轿车，家家装了电话，如果家里有了病人，只需要拨打120急救电话，几分钟救护车就会赶到，村里人再也不会因为道路和交通工具而留下遗憾。而牵挂，在这块处女地上的原住民，自然应在这长久地住下去。人们不要天天用高科技来释放自己的牵挂，那样的牵挂不是牵挂而是习惯，相信长此以往，人们便不会再有“近乡情更怯，不敢问来人”的感觉，那是多么可怕！【回】火车上妈鲁朔缙评耍被民工迷昏叱咤风云如果你是鱼儿就不要渴望寥廓的蓝天，因为你有你蔚蓝的大海；火车上妈妈被民工迷昏

1 0

TPM measurement during a PXEboot
by Li, David 13 Oct '11

13 Oct '11

I know the spec (TCG EFI Platform Spec v1.2) doesn't explicitly mention what to do in a PXEBoot regarding kernel image TPM measurement. Sounds like this should fall into the general category of kernel measurement into PCR4 and 5. Now in my case, this is a gray area in reality. Typically PXEboot is handed by the PXE ROM in a NIC card and not by the motherboard BIOS. What if the main BIOS does its job but has to stop at the PXE ROM while the PXE ROM doesn't measure the loader and kernel image at all? In other words, if my chain of trust stops (or breaks) at the PXE ROM, is there any other way to solve this problem? Thanks. --- David Li Cloudshield Technologies SAIC

3 9

Re: [Trusted-computing] A Question on EK
by Kenneth Goldman 09 Sep '11

09 Sep '11

> ----- Message from "Li, David" <LiD(a)cloudshield.com> on Thu, 8 Sep > 2011 17:15:40 -0700 ----- > > [Trusted-computing] A Question on EK > > We are supposed to trust the CA that issues the EK certificate. The > chain of trust from this point on allows creation of other keys for > signing and storage. But what if we are not sure if the CA for the > EK is 100% trustable given that the TPM vendor is not totally > trustable? Is there any way to trust all the latter key creations? > > The spec says users can create their own EK and use their own CA to > certify it. Can this approach solve the above problem? In my opinion, if you can't trust the TPM hardware (or software in a virtual TPM), the game is over. Some TPMs might allow external creation of an EK, but it's vendor specific. Others may allow you to run a command and have the TPM generate an EK. However, you don't gain any security by putting a very strong key into weak hardware. Similarly, it doesn't help to certify a weak key with a strong CA.

1 0

A Question on EK
by Li, David 08 Sep '11

08 Sep '11

Hi, We are supposed to trust the CA that issues the EK certificate. The chain of trust from this point on allows creation of other keys for signing and storage. But what if we are not sure if the CA for the EK is 100% trustable given that the TPM vendor is not totally trustable? Is there any way to trust all the latter key creations? The spec says users can create their own EK and use their own CA to certify it. Can this approach solve the above problem? Thanks. --- David Li Cloudshield Technologies SAIC

1 0

Question on Trusted Boot
by Li, David 29 Aug '11

29 Aug '11

Hi, I am new to TCG. My understanding is that in SRTM BIOS itself is assumed to be trustable. It's not measured on a PC client during the boot since it's the first one being loaded and executed. But it forms the basis of chain of trustable measurements. Is this correct? What if my BIOS can't be trusted? Can I still do remote attestation of the PC client booted this way? Thanks. --- David Li Cloudshield Technologies SAIC

3 6

Question on Trusted Boot
by Kenneth Goldman 24 Aug '11

24 Aug '11

You have to be precise about whether "BIOS" means the CRTM or the rest of the BIOS after the CRTM. As you say, the CRTM has to be trusted. It's the 'core root of trust'. You have to trust that the OEM implemented it correctly, and also that the OEM protected it against software attacks. If the rest of the BIOS can't be trusted, you can still do an attestation. The remote party checks the PCRs, and it decides whether the rest of the BIOS can be trusted. trusted-computing-bounces(a)lists.fedorahosted.org wrote on 08/23/2011 08:01:05 AM: > ----- Message from "Li, David" <LiD(a)cloudshield.com> on Mon, 22 Aug > > I am new to TCG. My understanding is that in SRTM BIOS itself is > assumed to be trustable. It’s not measured on a PC client during the > boot since it’s the first one being loaded and executed. But it > forms the basis of chain of trustable measurements. Is this correct? > > What if my BIOS can’t be trusted? Can I still do remote attestation > of the PC client booted this way?

2 1

EVM patches
by Mimi Zohar 04 Apr '11

04 Apr '11

The EVM/IMA-appraisal patches have gone through a number of iterations. The latest EVM patches were posted last Monday, separately from the IMA-appraisal patches to facilitate review, but have not received any additional Acks, particularly from the fs side, which are needed for the patches to be upstreamed. Anybody on this list able to help get the needed review and Acks? Additional info: Dave Safford's whitepaper overview of the proposed Linux integrity subsystem: http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf. EVM: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.36.git/#next-evm IMA-appraisal (waiting for EVM to be upstreamed, before posting) git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6.36.git/#next-im… Digital signature extensions (Dmitry Kasatkin): http://meego.gitorious.org/meego-platform-security/ima-ksign Digital signature utilities (Dmitry Kasatkin): http://meego.gitorious.org/meego-platform-security/evm-utils. Other, including a sample dracut patch to enable EVM in the initramfs: http://linux-ima.sf.net Thanks, Mimi Zohar Dave Safford

1 0

Notes from March 2 IBM / Red Hat Trusted Computing Meeting
by George Wilson 22 Mar '11

22 Mar '11

Following are notes I jotted down following the March 2, 2011 meeting between IBM and Red Hat that may be of general interest to the list. Known Attendees: Rajiv Andrade Stefan Berger Ken Goldman Steve Grubb Anthony Liguori Frank Novak Eric Paris Dimitrios Pendarakis Jack Rieden Dave Safford Lee Terrell Dan Walsh George Wilson Lee Wilson Chris Wright Kent Yoder Mimi Zohar Meeting Summary: - IBM has been open sourcing various Trusted Computing components over the last several years that are fairly uninteresting in an of themselves. - However, we have been doing so to to build out the ecosystem. - We have long had TPM device drivers in the kernel, TrouSerS, tpm-tools, and the PKCS#11 TPM token. - The big missing piece has been trusted boot, and due to that deficiency, TrouSerS has remained in Tech Preview status for quite some time. - Red Hat had stated several years ago that they were uninterested in an SRTM given the more scalable DRTM approach. - However, a DRTM bootloader that works with TXT was thwarted by the Fedora requirement not to carry or reference the 3rd party BLOB that is the sinit AC module. - During talks last year that included the System x organization, we were able to get System x to agree to put the ACM into flash much as is done for the BIOS. - That allowed us to make a statement, and for tboot to be contributed to Fedora. - Eric stated that he's having trouble getting tboot to come up on the boards he has tried. - Given we can get past the tboot issues, there will finally be a complete Trusted Computing stack that supports trusted boot on Intel TXT capable machines. - The support can be exploited by IMA in the kernel, and tpm-tools and the PKCS#11 TPM token in userspace. - Now it is time to turn our attention towards other issues: IMA appraisal, EVM, PTS, an attestation management server, and a CA. - It is possible that a PTS implementation will be open sourced by IBM Research in the near future. - That could be integrated with the TNC package to created an attested TNC in the TCG sense using freeRADIUS and wpa_supplicant. - Those pieces would provide a complete bare metal or KVM host ecosystem for the first time. - The other place that requires attention is the virtual space. - IBM Research open sourced it's gold standard software TPM, and Ken has ported it to freebl, the lower lower of NSS. - Ken is still seeing an issue and will contact Bob Relyea to help resolve, likely in a conference call. - There will need to be a new version of NSS with cleanups Ken requires. - It appears to be working fairly well and largely surviving torture tests. - Stefan has turned it into libtpms and libtpms-devel packages, which have undergone review. - The software TPM library work is preparatory to submitting patches to the Qemu community so that community members can "yum install libtpms libtpms-devel" and proceed with building the patches. - The patches are a large chunk of code somewhat akin to SPICE in terms of size and complexity. - However, they ware working for Stefan. - It is expected to take some time for them to undergo review but the approach appears viable. - We still need a way to do measured launches of guests. - The hope is to use the same tboot GRUB module for guests as we use for the host by emulating TXT instructions in Qemu. - A measured launch would complete the guest ecosystem. - Another piece of the puzzle to consider is EVM. - IMA appraisal makes little sense without EVM. - Eric will take a look at Mimi's patches. Component Status Summary: Substantially Complete: - tpm_tis - TrouSerS - tpm-tools - PKCS #11 TPM token May Need Work: - tboot in the bare metal or host case Potentially Open Sourced Soon: - OpenPTS from IBM Research Work in Progress: - IBM's Software TPM port to freebl - Transformation of IBM's Software TPM into a vTPM library and devel package - Qemu integration of the vTPM Work Not Yet Planned: - Qemu emulation of TXT - Virtual sinit AC module - Any virtual BIOS work required to support TXT - Other features upon which TXT emulation may be dependent - Attestation management - vTPM enrollment Regards, George Wilson IBM Linux Technology Center Security Architect & Team Lead 512-286-9271

4 11

CRADA CREATION
by Tambascia, Alexander R Civ USAF AFMC ESC/XR 22 Mar '11

22 Mar '11

Greetings All: Joel Rodriquez is currently working on establishing the CRADA in order for us to use the CEIF here at Hanscom for the development Of the Secure Virtual Desktop. Currently we have the Army and Marines who are also interested in participating in the CRADA with RedHat and the Air Force. R/ Alexander R. Tambascia, Prof CS MSCS, MCSE, MCSA, CEH, SECURITY+,DCSE, JNCIS,IASO Cyber Engineer - AFMC/ESC/XR/XRX UNSECURE: 781-377-6544 (AF-NIPER)alexander.r.tambascia(a)hanscom.af.mil "Nothing in this world can be obtained without something of equal value being lost; this is the first law of ' Equivalent Exchange' the world's one and only truth" - Roger Bacon

1 0

Trust Anchors workshop
by Stephen Smalley 21 Mar '11

21 Mar '11

Thought some of the people on this list might be interested in an upcoming workshop on April 27th that will examine the use of the TPM among other technologies as a basis for establishing trust in computing platforms. The "Trust Anchors are Invulnerable" workshop is described at: http://cybersecurity.nitrd.gov/ People who are interested should apply by email with a CV and short position paper to assumptionbusters(a)nitrd.gov as explained in the Federal Register notice referenced at the above web site. The deadline has been extended to March 23rd. -- Stephen Smalley National Security Agency

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Trusted-computing