Hi Ken,
I meant the CRTM portion of the BIOS. In my case, the BIOS is a UEFI BIOS. So that probably
means SEC+PEI.
---
David Li
From: trusted-computing-bounces(a)lists.fedorahosted.org
[mailto:trusted-computing-bounces@lists.fedorahosted.org] On Behalf Of Kenneth Goldman
Sent: Wednesday, August 24, 2011 5:43 AM
To: trusted-computing(a)lists.fedorahosted.org
Subject: [Trusted-computing] Question on Trusted Boot
You have to be precise about whether "BIOS" means the CRTM or the rest
of the BIOS after the CRTM.
As you say, the CRTM has to be trusted. It's the 'core root of trust'.
You have to trust that the OEM implemented it correctly, and also that
the OEM protected it against software attacks.
If the rest of the BIOS can't be trusted, you can still do an attestation.
The remote party checks the PCRs, and it decides whether the rest of the
BIOS can be trusted.
trusted-computing-bounces@lists.fedorahosted.org wrote on 08/23/2011 08:01:05 AM:
----- Message from "Li, David" <LiD@cloudshield.com> on Mon, 22 Aug
I am new to TCG. My understanding is that in SRTM BIOS itself is
assumed to be trustable. It’s not measured on a PC client during the
boot since it’s the first one being loaded and executed. But it
forms the basis of chain of trustable measurements. Is this correct?
What if my BIOS can’t be trusted? Can I still do remote attestation
of the PC client booted this way?
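
Added example, not part of the original thread: a sketch of the verifier-side check Ken describes, where the remote party replays the measurement log against the reported PCR and then decides whether the post-CRTM BIOS is acceptable. It assumes TPM 1.2 SHA-1 PCRs and that the quoted PCR value has already been authenticated through the TPM quote signature; the component names, images and known-good list are constructed.

```python
import hashlib

PCR_INIT = bytes(20)  # a TPM 1.2 SRTM PCR starts as 20 zero bytes at platform reset

def measure(blob: bytes) -> bytes:
    """SHA-1 digest of a component, taken before that component runs."""
    return hashlib.sha1(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay(event_log):
    """Recompute the PCR value from the ordered digests in an event log."""
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def boot(images):
    """Platform side: each stage measures the next and extends the PCR.
    The CRTM itself is not in the log; it is the part that must be trusted."""
    log = [(name, measure(blob)) for name, blob in images.items()]
    return log, replay(log)

def appraise(event_log, quoted_pcr, known_good):
    """Verifier side. Returns (trusted, reasons).
    quoted_pcr is assumed to come from an already verified TPM quote."""
    if replay(event_log) != quoted_pcr:
        return False, ["event log does not match quoted PCR"]
    bad = [n for n, d in event_log if known_good.get(n) != d]
    return (not bad), [f"unrecognised measurement: {n}" for n in bad]

# Constructed sample data (hypothetical component names and contents).
GOOD_IMAGES = {
    "post-CRTM BIOS": b"vendor BIOS build A (constructed)",
    "boot loader": b"boot loader build 1 (constructed)",
}
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD_IMAGES.items()}
MODIFIED_IMAGES = dict(GOOD_IMAGES, **{"post-CRTM BIOS": b"modified BIOS (constructed)"})

if __name__ == "__main__":
    for label, images in (("good", GOOD_IMAGES), ("modified", MODIFIED_IMAGES)):
        log, pcr = boot(images)
        print(label, appraise(log, pcr, KNOWN_GOOD))
```

A modified post-CRTM BIOS cannot hide from this check as long as the CRTM measured it honestly: either its digest appears in the log and is rejected, or the log is rewritten and no longer replays to the quoted PCR.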