Trusted Boot in Fedora

seth vidal skvidal at
Wed Jun 22 19:20:11 UTC 2011

On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote:
> is a proposed 
> feature for F16. We've traditionally had a hard objection to the 
> functionality because it required either the distribution or downloading 
> of binary code that ran on the host CPU, but it seems that there'll 
> shortly be systems that incorporate the appropriate sinit blob in their 
> BIOS, which is a boundary we've traditionally been fine with.
> However, this is the kind of feature that has a pretty significant 
> impact on the distribution as a whole. Fesco decided that we should 
> probably have a broader discussion about the topic. The most obvious 
> issues are finding a sensible way to incorporate this into Anaconda, but 
> it's also then necessary to make sure that bootloader configuration is 
> updated appropriately.
> Outside that, is there any other impact? Does tboot perform any 
> verification of the kernels, and if so how is that configured? Is the 
> expectation that an install configured with TXT will only boot trusted 
> kernels, and if so what mechanism is used to verify the kernel? Is there 
> any further integration work that has to be performed for this to be 
> useful?

Are we going to continue the double grub entries? while I realize that
tboot SHOULD allow non TXT hw to boot properly I also realize that any
differences will be pointed to as a point of contention when debugging
semirelated problems. so it seems like the double entries are wise.

Additionally, is the grub modifyication implemented in grubby and does
this behave properly on a yum update of the kernel?


More information about the devel mailing list