Trusted Boot in Fedora

Eric Paris eparis at redhat.com
Thu Jun 23 02:05:47 UTC 2011 

On 06/22/2011 03:20 PM, seth vidal wrote:
> On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote:

> Are we going to continue the double grub entries? while I realize that
> tboot SHOULD allow non TXT hw to boot properly I also realize that any
> differences will be pointed to as a point of contention when debugging
> semirelated problems. so it seems like the double entries are wise.
> 
> Additionally, is the grub modifyication implemented in grubby and does
> this behave properly on a yum update of the kernel?

I'd say how to handle the grub entries is basically the entire point of
the feature request.  I was surprised to learn the other day that they
filed a request at all since this was really just about making a change
to grubby.  I don't know how they plan to handle it.

Systems which don't support TXT are easy.  They will work fine.  The CPU
won't say it supports TXT and tboot will just move along.

The real problem is systems which claim to support TXT, but then don't.
 tboot is actually really smart and will record that it tried a TXT
enabled boot and if it fails will not use the TXT instructions the next
time (this happens on things like the Lenovo x201).  On other platforms,
like the Lenovo x210 TXT does something when setting the iommu's in a
safe state which causes the video card to go haywire when it tries to
get set up.  Now tboot can't tell this, since TXT completed and the
kernel did actually launch successfully, but I'd imagine half ass broken
hardware won't be common for too long.  Intel had a kernel patch they
thought would fix the problem, but I lost access to the system in
question before I could test it (and I don't know if it was sent upstream)

Systems which ACTUALLY support TXT are easy.  They just work and you
don't even know your kernel was measured and and the iommus programmed
to be safe before it launched.

So yeah, installing tboot if it automatically enables itself can be a
problem on some broken hardware.  I would certainly recommend against
making tboot a part of the default install.  But if a user installs it,
it should 'just work', without manually updating grub on ever kernel update.

-Eric

More information about the devel mailing list