Trusted Boot in Fedora
jb.1234abcd at gmail.com
Thu Jun 23 17:30:39 UTC 2011
Miloslav Trmač <mitr <at> volny.cz> writes:
> On Thu, Jun 23, 2011 at 4:21 PM, JB <jb.1234abcd <at> gmail.com> wrote:
> > Will the TPM allow a third party remote access to the machine ?
> Absolutely not.
You are wrong here.
... It also includes capabilities such as remote attestation ..."
> > By the virtue of being associated with the "root of trust" ?
> "Root of trust" in TPM lingo is something different - it's "we know
> that the kernel and related software we run has not been tampered
> with". The root of trust is established by the tboot blob, which
> should verify the state of all relevant hardware.
There is more to that.
With regard to "root of trust" origin, meaning, applications:
1. OS privilege isolation
Who remembers the ring hierarchy introduced on the 286 that allowed
creating an operating system with privilege isolation?
Trusted Execution Technology (TXT) comes as a reinforcement to deal with
threats that act on the same level of the kernel operating system or even
more privileged levels -- like hypervisor’s malware, where the malicious
code can take advantage of the CPU virtualization instructions to emulate
hardware instructions and completely control the operating system.
2. platform integrity (hardware plus software)
... In this context "integrity" means "behave as intended" and
a "platform" is generically any computer platform - not limited to PCs or
just Windows ...
Together with the BIOS, the TPM forms a Root of Trust: ...
3. DRM; Software Licensing.
Other uses and concerns
Almost any encryption-enabled application can in theory make use of a TPM,
Digital rights management
Software license protection & enforcement
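The measured-boot and remote-attestation mechanism this message refers to, modelled in Python as an added illustration that is not part of this thread. The component names, the HMAC standing in for the TPM's attestation-key signature, and the shared secret are constructed assumptions; a real verifier holds only the attestation public key.

```python
# Added example (not from the thread): a minimal model of TPM 1.2 measured boot
# and remote attestation. A real TPM signs quotes with an attestation identity
# key; here an HMAC over a constructed secret stands in for that signature.
import hashlib
import hmac

PCR_LEN = 20  # SHA-1 sized PCR, as in TPM 1.2

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA1(old PCR || SHA1(measured component))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measured_boot(components: list) -> bytes:
    """Each stage measures the next one into the PCR before handing control
    over. A PCR can only be extended, never set, so the final value commits
    to the whole chain and to its order (swapping two stages changes it)."""
    pcr = bytes(PCR_LEN)
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr

ATTESTATION_KEY = b"constructed-aik-secret"  # placeholder for the TPM's AIK

def quote(pcr: bytes, nonce: bytes) -> bytes:
    """TPM_Quote: sign (PCR value, verifier's nonce). The nonce stops replay
    of an old quote taken while the machine was still in a good state."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()

def verify_attestation(pcr: bytes, nonce: bytes, sig: bytes, golden: list) -> bool:
    """Remote verifier: check the signature against its own nonce, then compare
    the reported PCR with the value expected from known-good component hashes."""
    expected_sig = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False
    return hmac.compare_digest(pcr, measured_boot(golden))

# Constructed "golden" boot chain: BIOS measures tboot, tboot measures the kernel...
GOOD_CHAIN = [b"bios-v1", b"tboot-blob", b"vmlinuz-2.6.38", b"initramfs"]

def demo(boot_chain: list, nonce: bytes) -> bool:
    """Boot with the given chain, answer a verifier challenge, return the verdict."""
    pcr = measured_boot(boot_chain)
    return verify_attestation(pcr, nonce, quote(pcr, nonce), GOOD_CHAIN)
```

A tampered kernel stage, a reordered chain, or a quote replayed under a fresh nonce all fail verification, which is what the attestation described above lets a remote party detect.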