Trusted Boot in Fedora

Jon Ciesla limb at jcomserv.net
Thu Jun 23 17:30:58 UTC 2011


> Miloslav Trmač <mitr <at> volny.cz> writes:
>
>>
>> On Thu, Jun 23, 2011 at 4:21 PM, JB <jb.1234abcd <at> gmail.com> wrote:
>> ...
>> > Will the TPM allow a third party remote access to the machine ?
>> Absolutely not.
>
> You are wrong here.
>
> http://en.wikipedia.org/wiki/Trusted_Platform_Module
> "...
> Overview
> ... It also includes capabilities such as remote attestation ..."
>
> Also:
> http://lists.fedoraproject.org/pipermail/users/2011-June/400545.html

So how do we ensure that software is not leveraging this by default and is
user-auditable?

>> ...
>> > By the virtue of beeing associated with the "root of trust" ?
>> "Root of trust" in TPM lingo is something different - it's "we know
>> that the kernel and related software we run has not been tampered
>> with".  The root of trust is established by the tboot blob, which
>> should verify the state of all relevant hardware.
>
> There is more to that.
> With regard to "root of trust" origin, meaning, applications:
>
> 1. OS privilege isolation
>
> http://communities.intel.com/community/openportit/vproexpert/blog/2011/01/25/trusted-execution-technology-aka-txt-what-is-it?wapkw=%28trusted+boot%29
>    "...
>    Who remembers the ring hierarchy introduced on the 286 that allowed
>    creating an operating system with privilege isolation?
>    ...
>    Trusted Execution Technology (TXT) comes as a reinforcement to deal
> with
>    threats that act on the same level of the kernel operating system or
> even
>    more privileged levels -- like hypervisor’s malware, where the
> malicious
>    code can take advantage of the CPU virtualization instructions to
> emulate
>    hardware instructions and completely control the operating system.
>    ..."
>
> 2. platform integrity (hardware plus software)
>    http://en.wikipedia.org/wiki/Trusted_Platform_Module
>    "...
>    Platform Integrity
>    ... In this context "integrity" means "behave as intended" and
>    a "platform" is generically any computer platform - not limited to PCs
> or
>    just Windows ...
>    ...
>    Together with the BIOS, the TPM forms a Root of Trust: ...
>    ..."
>
> 3. DRM; Software Licensing.
>    http://en.wikipedia.org/wiki/Trusted_Platform_Module
>    "...
>    Other uses and concerns
>    Almost any encryption-enabled application can in theory make use of a
> TPM,
>    including:
>     Digital rights management
>     Software license protection & enforcement
>    ..."
>
>> ...
>
> JB
>
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>


-- 
in your fear, seek only peace
in your fear, seek only love

-d. bowie



More information about the devel mailing list