Trusted Boot in Fedora

Michael Ekstrand michael at elehack.net
Fri Jun 24 14:16:05 UTC 2011


On 06/24/2011 03:24 AM, Gregory Maxwell wrote:
> On Fri, Jun 24, 2011 at 4:07 AM, Rahul Sundaram <metherid at gmail.com> wrote:
>> If you have *specific* concerns, let's hear those.  You seem to just be
>> quoting parts of a public wiki page anyone can read.  I don't see the
>> point of that
> 
> If trusted boot in fedora is widely deployed, then $random_things may
> demand I use a particular fedora kernel in order to access them.  Both
> handicapping my personal freedom to tinker with my own computer by
> imposing new costs on it, and hampering the Fedora project by creating
> additional friction against upgrades.
> ("Sorry, I can't upgrade to the new kernel to test that, because then
> I won't be able to watch netflicks!")

Would it be possible or practical to ship tboot in Fedora with the
user-serving protections enabled - verifying the kernel/initrd for
secure disk encryption, for instance - but disabling remote attestation
and similar features in the default configuration?

If there's a way that I can harness the TPM to ensure the integrity of
my boot path - and it is sufficiently transparent that I am confident of
what it is doing, and can build and sign my own kernels if desired - I
would be interested in that.  However, I appreciate (and largely agree
with) Gregory's concerns about being an enabler for a broader restricted
computing ecosystem.

- Michael


