Trusted Boot in Fedora

Camilo Mesias camilo at mesias.co.uk
Sat Jun 25 08:13:16 UTC 2011


Hi,

On Fri, Jun 24, 2011 at 5:09 PM, Simo Sorce <simo at redhat.com> wrote:
> On Fri, 2011-06-24 at 22:21 +0200, nodata wrote:
>> 2. This seems like Trusted Computing, which got shot down in flames.
>
> Who shot it and why ?

I don't know about Trusted Computing but this does remind me of the
Pentium III processor serial number that wasn't well received - even
though in theory it had what many people would consider a reasonable
purpose. In other words, tracking down CPUs that were sometimes stolen
by the truckload.

>> Does TrustedBoot go against the core values of Fedora?
>
> Only if it is not under user control, otherwise it is a very useful
> feature.

In a sense, part of it isn't under user control. There is a secret in
there, held against the user, and possibly known by the manufacturer
or other third parties. There is also a black box of code that could
do anything. I'm not really that paranoid but it is worth considering
the worst case, just as a theoretical possibility. What if the device
became standard by virtue of being bundled with every consumer
device... what if it became crucial to system operation somehow...
what if that device could then be disabled remotely, either rendered
useless by the secret being disclosed, or some unknown functionality
could be triggered in that signed but opaque blob of code.

Already there are systems that have whitelisted hardware (e.g. wireless
cards in netbooks) and the BIOS polices the presence of the right
device. If you make unauthorised modifications to the BIOS, you can
install any compatible wireless card (or WWAN device). BUT if the BIOS
was signed and loaded by a trusted method, this option would not be
available.

Apart from that there is the aspect of identification - this is as
good a way of identifying a system as the processor serial number was.

I think it is worth including in open source systems, but only so the
devices and methods can be better understood, and probably turned off
/ disabled at the earliest opportunity if there isn't a compelling
benefit to having them.

-Cam

