Trusted Boot in Fedora

JB jb.1234abcd at
Sun Jun 26 01:21:25 UTC 2011

Chris Adams <cmadams <at>> writes:

> ... 
> I think there is some misunderstanding about what the discussion is
> supposed to be about.  The supporting open source code is already in
> Fedora.  The feature request is simply to modify grubby/anaconda to set
> up the boot entries to include the support by default (or when the
> hardware is found).


I think Fedora should be careful here - it is a minefield.
It is treacherous, as already expressed by other and competent people. Respect
them, there was a reason they said that.
I personally think that free and open-source product should stay away from
TPM entirely.

One one hand - it is about trusted boot:

This can already be achieved partially now, with open-source tools (GPG, etc),
and can be enhanced with e.g. a combination of hardware/software solution that
would be *non-hardwired*, *portable*, *open-source* and *"free"*, and up to
machine owner and user to utilize.
Signed where appropriate with *your* GPG key.
Think of what the trend and the state-of-art-and-mind are in regard to this;
Iwao's post is very helpful here.
This could be achieved now or soon without deep fundamental considerations,
by the open-source community itself.

On the other hand - it is about OS isolation (OS rings):

Ring (computer security)

This is a separate issue, in my mind.
In this sense, TPM is about "ring -1", and in the future "ring -2", etc :-)
This is about virtualization, and more.
It goes much deeper into OS design and architecture, hardware and software.
It should be addressed fundamentally by competent people, companies and
Leave it to them, but watch and participate.

Btw, TPM, or TXT exactly, can be hacked too (that has been done already).


More information about the devel mailing list