Trusted Boot in Fedora

Tom Callaway tcallawa at redhat.com
Wed Jun 29 14:10:12 UTC 2011


On 06/27/2011 11:27 AM, Miloslav Trmač wrote:
> It doesn't, really.  My understanding is that it takes a hash of the
> contents of memory (and perhaps other state, I don't know) and submits
> this "measurement" to the TPM.  The sinit blob doesn't contain any
> policy or configuration: it is only a mechanism for reducing the
> complete "system state" into a hash value.

One of my biggest concerns here is that we don't know what the
proprietary sinit blob is doing, nor do I think that it is likely that
Intel will show us.

It seems to me that the situation is this:

Intel has convinced some hardware vendors (IBM and Dell, possibly
others) to embed the sinit blob in their BIOSes on very new systems.
Intel wants Fedora to automatically check for:

A) The system's capability to leverage found TPM hardware
B) The presence of the sinit blob in the system BIOS

If A and B are true, then Fedora adds an additional grub configuration
for a "trusted-kernel" scenario. As uncomfortable as I am with us
enabling process around undocumented BIOS magic, there is some precedent
within the Linux kernel for that sort of thing.

It also sounded like Intel wanted hooks in there so if A is true, but B
is not, Fedora would prompt the user to download the sinit blob
(arguably, B will be false on the majority of Fedora systems for at
least the next few years). I am extremely opposed to this, for
presumably obvious reasons.

~tom

==
Fedora Project

