enable CONFIG_INTEL_TXT

Eric Paris eparis at redhat.com
Thu Apr 1 01:45:35 UTC 2010


On Thu, 2010-04-01 at 09:15 +1100, James Morris wrote:
> On Wed, 31 Mar 2010, Eric Paris wrote:
> 
> > On Thu, 2010-04-01 at 08:51 +1100, James Morris wrote:
> > > On Wed, 31 Mar 2010, Eric Paris wrote:
> > > 
> > > > This config option allows a user to download new (open source) software
> > > > (tboot) along with other third party software to verify the correctness
> > > > of the BOOTED system.
> > > 
> > > My feeling is that this needs to be dealt with upstream, and that the open 
> > > source tboot needs to be delivered first.
> > 
> > Done and done.   We are turning on an upstream config option.....
> 
> Interesting -- looks like this went in without any signoffs from security 
> folk.  The last I recall upstream was objecting to the binary blob aspect.
> 
> > > I'd love to see support for TXT -- I think we can do some very important 
> > > things with it, but I don't think it's workable as open source if it 
> > > depends on closed proprietary code.
> > 
> > What is this code you speak of?
> 
> You mention 
> 
> "They agreed to make any changes necessary to their BIOS (UEFI) to support 
> this technology without the need for the separate closed source 
> proprietary Intel signed blob"
> 
> Does TXT still depend on this proprietary blob?

If you choose to purchase certain hardware, such as the IBM system X
referenced in the discussion, there is no need for any proprietary blobs
as the system takes care of supplying everything that is needed for it
to function.  Some older laptops and desktop chipsets might be able to
be made to work with a closed source binary blob signed by Intel.  So
no, TXT does not still depend on a separate proprietary blob you need to
go and download.  But the use of such a blob is not precluded if you as
a user make that choice to enable functionality of your existing system.

-Eric


