User: Password:
|
|
Subscribe / Log in / New account

Re: Trusted Boot in Fedora

From:  Miloslav Trma√® <mitr-AT-volny.cz>
To:  Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>
Subject:  Re: Trusted Boot in Fedora
Date:  Fri, 24 Jun 2011 21:49:50 +0200
Message-ID:  <BANLkTintO8oagExXGt3Jr1ZAB9dYKjA+SA@mail.gmail.com>
Archive-link:  Article

On Fri, Jun 24, 2011 at 12:49 PM, Andrew Haley <aph@redhat.com> wrote:
> What I don't understand is why this feature requires a binary blob.
> Surely whatever northbridge code is required can be free software,
> Is this just security through obscurity?

The purpose of the blob is to "measure" the system state; only the
blob (and hardware reset) is allowed to restart the "measuring"
process in the TPM.  For this to work securely, the blob must be
signed by someone that the TPM itself trusts - otherwise an attacker
could replace the blob by something that lies about the system state.

So, from a standpoint of hacking, it doesn't matter - users won't have
the practical freedom to modify the blob anyway because they can't
sign it.

>From a standpoint of learning/sharing/review - I agree having the
source code would be very useful.
   Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel



(Log in to post comments)


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds