From: Jan Alsenz
Date: Sun, 22 Feb 2009 19:31:33 +0100
To: The development of GRUB 2
Subject: Re: GRUB trusted boot framework
Message-ID: <49A19A05.6030606@student.ethz.ch>
In-Reply-To: <49A1782B.3010000@nic.fi>
References: <49A152BD.6010907@student.ethz.ch> <49A1782B.3010000@nic.fi>

Vesa Jääskeläinen wrote:
> Hi All,
>
> Ok. Please keep the fighting of TPM out of this thread ;). Let's keep it
> to the topic first... (I am already waiting for summary of that other
> discussion at some point ;))
>
> Jan Alsenz wrote:
>> Next I think we can agree, that some sort of trusted boot chain can be useful.
>>
>> Also there should be more than one implementation for this (or at least the
>> possibility to have them).
>
> I like the idea of modularity in here. However. It should work with
> different schemes but same generic interfaces if that is what is planned.

That was what I had in mind.

>> If we could agree on this, then I think we could find a way to extend the GRUB
>> module system to fully allow this.
>>
>> From my point of view the minimal needed features for these systems are:
>> - easy exchange of the MBR binary to be installed
>> - easy exchange of the core.img loader binary
>> - hooks for any disk read (not sure if write is necessary)
>
> Note: I will skip MBR+core.img validation for a reason here now.
>
> I do like the idea what some protected systems use, they sign the binary
> (in our case .mod file and kernels of loaded OSes). Now in that scenario
> it is responsibility of the kernel module loader to first verify the
> signature for correctness. This way the signature checking would be
> somewhat transparent to the rest of the system.
>
> I do not see a need to add any hooks to disk read. It should be
> responsibility of the code needing signature checking to handle that.

Well, since the trusted operation should be transparent (and in my opinion should
not need code changes in something like the loaders - so if someone writes a new
loader, it should work by default), that's where the hooks come in.
Maybe the "disk read" was misleading, what I meant were "file reads".

Greets,

Jan