Measurements during boot

Measurements during boot

[Nicholas Psomas]

[-- Attachment #1: Type: text/plain, Size: 1779 bytes --]

Hi,

I'm currently looking to add support to grub2 to provide code/data
measurement to the TPM on supported PC's (if you want more information on
this topic, google search "root of trust for reporting", otherwise I'm
happy to explain in a further post or email).  I've begun writing some
interfaces to the hardware (TPM), but was wondering what the best way of
structuring this entire operation might be.  To make my current goal clear,
I'm only beginning with the multiboot module as a starting point (but it
would be preferable if it was generic enough to be widely useable in any
loader modules), and I'm currently aiming for the boot loader to be used in
a PXE environment, so am not concerned in measuring separate stages (my
understanding for PXE at the moment is that everything is compiled together
into a single image which is downloaded and measured from a server by a PXE
boot rom, I don't intend to download separate grub modules afterwards).

No matter how I look at it, I feel that the only possible solution will be
one which edits the loader code to insert a call which measures the kernel
and module (initrd, not grub modules) code, just before boot.  Is it
worthwhile however hooking it in such a way that a user could create a line
such as:

measure multiboot /path/to/kernel kernel-cmd-line-args
measure module /path/to/module

or:

measure
multiboot /path/to/kernel kernel-cmd-line-args
module /path/to/module

as opposed to the usual configuration which is just:

multiboot /path/to/kernel kernel-cmd-line-args
module /path/to/module

in their grub.cfg.  Otherwise I could just hard code the measurement
process into the multiboot loader process, possibly making it optional at
compile time with a #define?

Thanks in advance for your time and input.

Nick

[-- Attachment #2: Type: text/html, Size: 2108 bytes --]

Measurements during boot

[Nicholas Psomas]

[-- Attachment #1: Type: text/plain, Size: 1779 bytes --]

Hi,

I'm currently looking to add support to grub2 to provide code/data
measurement to the TPM on supported PC's (if you want more information on
this topic, google search "root of trust for reporting", otherwise I'm
happy to explain in a further post or email).  I've begun writing some
interfaces to the hardware (TPM), but was wondering what the best way of
structuring this entire operation might be.  To make my current goal clear,
I'm only beginning with the multiboot module as a starting point (but it
would be preferable if it was generic enough to be widely useable in any
loader modules), and I'm currently aiming for the boot loader to be used in
a PXE environment, so am not concerned in measuring separate stages (my
understanding for PXE at the moment is that everything is compiled together
into a single image which is downloaded and measured from a server by a PXE
boot rom, I don't intend to download separate grub modules afterwards).

No matter how I look at it, I feel that the only possible solution will be
one which edits the loader code to insert a call which measures the kernel
and module (initrd, not grub modules) code, just before boot.  Is it
worthwhile however hooking it in such a way that a user could create a line
such as:

measure multiboot /path/to/kernel kernel-cmd-line-args
measure module /path/to/module

or:

measure
multiboot /path/to/kernel kernel-cmd-line-args
module /path/to/module

as opposed to the usual configuration which is just:

multiboot /path/to/kernel kernel-cmd-line-args
module /path/to/module

in their grub.cfg.  Otherwise I could just hard code the measurement
process into the multiboot loader process, possibly making it optional at
compile time with a #define?

Thanks in advance for your time and input.

Nick

[-- Attachment #2: Type: text/html, Size: 4789 bytes --]

Re: Measurements during boot

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 295 bytes --]

> I've begun writing

> some interfaces to the hardware (TPM),

TPM is an instrument of denying freedom. For more details read
http://www.gnu.org/philosophy/can-you-trust.html. As we're GNU projext
this policy is out of discussion.
-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 294 bytes --]

Re: Measurements during boot

[Nicholas Psomas]

[-- Attachment #1: Type: text/plain, Size: 794 bytes --]

I really didn't want to debate the purposes and ethics of the hardware
(it's bound to devolve to bickering), just some advice on how I could
better understand the grub source so I could use and develop with it.


On Sat, Jul 7, 2012 at 7:05 PM, Vladimir 'φ-coder/phcoder' Serbinenko <
phcoder@gmail.com> wrote:

> > I've begun writing
>
> > some interfaces to the hardware (TPM),
>
> TPM is an instrument of denying freedom. For more details read
> http://www.gnu.org/philosophy/can-you-trust.html. As we're GNU projext
> this policy is out of discussion.
> --
> Regards
> Vladimir 'φ-coder/phcoder' Serbinenko
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>
>

[-- Attachment #2: Type: text/html, Size: 1402 bytes --]