Date:      Sun, 15 Jan 2017 08:16:43 +0100
From:      Jan Dušátko <jan@dusatko.org>
To:        "Simon J. Gerraty" <sjg@juniper.net>, Johannes Lundberg <johalun0@gmail.com>
Cc:        freebsd-current@freebsd.org, Ed Maste <emaste@freebsd.org>
Subject:   Re: Secure Boot
Message-ID:  <b866400c-da73-49ea-c161-13f0d8a12f7f@dusatko.org>
In-Reply-To: <26163.1484447917@kaos.jnpr.net>
References:  <CAECmPwubVy6z2qDjGAumRL2Pqe3QRa49PW_ppFdemN=fBqAfHw@mail.gmail.com> <26163.1484447917@kaos.jnpr.net>

On 15.1.2017 at 3:38, Simon J. Gerraty wrote:
> Johannes Lundberg <johalun0@gmail.com> wrote:
>> https://wiki.freebsd.org/SecureBoot
>>
> Interested in this too - though for proprietary systems where we have
> control over BIOS.  The design should hopefully accommodate both.
>
> In particular any plan for how the loader would verify kernel and any
> pre-loaded modules, and kernel verify init.
> Hopefully allowing for regular update of signing keys.
>
To work correctly, there are requirements to use TPM 1.2, a hard disk
drive supporting the Opal 2.1 standard, and Intel TXT. Shim is only part of
secure boot, because it can be easily defeated without the rest.

https://www.kernel.org/doc/Documentation/intel_txt.txt
https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server
http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf
http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf
http://www.intel.com/technology/security/downloads/arch-overview.pdf
