Am Donnerstag, den 05.10.2006, 16:25 -0500 schrieb Travis H.: > On 10/2/06, Erik Tews <[EMAIL PROTECTED]> wrote: > > Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.: > > > Anyone have any information on how to develop TPM software? > > http://tpm4java.datenzone.de/ > > Using this lib, you need less than 10 lines of java-code for doing some > > simple tpm operations. > > Interesting, but not what I meant. I want to program the chip to verify > that the BIOS, boot sector, root partition conform to *my* specification. > > I don't want binary-only hardware-enforced vendor lock-in, that went > out of fashion > with the mainframe and proprietary data[base] formats.
You can do that (at least in theory). First, you need a system with tpm. I assume you are running linux. Then you boot your linux-kernel and an initrd using the trusted grub bootloader. Your bios will report the checksum of trusted grub to the tpm before giving control to your grub bootloader. Your grub bootloader will then report the checksum of your kernel and your initrd to the tpm before giving control to them. After your kernel has bootet and given control to your initrd, you can checksum your root-partition (or do something similar, like just checking if there are setuid binarys or checksum just your shadow-file) and report that to the tpm using a little java-application and tpm4java. Later, you can remotely query your system and get a report what has been bootet on your system. You can do this query using a java application and tpm4java. All applications like linux, grub, tpm4java are open source (you will need a java-vm, there are some open source vms, you should be able to use with tpm4java). The only thing which is not open source is the bios and the exact hardware design of your tpm chip in your pc. One thing you should know is, that a tpm can never find out, if a software meets some specifications, like does not have an buffer overflow or does not execute code from the network or so. You just can check is has not been altered.
Description: Dies ist ein digital signierter Nachrichtenteil