Dne 15.1.2017 v 3:38 Simon J. Gerraty napsal(a): > Johannes Lundberg <johal...@gmail.com> wrote: >> https://wiki.freebsd.org/SecureBoot >> > Interested in this too - though for proprietary systems where we have > control over BIOS. The design should hopefully accommodate both. > > In particular any plan for how the loader would verify kernel and any > pre-loaded modules, and kernel verify init. > Hopefully allowing for regular update of sining keys. > To work correctly, there are requirements to use TPM 1.2, hard disk drive support Opal 2.1 standard and the Intel TXT. Shim is only part of secure boot, because can be easily defeated without the rest.
https://www.kernel.org/doc/Documentation/intel_txt.txt https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf http://www.intel.com/technology/security/downloads/arch-overview.pdf
Description: OpenPGP digital signature