On Sun, Feb 22, 2009 at 03:14:07AM +0200, Alex Besogonov wrote:
> Jan Alsenz wrote:
>>>> Yeah, but an attacker could patch that out too.
>>> Not if we first measure the MBR. It can be done without any
>>> TPM-specific code in the MBR if I'm not very mistaken.
>> Could you elaborate on that?
>> E.g. where do you measure the MBR from?
> MBR is automatically measured by the TPM module; it requires no
> intervention from GRUB.
Well, that is true, but for GRUB to measure all of its own stages it gets quite complicated. Overall, from a technical POV it looks like a lousy approach.

It makes a lot more sense to simply have the firmware load GRUB as an executable image and measure that, IMO. You can do that easily when you're in a legacy-free environment.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel
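The point the two replies above circle around is the chain of trust: the firmware's core root of trust measures the MBR before jumping to it, but everything GRUB loads after that is only recorded in the TPM if the GRUB stage doing the loading measures it first, so one forgotten measurement leaves a stage an attacker can patch without disturbing any PCR. The Python below is an added illustration and is not code from this thread or from GRUB; it simulates the TPM extend operation with SHA-1 sized PCRs (TPM 1.2 semantics, an assumption) over a constructed boot chain, and contrasts the stage-by-stage chain with the "firmware measures the whole boot loader as one image" alternative Robert proposes. The stage names and image bytes are placeholders, not real GRUB binaries.

```python
import hashlib

# Assumption: TPM 1.2 style PCRs, SHA-1 sized (20 bytes), zero at reset.
PCR_SIZE = 20


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new_pcr = SHA1(old_pcr || SHA1(measurement)).

    A PCR can only be extended, never written, so its final value commits to
    every measurement made and to the order in which they were made."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def boot_chain_pcr(stages, measured):
    """Simulate a staged boot where each stage measures the next before jumping to it.

    stages:   ordered list of (name, image_bytes); stages[0] is the MBR.
    measured: set of stage names whose loader actually measures them.
    The MBR is always measured because the firmware does that itself; each
    later stage is measured only if the code that loads it was written to.
    Returns the final PCR value."""
    pcr = bytes(PCR_SIZE)
    for index, (name, image) in enumerate(stages):
        if index == 0 or name in measured:
            pcr = pcr_extend(pcr, image)
    return pcr


def single_image_pcr(stages):
    """The alternative from the reply: the firmware loads the whole boot loader
    (everything before the kernel) as one executable image and measures it
    once; the boot loader then only has to measure the kernel it loads."""
    *loader_stages, (_, kernel) = stages
    loader = b"".join(image for _, image in loader_stages)
    pcr = pcr_extend(bytes(PCR_SIZE), loader)
    return pcr_extend(pcr, kernel)


def tamper(stages, target, patch=b"\x90" * 8):
    """Return a copy of the boot chain with one stage's image modified."""
    return [(name, patch + image if name == target else image)
            for name, image in stages]


# Constructed sample boot chain: placeholder bytes, not real GRUB images.
STAGES = [
    ("mbr", b"boot.img: jump to core.img"),
    ("core.img", b"core.img: load normal.mod"),
    ("normal.mod", b"normal.mod: parse grub.cfg, load kernel"),
    ("kernel", b"vmlinuz: operating system"),
]
ALL_STAGES = {name for name, _ in STAGES}


def chain_detects_tampering(target, measured=ALL_STAGES):
    """True if patching `target` changes the final PCR under the given measurement policy."""
    good = boot_chain_pcr(STAGES, measured)
    bad = boot_chain_pcr(tamper(STAGES, target), measured)
    return good != bad


def single_image_detects_tampering(target):
    """True if patching `target` changes the final PCR in the single-image model."""
    good = single_image_pcr(STAGES)
    bad = single_image_pcr(tamper(STAGES, target))
    return good != bad


if __name__ == "__main__":
    # Every stage measures its successor: any patch changes the PCR.
    print("full chain, patch normal.mod:", chain_detects_tampering("normal.mod"))
    # GRUB forgot to measure one of its own stages: a patch there is invisible.
    gap = ALL_STAGES - {"normal.mod"}
    print("gap in chain, patch normal.mod:", chain_detects_tampering("normal.mod", gap))
    # Firmware measures the boot loader as one image: no intermediate gaps to get wrong.
    print("single image, patch normal.mod:", single_image_detects_tampering("normal.mod"))
```

Because extend hashes the old PCR value together with the new measurement, the final value is also order-sensitive: the same set of stages measured in a different sequence yields a different PCR, which is what lets a sealed secret or a remote verifier pin an exact boot path rather than just a set of files.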