-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Chris,
> On 06/22/2016 02:10 PM, Rusty Bird wrote: >> Hi Marcin, >> >>> How would Anti Evil Maid detect BIOS/hardware modifications >>> without sealing to PCR 0-3? By default it seals only to PCR >>> 13,17,18,19. >> PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS >> etc. > Based on what I've seen from BIOS updates not triggering AEM, I > think this is a valid concern. It should at least be explained. I'm out of my depth here -- maybe Joanna can provide an authoritative response? -- but AFAIK a more correct phrasing would have been that TXT is supposed to protect *from* the BIOS, i.e. to sanitize the early boot state so as to remove the BIOS from the TCB. Which ITL have shown it fails to really do; a malicous BIOS can circumvent AEM no matter if the old approach (TrustedGRUB) or the new approach (TXT) is used. But this might explain why a legit BIOS update does not necessarily change the PCR measurements? Rusty -----BEGIN PGP SIGNATURE----- iQJ8BAEBCgBmBQJXavgOXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0 NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfadYQAJBDbhGfNGDmFavI/wfZHRVQ DFgwm7Rf62qN4j71XgiM2VVuPCz80QHmTJlYmGnd+xoY2hfksvkB5jiE4og+qwt9 /owOqdqP7vSXS/+JvcU06a520YEBDSGeN3zXdQfNCTF31w0y8QORH2UuglNltSS6 /Jzq/IIjHMY/qeApihCDBA3yKsRfcf6SrJRkfnxYCyXXBUA/GWtyzImHlpOR/Bxr T+N5g/dzTMcCfymcrepbX61Q447zayYCNKZbKOaW/AOWA4abUwa7ZqNa8iqjcwkH znzKcrZc/Nj7t1O7ObSUGjQ+dJMHQqAoEiI00d68t5+ACMjF3RTyAa00tgF2hj0/ HgevSG3VHu3W6XpzCm+aglnuv7nst3CA+QpQ8llhNOYwZyJUPwcJTYzNydXFQBi+ q5a/LouFsFxu3e0MHSD0SgQxDf3K0kvQyiTdPA2EiB65PyMMSEerjY3m6uy0u3eW WlR5WLbEV/ity2CpokLkqeOMIU7YTqb256l3gO64AqYowVOTjgWuJ0jUNwyHabKv ynfzvPI3bZRzLRLkE4v4fOqAXuX3sWkBJjOz9hhJJ07MvyPV0grOfuqAIaALpBBq SMR2y1znxgLpPlt1Z0nFC++Qc8oCP6AGykwcvnCMiKsgZNvOvIY4Qw/fJjjFgbry K9x7SLG+XhrTIB/ooHvs =iVmy -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/fc591e12-5a5c-95af-c130-8203e96412e0%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
