On Mon, Jul 25, 2016 at 11:11:07AM +0200, Joanna Rutkowska wrote:
> One question out of curiosity: how did you verify the
> authenticity/integrity of your coreboot clone? I just
> cloned the repo also, but I see 1) no signed tags, nor 2)
> signed commits?

That's a good question. I've also built the CoreBoot 4.4 release and verified their signature on the tar file, but that doesn't mean the tree is unmodified.

In better news, I have figured out why Xen won't start from kexec on a Linux CoreBoot payload. Sometime between 3.1.0 and 3.1.3 they added numerous dependencies on the BIOS and EBDA structures for initializing the VGA console as well as figuring out where to stash pre-boot data.

I forward ported the 3.1.0 xen/drivers/video/vga.c to 4.6.3 and modified xen/arch/x86/boot/trampoline.S to not make any real mode calls, and modified xen/arch/x86/boot/head.S to use the Multiboot lower memory pointer for the trampoline segment.

Now my x230 boots Coreboot, which starts the Linux payload, which will be able to bring up the TPM and establish the root of trust from inside the ROM, authenticate to the user via tpmtotp, unseal the disk encryption keys, measure the Xen payload and configuration before calling kexec() on it, etc.

--
Trammell
