Re: TPM chip and Grub bootloader
* Robert Millan <[EMAIL PROTECTED]> [070530 15:18]:
> IOW, no matter who the keys belong to, the problem is there's a component in
> the hardware I paid for that is hostile to me, which contains keys that I
> cannot retrieve (good, because of security), and refuses to use the keys on
> anything I want it to (bad, because it's inherently an abusive tool).

You do not need a TPM based system. Today's BIOSes prohibit flashing anything not signed by the vendor using SMI and hardware lockdown mechanisms. You are locked out already, even though you might not care or know yet.

Stefan

--
coresystems GmbH • Brahmsstr. 16 • D-79104 Freiburg i. Br.
Tel.: +49 761 7668825 • Fax: +49 761 7664613
Email: [EMAIL PROTECTED] • http://www.coresystems.de/

___
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel
Re: multiboot header error
Here is a sample kernel, built as elf64, that simply refuses to boot. It consists of only two files: boot.S and multiboot.h. It does absolutely nothing and it is a cut-down version of the kernel found at http://www.gnu.org/software/grub/manual/multiboot/multiboot.html#Example-OS-code or in grub-0.97/docs.

boot.S:

#include "multiboot.h"

        .text
        .globl  start, _start
start:
_start:
        jmp     multiboot_entry

        /* Align 64 bits boundary. */
        .align  8

multiboot_header:
        .long   MULTIBOOT_HEADER_MAGIC
        .long   MULTIBOOT_HEADER_FLAGS
/*      .long   -(MULTIBOOT_HEADER_MAGIC + MULTIBOOT_HEADER_FLAGS)*/

multiboot_entry:
        /* Initialize the stack pointer. */
        movq    $(stack + STACK_SIZE), %rsp

        /* Reset EFLAGS. */
        pushq   $0
        popf

        /* Push the pointer to the Multiboot information structure. */
        pushq   %rbx
        /* Push the magic value. */
        pushq   %rax

loop:   hlt
        jmp     loop

        /* Our stack area. */
        .comm   stack, STACK_SIZE

multiboot.h:

#define MULTIBOOT_HEADER_MAGIC 0xe85250d6
#define MULTIBOOT_HEADER_FLAGS 0x
#define STACK_SIZE 0x4000

Makefile.am:

noinst_PROGRAMS = kernel
kernel_SOURCES = boot.S multiboot.h
kernel_CFLAGS = -fno-builtin -nostdinc -O -g -Wall
kernel_LDFLAGS = -nostdlib

All I get from GRUB2 is "error: No multiboot header found". I have tried changing the magic number to 0xd65052e8 to make sure I got it ok, but it still doesn't boot. The flags are all zero according to the next version of the Multiboot Spec. The same document doesn't say anything about a checksum in the multiboot header, so I commented it out.

What do you think is to blame for this behaviour?

Thanks,
Constantine
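For reference next to the question above, an added example (not part of the original post and not GRUB code): a small C scanner that applies the header rules of the published Multiboot Specification linked in the post, namely magic 0x1BADB002, 32-bit alignment, header wholly within the first 8192 bytes, and magic + flags + checksum equal to zero modulo 2^32. The function names and the constructed sample images are assumptions; the draft specification the post refers to is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB1_MAGIC  0x1BADB002u /* magic in the published specification */
#define MB1_SEARCH 8192u       /* header must lie wholly in this prefix */

/* Read a little-endian 32-bit word without alignment assumptions. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: offset of the first valid header, or -1. */
long find_multiboot1_header(const uint8_t *img, size_t len)
{
    size_t limit = len < MB1_SEARCH ? len : MB1_SEARCH;
    for (size_t off = 0; off + 12 <= limit; off += 4) { /* 32-bit aligned */
        uint32_t magic = rd32(img + off);
        uint32_t flags = rd32(img + off + 4);
        uint32_t sum = rd32(img + off + 8);
        if (magic == MB1_MAGIC && (uint32_t)(magic + flags + sum) == 0)
            return (long)off;
    }
    return -1;
}

/* Constructed sample: a zeroed 16 KiB image with one header at `off`. */
long scan_sample(size_t off, uint32_t magic, uint32_t flags, uint32_t sum)
{
    static uint8_t img[16384];
    uint32_t w[3] = { magic, flags, sum };
    memset(img, 0, sizeof img);
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            img[off + 4 * i + b] = (uint8_t)(w[i] >> (8 * b));
    return find_multiboot1_header(img, sizeof img);
}

int main(void)
{
    printf("valid header at 8: %ld\n", scan_sample(8, MB1_MAGIC, 0, 0u - MB1_MAGIC));
    printf("magic from the post, no checksum: %ld\n", scan_sample(8, 0xe85250d6u, 0, 0));
    printf("valid header at 8192: %ld\n", scan_sample(8192, MB1_MAGIC, 0, 0u - MB1_MAGIC));
    return 0;
}
```

Under these rules a header with the right magic but a missing or wrong checksum word is skipped exactly like one with the wrong magic, so the scanner returns the same "not found" result in both cases.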
Re: TPM chip and Grub bootloader
On Fri, May 25, 2007 at 10:11:03AM -0500, Bruno Wolff III wrote:
> On Fri, May 25, 2007 at 11:06:49 +0200,
> Patrick Georgi <[EMAIL PROTECTED]> wrote:
> >
> > As so often, it can be used for, and against the user. Binding certain
> > data to a machine (eg. certificates) and making it non-trivial to get at
> > them.
>
> And the way to tell is who has the keys that are stored on the TPM chip.
> If it is use, then things are good. If it is someone else, then things
> are bad.

That's a misconception. It's not the fact that a CA has a master key that makes this system a threat, it's the fact that when someone else has that key, there's no way for the owner to use physical access to become the root of the trust chain and make his own computer sign anything he wants.

IOW, no matter who the keys belong to, the problem is there's a component in the hardware I paid for that is hostile to me, which contains keys that I cannot retrieve (good, because of security), and refuses to use the keys on anything I want it to (bad, because it's inherently an abusive tool).

That, of course, unless owner override feature is present. Then it's a whole different story.

--
Robert Millan

My spam trap is [EMAIL PROTECTED]
Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list.
Re: TPM chip and Grub bootloader
On Fri, May 25, 2007 at 11:06:49AM +0200, Patrick Georgi wrote:
>
> As so often, it can be used for, and against the user.

Do these chips support so-called "owner override" ?

If they don't, then this tool contains logic specifically designed to be used _against_ the user, and your argument that "it can be used for good or bad" doesn't hold: It is not like a hammer, it's like a gun.

--
Robert Millan
patch to allow modelist for gfxterm
Hi All,

I am on the road at the moment so this is not polished, but I would like to get comments from you, how it works and what you think about integrating it to cvs.

Example:
set gfxmode="1024x768;800x600;640x480"

And when gfxterm is initialized it would first try out first mode and then second and so on...

In order to support wide screens I think those modes would need to be listed first or otherwise they will fallback to "standard" aspect ratio.

Patch should be attached in this message.

Thanks,
Vesa Jääskeläinen

Index: ChangeLog === RCS file: /sources/grub/grub2/ChangeLog,v retrieving revision 1.375 diff -u -r1.375 ChangeLog --- ChangeLog 20 May 2007 09:10:05 - 1.375 +++ ChangeLog 30 May 2007 06:00:57 - @@ -1,3 +1,8 @@ +2007-05-30 Vesa Jaaskelainen <[EMAIL PROTECTED]> + + * term/gfxterm.c (grub_gfxterm_init): Added support for specifying + list of video modes. + 2007-05-20 Robert Millan <[EMAIL PROTECTED]> * util/update-grub_lib.in: New file. Index: term/gfxterm.c === RCS file: /sources/grub/grub2/term/gfxterm.c,v retrieving revision 1.3 diff -u -r1.3 gfxterm.c --- term/gfxterm.c 31 Jul 2006 14:21:35 - 1.3 +++ term/gfxterm.c 30 May 2007 06:00:58 - @@ -202,8 +202,11 @@ if (modevar) { char *tmp; + char *next_mode; + char *current_mode; char *param; char *value; + int mode_found = 0; /* Take copy of env.var. as we don't want to modify that. */ tmp = grub_strdup (modevar); 
@@ -211,110 +214,216 @@ if (grub_errno != GRUB_ERR_NONE) return grub_errno; - - /* Skip whitespace. */ - while (grub_isspace (*tmp)) -tmp++; - - /* Initialize token holders. */ - param = tmp; - value = NULL; - - /* Parse x[x]*/ - - /* Find width value. */ - value = param; - param = grub_strchr(param, 'x'); - if (param == NULL) + + /* Initialize next mode. */ + next_mode = modevar; + + /* Loop until all modes has been tested out. */ + while (next_mode != NULL) { - /* Free memory before returning. */ - grub_free (modevar); - return grub_error (GRUB_ERR_BAD_ARGUMENT, - "Invalid argument: %s\n", - param); -} + /* Use last next_mode as current mode. */ + tmp = next_mode; + + /* Reset video mode settings. */ + width = DEFAULT_VIDEO_WIDTH; + height = DEFAULT_VIDEO_HEIGHT; + depth = -1; + flags = DEFAULT_VIDEO_FLAGS; + + /* Save position of next mode and separate modes. */ + next_mode = grub_strchr(next_mode, ';'); + if (next_mode) +{ + *next_mode = 0; + next_mode++; +} - *param = 0; - param++; + /* Skip whitespace. */ + while (grub_isspace (*tmp)) +tmp++; + + /* Initialize token holders. */ + current_mode = tmp; + param = tmp; + value = NULL; - width = grub_strtoul (value, 0, 0); - if (grub_errno != GRUB_ERR_NONE) -{ - /* Free memory before returning. */ - grub_free (modevar); - return grub_error (GRUB_ERR_BAD_ARGUMENT, - "Invalid argument: %s\n", - param); -} + /* Parse x[x]*/ - /* Find height value. */ - value = param; - param = grub_strchr(param, 'x'); - if (param == NULL) -{ - height = grub_strtoul (value, 0, 0); - if (grub_errno != GRUB_ERR_NONE) + /* Find width value. */ + value = param; + param = grub_strchr(param, 'x'); + if (param == NULL) { + grub_err_t rc; + + /* First setup error message. */ + rc = grub_error (GRUB_ERR_BAD_ARGUMENT, +"Invalid mode: %s\n", +current_mode); + /* Free memory before returning. 
*/ grub_free (modevar); - return grub_error (GRUB_ERR_BAD_ARGUMENT, - "Invalid argument: %s\n", - param); + + return rc; } -} - else -{ - /* We have optional color depth value. */ + *param = 0; param++; - height = grub_strtoul (value, 0, 0); + width = grub_strtoul (value, 0, 0); if (grub_errno != GRUB_ERR_NONE) { + grub_err_t rc; + + /* First setup error message. */ + rc = grub_error (GRUB_ERR_BAD_ARGUMENT, +
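
Review bot: in the `@@ -202,8 +202,11 @@` hunk of term/gfxterm.c, the pointer returned by `tmp = grub_strdup (modevar);` is not held in any dedicated variable once the new loop in the following hunk runs `tmp = next_mode;`, while tokenizing starts from `next_mode = modevar;` and the error path calls `grub_free (modevar);`. The line between the two hunks is not shown, so please confirm that modevar has been pointed at the copy before the loop starts. If it has not, the `*next_mode = 0;` and `*param = 0;` writes land in the environment value that the comment says must not be modified, the free releases the wrong buffer, and the copy leaks. Keeping the copy in a variable that is never used as a cursor would make the ownership obvious. `mode_found` is initialised here but is not used in the visible part of the patch.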
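
Review bot: in the `@@ -211,110 +214,216 @@` hunk, the `if (param == NULL)` branch after the width lookup frees the buffer and returns `rc` as soon as the loop reaches an entry without an `x`, so one malformed entry in the list ends the whole search instead of falling through to the next mode. Since the purpose of the list is fallback, consider recording the error and continuing with `next_mode`, and returning it only when no entry could be used. Two smaller points: the comment "Loop until all modes has been tested out" should read "have been tested", and the new `grub_strchr(next_mode, ';')` call lacks the space before the parenthesis that `grub_strdup (modevar)` and `grub_isspace (*tmp)` use.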