Re: [tboot-devel] [ANNOUNCE] Boot Security microconf at Linux Plumbers Conf, Sep 9-11
Notes from the LPC session are available: https://etherpad.net/p/LPC2019_System_Boot_and_Security/export/html

There will be DRTM-related talks at PSEC 2019, Oct 1-3 in Redmond: https://platformsecuritysummit.com

Rich

> On Jul 22, 2019, at 10:48, Rich Persaud wrote:
>
> https://www.linuxplumbersconf.org/blog/2019/system-boot-and-security-microconference-accepted-into-2019-linux-plumbers-conference/
>
> System Boot and Security Microconference has been accepted into the 2019 Linux Plumbers Conference! Computer-system security is a topic that has gotten a lot of serious attention over the years, but there has not been anywhere near as much attention paid to the system firmware. But the firmware is also a target for those looking to wreak havoc on our systems. Firmware is now being developed with security in mind, but provides incomplete solutions. This microconference will focus on the security of the system especially from the time the system is powered on.
>
> Expected topics for this year include:
>
> TPMs
> SRTM and DRTM
> Intel TXT
> AMD SKINIT
> Attestation
> UEFI Secure Boot
> IMA
> Intel SGX
> Boot loaders
> Firmware
> OpenBMC

___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
[tboot-devel] [ANNOUNCE] Boot Security microconf at Linux Plumbers Conf, Sep 9-11
https://www.linuxplumbersconf.org/blog/2019/system-boot-and-security-microconference-accepted-into-2019-linux-plumbers-conference/

System Boot and Security Microconference has been accepted into the 2019 Linux Plumbers Conference! Computer-system security is a topic that has gotten a lot of serious attention over the years, but there has not been anywhere near as much attention paid to the system firmware. But the firmware is also a target for those looking to wreak havoc on our systems. Firmware is now being developed with security in mind, but provides incomplete solutions. This microconference will focus on the security of the system especially from the time the system is powered on.

Expected topics for this year include:

TPMs
SRTM and DRTM
Intel TXT
AMD SKINIT
Attestation
UEFI Secure Boot
IMA
Intel SGX
Boot loaders
Firmware
OpenBMC
[tboot-devel] tboot test coverage
What's the best open-source test suite to compare multiple versions of tboot on one device, or one version of tboot on multiple devices? This comparison is helpful to differentiate between hardware, firmware and tboot issues.

Rich
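The hardware-vs-firmware-vs-tboot triage asked about above, as an added example that is not a tboot project tool: it groups the PCRs that differ between two measured launches by the boot stage that extends them. The PCR ownership table and the `PCR-<n>: <hex>` snapshot format are assumptions made for this example.

```python
from __future__ import annotations

# Assumed PCR ownership for an Intel TXT / tboot measured launch (an
# assumption for this example, not taken from tboot's documentation):
# PCRs 0-7 are SRTM (BIOS, option ROMs, boot config); PCR 17 is extended
# by the SINIT ACM and carries the LCP; PCR 18 is extended with the MLE,
# i.e. tboot itself.
STAGES = {
    "firmware (SRTM)": set(range(0, 8)),
    "SINIT ACM / LCP (DRTM)": {17},
    "tboot MLE (DRTM)": {18},
}


def classify_pcr(index: int) -> str:
    """Name the boot stage that owns a PCR index (default: post-launch/OS)."""
    for stage, indices in STAGES.items():
        if index in indices:
            return stage
    return "post-launch / OS"


def parse_snapshot(text: str) -> dict[int, str]:
    """Parse 'PCR-<n>: <hex>' lines, a constructed format for this example."""
    pcrs: dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        pcrs[int(name.strip().split("-")[1])] = value.strip().lower()
    return pcrs


def diff_snapshots(a: dict[int, str], b: dict[int, str]) -> dict[str, list[int]]:
    """Group PCRs that differ between two launches by owning boot stage."""
    diff: dict[str, list[int]] = {}
    for index in sorted(set(a) | set(b)):
        if a.get(index) != b.get(index):
            diff.setdefault(classify_pcr(index), []).append(index)
    return diff


# Constructed snapshots: same device and BIOS, tboot upgraded between runs.
RUN_A = """# device-1, tboot build 1
PCR-0: aa11
PCR-7: bb22
PCR-17: cc33
PCR-18: dd44
"""
RUN_B = RUN_A.replace("PCR-18: dd44", "PCR-18: ee55")

if __name__ == "__main__":
    changed = diff_snapshots(parse_snapshot(RUN_A), parse_snapshot(RUN_B))
    for stage, pcrs in changed.items():
        print(f"{stage}: PCR {pcrs} differ")
```

A difference confined to PCR 18 points at tboot or what it launched; a difference in PCRs 0-7 points at the BIOS or hardware configuration and needs the OEM, not tboot.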
Re: [tboot-devel] readme on tboot
> On Jan 11, 2019, at 11:42, Mat wrote:
>
> Can anyone else explain in simple words the difference between Secure boot and Trusted boot.

UEFI Secure Boot has roots in the Microsoft PC ecosystem, it was later adapted to Linux, see Matthew Garrett's blog: http://mjg59.dreamwidth.org/9844.html and Bootlin ELC 2018 slides: https://bootlin.com/pub/conferences/2018/elc/josserand-schulz-secure-boot/josserand-schulz-secure-boot.pdf

Here is my intro to trusted boot, but Greg's explanation is more approachable (it would make a good article!): https://www.linux.com/blog/event/elce/2017/10/device-we-trust-measure-twice-compute-once-xen-linux-tpm-20-and-txt

You could also watch some talks on boot integrity, e.g. Hudson, Smith: https://www.platformsecuritysummit.com/2018/topic/boot/

Rich
Re: [tboot-devel] Platform Security Summit 2018
> On May 1, 2018, at 20:33, Rich Persaud wrote:
>
> PSEC 2018 brings together security researchers and developers from the open-source ecosystems of OpenEmbedded, Xen Project and OpenXT, including presentations on measured launch, UEFI and TPM 2.0.
>
> With a focus on hardware-based security and commercially extensible open source, this 2-day, single track event is for hardware and firmware engineers, VMM and OS developers, security architects, integrators and senior technical staff.

Boot integrity talks from Bromium, Dell, Intel, Oracle and others have been posted: https://www.platformsecuritysummit.com/2018/topic/boot/

Rich
[tboot-devel] Platform Security Summit 2018
PSEC 2018 brings together security researchers and developers from the open-source ecosystems of OpenEmbedded, Xen Project and OpenXT, including presentations on measured launch, UEFI and TPM 2.0.

With a focus on hardware-based security and commercially extensible open source, this 2-day, single track event is for hardware and firmware engineers, VMM and OS developers, security architects, integrators and senior technical staff.

Presentation abstracts, technical references and registration details are available at https://platformsecuritysummit.com

Rich
[tboot-devel] Fwd: CFP: Platform Security Summit 2018: OpenXT, Xen Project and OpenEmbedded
OpenXT uses tboot with Linux and Xen. This May 2018 event will have several attendees and speakers who are working with TPM, TXT and measured launch [1].

Rich

[1] https://www.linux.com/blog/event/elce/2017/10/device-we-trust-measure-twice-compute-once-xen-linux-tpm-20-and-txt

Begin forwarded message:

> From: Rich Persaud <pers...@gmail.com>
> Date: March 12, 2018 at 01:58:35 EDT
> To: meta-virtualizat...@yoctoproject.org
> Subject: CFP: Platform Security Summit 2018: OpenXT, Xen Project and OpenEmbedded
>
> If you are working on commercial, academic or open-source projects which use OpenXT, Xen Project or OpenEmbedded to implement platform components with well-defined security properties, you are invited to present at Platform Security Summit 2018, which will take place on May 23-24 in Fairfax, VA, USA.
>
> Topics of interest include:
>
> - Virtualization-based isolation of open, proprietary and restricted code
> - Architecture for disaggregation of Xen-based systems
> - Mixed-criticality system design, testing and safety certification
> - Scheduling, hardware partitioning and hypervisor nesting
> - Xen PVH, PCI passthrough, PV-IOMMU, Qemu disaggregation
>
> - Hardware-rooted security technologies (e.g. TPM, TEE, SGX)
> - Measured launch, DRTM and SRTM deployment models
> - Stateless VMs and unikernels with OpenEmbedded
> - Reproducible, cross-compiled builds with OpenEmbedded
> - Spectre/Meltdown mitigations, performance & security
>
> - Inter-VM and Multi-Hypervisor Communication
> - Networking technologies for mutually trusting systems
> - Mandatory Access Control (e.g. SE Linux, Xen Security Modules)
> - Fuzzing of Xen, OpenEmbedded and platform firmware
> - GPU and co-processor virtualization
>
> The 2-day event will have a single track of presentations and discussions. There is no cost to attend, but space will be limited. If you would like to present or attend, please respond to this message by Friday, 31st March, stating your organization name and topics of interest.
>
> Rich
Re: [tboot-devel] TXT SINIT ACM failure on power-cycling node
These are very likely to be OEM BIOS bugs - if you escalate to your server OEM, they can create fixes. We started testing TXT on enterprise clients almost 10 years ago. It took a while for OEMs (Dell, Lenovo, HP) to roll out TXT fixes, but they all did eventually. Server and workstation TXT may need a similar test-fix-test cycle.

OEMs sometimes don't have an easy way to repro TXT issues, which is why the industry needs an open-source test suite for SRTM and DRTM. Now that Windows 10 is adding DRTM features, OEM testing of TXT will hopefully improve. Each separate customer report will help TXT fixes to be prioritized, especially when the issue is easy to repro.

Rich

> On Feb 26, 2018, at 16:59, Jan Schermer <j...@schermer.cz> wrote:
>
> My HP z240 workstation occasionally refuses to boot at all if I yank out the power cable while in TXT mode.
> Solution: leave power disconnected for >5 minutes, then reset BIOS (yes, really).
>
> I had similar issues with Lenovo system.
>
> I don’t think OEMs test anything...
>
> Jan
>
>> On 26 Feb 2018, at 22:52, Rich Persaud <pers...@gmail.com> wrote:
>>
>> On TXT-enabled vPro client devices (e.g. Dell 7040) that have been tested with OpenXT, Xen and OpenEmbedded measured launch [1], if you use the hardware power switch to perform a non-graceful shutdown of an operating system that was booted with TXT, the following will occur:
>>
>> (a) User presses hardware power button to turn on the device.
>> (b) Device powers on for a few seconds, then powers back off (TXT reset).
>> (c) User presses hardware power button to turn on the device.
>> (d) Device powers on normally, OS successfully completes measured launch.
>>
>> Your issue sounds like a device-specific OEM BIOS defect, have you tried contacting the OEM? Does it happen on servers from a different OEM? Which CPU generation?
>>
>> If there is interest in collaborating on OE/Yocto layers for TXT, TPM, SecureBoot, we can arrange a conference call or ELC BoF.
>>
>> Rich
>>
>> [1] https://openxt.atlassian.net/wiki/spaces/DC/pages/81035265/Measured+Launch+SRTM+and+DRTM
>>
>>
>>> On Feb 22, 2018, at 15:54, Nasim, Kam <kam.na...@windriver.com> wrote:
>>>
>>> Hi folks,
>>>
>>> We’ve been trying to integrate Tboot in our Boot sequence and have it working fine for the most part. We specify a default ANY Launch Control Policy (LCP) as main intention is to capture boot measurements in TPM PCRs and not really enforce a boot halt action.
>>>
>>> I noticed that when I power cycle the node or any other kind of non-graceful restart, it stops at the Boot menu with the following Error:
>>>
>>> Message
>>> An issue is observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted.
>>> Detailed Description
>>> An issue in observed in the previous invocation of TXT SINIT Authenticated Code Module (ACM) because the TXT information stored in the TPM chip may be corrupted.
>>> Recommended Response Action
>>> Do one of the following: 1) Update the BIOS firmware. 2) Go to System Setup > System Security page, click the "Clear" option under TPM command. Restart the system, go to System Setup > System Security page, click the "Activate" option under TPM command, and then enable TXT.
>>>
>>>
>>> I am able to continue past this but was wondering if there is any way to disable this. We don’t want to be manually doing this for all of our servers after a Power Cycle event.
>>>
>>> Have others seen this? Is this a form of corruption in the ACM? How do I flush that state on a power cycle?
>>>
>>>
>>> Thanks,
>>> Kam