Re: Secure Boot

2017-01-14 Thread Jan Dušátko

On 15.1.2017 at 3:38, Simon J. Gerraty wrote:
> Johannes Lundberg wrote:
>> https://wiki.freebsd.org/SecureBoot
>>
> Interested in this too - though for proprietary systems where we have
> control over BIOS.  The design should hopefully accommodate both.
>
> In particular any plan for how the loader would verify kernel and any
> pre-loaded modules, and kernel verify init.
> Hopefully allowing for regular update of signing keys.
>
To work correctly, there are requirements to use TPM 1.2, a hard disk
drive supporting the Opal 2.1 standard, and Intel TXT. Shim is only part of
secure boot, because it can be easily defeated without the rest.

https://www.kernel.org/doc/Documentation/intel_txt.txt
https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server
http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf
http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf
http://www.intel.com/technology/security/downloads/arch-overview.pdf




Re: Secure Boot

2017-01-14 Thread Simon J. Gerraty
Johannes Lundberg wrote:
> https://wiki.freebsd.org/SecureBoot
> 

Interested in this too - though for proprietary systems where we have
control over BIOS.  The design should hopefully accommodate both.

In particular any plan for how the loader would verify kernel and any
pre-loaded modules, and kernel verify init.
Hopefully allowing for regular update of signing keys.


___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Secure Boot

2017-01-14 Thread Johannes Lundberg
Hi

It's been almost a year since the Secure Boot wiki has been updated.

https://wiki.freebsd.org/SecureBoot

What is the current status and roadmap?

Thanks!