Re: Value of eax register after BIOS interrupt call from boot(8)

2019-11-09 Thread Julius Zint
> > Index: arch/amd64/stand/libsa/gidt.S > === > RCS file: /cvs/src/sys/arch/amd64/stand/libsa/gidt.S,v > retrieving revision 1.11 > diff -u -p -u -r1.11 gidt.S > --- arch/amd64/stand/libsa/gidt.S 27 Oct 2012 15:43:42 -

Value of eax register after BIOS interrupt call from boot(8)

2019-11-07 Thread Julius Zint
Hi misc, the following code snipped is from sys/arch/amd64/stand/libsa/gidt.S /* pass BIOS return values back to caller */ movl%eax, 0xb*4(%esp) movl%ecx, 0xa*4(%esp) movl%edx, 0x9*4(%esp) movb%bh , 0xe*4(%esp) /* clear NT flag in eflags */ /* Martin Fredriksson */ pushf pop

Trusted Boot with OpenBSD

2020-02-24 Thread Julius Zint
As part of my master thesis i wrote code to enable a trusted boot with OpenBSD. This short manual is for everyone who wants to try it. Feedback on the code and the feature itself is also appreciated. Requirements: 1: OpenBSD 6.5 (might also work with 6.6 but only tested with 6.5) 2:

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Julius Zint
> I'm not really in a position to reflash my machine but I would still be > curious for details. There is no need to reflash your firmware if the system has a integrated and supported TPM 1.2 chip. The prototype uses a Static Root of Trust for Measurment (SRTM) approach where the Chain of

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-18 Thread Julius Zint
> Are there any downsides though? For example, would resume from > hibernation still work for such a setup? It should work with hibernation without any problems, but i did not test this extensively. > > More so, for the less knowledgeable of us, how does this relate to > UEFI's "Secure

Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Julius Zint
> > If an evil made came by and got access to my machine, they would still > be able to tamper with the bootloader code to harvest the FDE password > when I returned. > > I want to put the whole bootloader (including the code used to decrypt > the softraid-FDE-encrypted

Re: Trusted Boot with OpenBSD

2020-03-26 Thread Julius Zint
>> I can't tell from the instructions how the FDE encryption key is stored -- >> do we manually seal it to the TPM and then manually unseal and copy/paste it >> every time we boot? Or is it assumed the user will write a script to handle >> this -- a script which itself will have to be