> From: Jonathan McCune [mailto:jonmcc...@cmu.edu] > Sent: Wednesday, June 15, 2011 7:16 AM > > Some quick and dirty thoughts inline... > > > 1. Using tboot or a TPM (on the motherboard), is it possible to have a > > dual boot system where both OSes boot in trusted mode? If so, how is > > that configured? > > Almost certainly, though it depends on your definition of "trusted mode". If > you just want > "authenticated boot" where the OS that boots gets measured, then yes. If you > want to try to > "enforce" that any OS that boots must be one of these 2 OSes, the set of > assumptions on which > those properties depend grows considerably. Sorry I don't have time to get > into more detail > presently. > > > 2. Can tboot or a TPM (on the motherboard) enable trusted boot of a > > USB device? If so, how is that configured? > > I suspect so. This would have more to do with the configuration of the > bootloader (e.g., grub) > than with tboot.
In the case of a static root of trust (S-RTM) (i.e. TPM w/o TXT), the USB device is just another boot medium and whatever the bootloader on it, it will be measured into PCR 4. I do believe that the spec also requires the BIOS to extend something that indicates what boot medium was chosen, so you would end up with different PCRs even if you booted the same code as from an HDD. In the case of TXT w/ tboot, since tboot is loaded by the bootloader, it is not aware of which device it was booted from. So the D-RTM measurements will be the same as long as what is being launched is the same. > > 3. If I were able to set up a USB device (with a controlled bootable > > image) for trusted boot... if the primary hard disk OS was not to boot > > in trusted mode how would these be configured? > > Again, this sounds like a BIOS (boot device priority) / bootloader > configuration. tboot should be > able to work under these conditions, though I haven't tried it. Tboot runs just fine from a USB (or CD). You can look at any number of instructions for building a Linux live image and just add tboot as you would for a HDD boot. > > 4. Is it possible to buy TPM chips? If so, through whom? Through whom > > might I get one for eval/prototype purposes? > > It is. The easiest way is to buy a PC / laptop that already includes one, > but individual chips > are available on daughter cards with an LPC bus interface. DigiKey is one > such company that sells > them: > http://search.digikey.com/scripts/DkSearch/dksus.dll?Cat=2556771&k=tpm > > Note that most PCs don't include the relevant connector but I believe adapter > cards are available. All Intel(R) vPro(TM) systems have TPMs (and TXT). > > Athough tboot is very useful, my questions relate to a potential > > project that requires use of a TPM chip. > > Folks on this list have been kind with respect to discussion of a related > project of mine, so > hopefully they'll put up with this one too. :) > > Regards, > -Jon > > ------------------------------------------------------------------------------ > EditLive Enterprise is the world's most technically advanced content > authoring tool. Experience > the power of Track Changes, Inline Image Editing and ensure content is > compliant with > Accessibility Checking. > http://p.sf.net/sfu/ephox-dev2dev > _______________________________________________ > tboot-devel mailing list > tboot-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tboot-devel ------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
