Thank you for your reply. I am new to tboot, now in the process of designing our own PoC around it.
I am also only a user (sorry for invading your -devel list), but so far I can point to these areas for improvement from my perspective:

1) Documentation - examples! (The Gentoo wiki is a prime example of how it can organically work; not sure if the tboot community is large enough and NDA-less for it to work, though.)
   - Some better docs for policy tools! For example, the man page of lcp_crtpolelt:
       [--ctrl pol-elt-ctr1]   PolEltControl field (hex or decimal)
     Now try googling "PolEltControl" :) Or perhaps I'm not supposed to care about that? :) (Other tools have a --ctrl parameter as well, and I have no idea about those either.)
     Also, this seems to be a common theme to things TCG-related, like TPM. I actually have to revert to ordering real books from Amazon to get any real-world information, it seems.
   - Or, for example, a better introduction to tboot's own policy (what it does, how it relates to LCP, when it is useful and when not - I confess that I'm confused).
   There's more, but I'm still learning, so I'll ask after reading the TCG specs and other docs again in case I missed something.

2) Some utility to decode the SINIT error codes (since you're from Intel... :) I tried decoding them, but my SINIT is ancient, and the error codes are not listed for it anywhere.

3) Better error reporting. It took me a while before I found out I don't have the necessary NVRAM indexes; the error message was not helpful. This was because I tried copy-pasting an example that omitted creating those areas. Now it feels natural once I figured out (almost) how some things work, but for someone new this might be an unnecessary obstacle. I guess it comes back to documentation...

Btw, I am looking for a consultant ($, but not big $$$ for now :), preferably someone with knowledge about TPM, TXT (or any form of measured/verified/trusted launch), and possibly SED drives. It's a sad reality that everyone around me has never used UEFI apart from reinstalling Windows on a gf's laptop, and TPM is synonymous with "smartcard"...
My goal is to have the OS installed on SED drives that get decrypted by a key sealed by the TPM to specific PCRs (attesting that my vmlinuz/initramfs are running) to prevent copying the installation and tampering ("integrity" comes by "proof of decryption" in my current scenario). Sounds simple in theory, but I get stopped by me not having the knowledge, nobody around me having the knowledge, and Google refusing to find the knowledge. Also, all vendors are surprisingly clueless about any of this (?!), and all focus seems to be on workstations.

Is there someone who might be able to help me on this?

Thanks
Jan

> On 18 Apr 2016, at 18:31, Sun, Ning <ning....@intel.com> wrote:
>
> Hi Jan,
>
> Thanks for your email, currently tboot works with grub on both UEFI and
> legacy platforms.
> Meanwhile, we are working on a PoC of UEFI 64 bit tboot, which will support
> multiple usages including what you mentioned in your email.
> As this work is non-trivial, any suggestions/proposals are welcome!
>
> Thanks,
> -Ning
>
> -----Original Message-----
> From: Jan Schermer [mailto:j...@schermer.cz]
> Sent: Monday, April 18, 2016 4:59 AM
> To: tboot-devel@lists.sourceforge.net
> Subject: [tboot-devel] booting tboot directly as EFI STUB?
>
> Hello,
> is it possible to add support for loading tboot directly instead of using
> GRUB, in the same way the Linux kernel supports it?
> https://www.kernel.org/doc/Documentation/efi-stub.txt
>
> This would greatly simplify the setup of tboot and remove one unnecessary
> component (grub) which presents a quite large attack surface.
>
> This way tboot would get measured by BIOS directly into CRTM, and we could
> immediately follow DRTM from here...
> And I could maybe sign the tboot binary for Secure Boot instead of using
> poorly-documented GRUB :-)
>
> Thanks
>
> Jan
>
> _______________________________________________
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
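A small simulation of the "key sealed to PCRs" design described in Jan's message above, added here as an example; it is not code from the tboot project or from anyone in this thread. It assumes a SHA-256 PCR bank, a made-up storage-root secret standing in for the TPM's internal key hierarchy, an illustrative PCR layout (17 for the SINIT/DRTM launch, 18 for the MLE, 19 for the kernel and initramfs) and constructed stand-in component contents. It shows why the sealed key only comes back when every measured component, in the same order, is unchanged, which is the property that stops a copied or tampered installation from unlocking the drive.

```python
"""Simulation of sealing a disk-unlock key to TPM PCR values.

Added example, not tboot project code.  Models how a key sealed to specific
PCRs only unseals when the measured boot chain is unchanged.  The PCR indices,
the storage-root secret and the component contents are constructed
assumptions; a real TPM performs seal/unseal internally.
"""
import hashlib
import hmac

PCR_COUNT = 24
DIGEST_LEN = 32  # SHA-256 bank

# Assumed PCR layout for illustration: 17 for the DRTM launch (SINIT/LCP),
# 18 for the MLE (tboot), 19 for the kernel and initramfs measured by tboot.
PCR_SELECTION = (17, 18, 19)

# Constructed stand-in for the TPM's storage hierarchy secret; in a real
# TPM this never leaves the chip.
_SRK_SECRET = b"simulated-storage-root-key-secret"


def new_pcr_bank() -> list:
    """All PCRs start at zero after reset, as in a real TPM."""
    return [bytes(DIGEST_LEN)] * PCR_COUNT


def extend(bank: list, index: int, measurement: bytes) -> None:
    """PCR extend: new = H(old || H(measurement)). Order of extends matters."""
    digest = hashlib.sha256(measurement).digest()
    bank[index] = hashlib.sha256(bank[index] + digest).digest()


def policy_digest(bank: list, selection=PCR_SELECTION) -> bytes:
    """Digest over the selected PCR values: the policy the key is bound to."""
    return hashlib.sha256(b"".join(bank[i] for i in selection)).digest()


def seal(key: bytes, bank: list) -> dict:
    """Bind key to the current PCR state; returns an opaque sealed blob."""
    assert len(key) == DIGEST_LEN
    pol = policy_digest(bank)
    pad = hmac.new(_SRK_SECRET, b"seal" + pol, hashlib.sha256).digest()
    return {"policy": pol, "ciphertext": bytes(a ^ b for a, b in zip(key, pad))}


def unseal(blob: dict, bank: list) -> bytes:
    """Release the key only if the current PCRs reproduce the sealed policy."""
    pol = policy_digest(bank)
    if not hmac.compare_digest(pol, blob["policy"]):
        raise PermissionError("PCR values do not match sealed policy")
    pad = hmac.new(_SRK_SECRET, b"seal" + pol, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], pad))


def simulate_boot(sinit: bytes, mle: bytes, kernel: bytes, initramfs: bytes) -> list:
    """Replay the measured-launch chain into a fresh PCR bank."""
    bank = new_pcr_bank()
    extend(bank, 17, sinit)
    extend(bank, 18, mle)
    extend(bank, 19, kernel)
    extend(bank, 19, initramfs)
    return bank


# Constructed sample components (stand-ins for the real binaries).
GOOD = dict(sinit=b"SINIT ACM v1", mle=b"tboot MLE",
            kernel=b"vmlinuz-4.4", initramfs=b"initramfs.img")
DISK_KEY = hashlib.sha256(b"constructed SED unlock key").digest()


def provision() -> dict:
    """Seal the disk key against the known-good boot measurements."""
    return seal(DISK_KEY, simulate_boot(**GOOD))


def try_unlock(blob: dict, **components) -> bool:
    """True if a platform booted with these components can unseal the key."""
    try:
        return unseal(blob, simulate_boot(**components)) == DISK_KEY
    except PermissionError:
        return False


if __name__ == "__main__":
    blob = provision()
    print("good boot unlocks:", try_unlock(blob, **GOOD))
    modified = dict(GOOD, initramfs=b"initramfs.img (modified)")
    print("modified initramfs unlocks:", try_unlock(blob, **modified))
```

The blob that would live on disk contains only the policy digest and the wrapped key; without a PCR bank that reproduces the digest, the wrapping material is never derived, so copying the drive and the blob to another machine, or changing any one measured component, leaves the key unreachable. In a real deployment this comparison and the key release happen inside the TPM, which is what gives the "proof of decryption" its integrity meaning.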