Hi!
I think I might have run into some bugs, but so far I blame myself and not the 
platform.

My primary test tool was a Thinkpad T510 with vPro (not really a new machine), 
and it worked well enough for trying out TPM, figuring out how PCRs behave (on 
this platform only of course) and testing SED functionality on an SSD.

When I went to try tboot it booted without problem until I wrote LCP policy 
into NVRAM -> bootloop. I have a movie of the boot sequence if anyone is 
interested.
I'm going to try on HP DL160 Gen9 with TPM soon, let's see how that works, I 
still assume I don't know what I'm doing so I'm not pointing fingers at the 
platform yet.

From what I gather Intel is pretty good at producing great tech, but poor at 
marketing it - I've been working as a sysadmin (with some curiosity in sec) 
for 17 years and I also thought TPM was a "smartcard" and that TXT is some 
sort of NX bit extension. Oh how wrong I was. Even worse, my peers have no 
idea either!
Let's hope TXT will be around for a while before they deprecate it, not sure 
what Intel's track record is in this area...

I actually had a meeting with an Intel representative last week and he tried 
pushing TXT for attestation (since that was his understanding of my needs until 
then).
My feeling is they are serious about it - after all it's what openstack 
attestation service uses (right?), vmware, hytrust, McAfee - I'm not implying 
there's any security in it, but it's cheap compliance proof for those that need 
that kind of thing.

Jan




> On 19 Apr 2016, at 00:58, Dr. Greg Wettstein <g...@wind.enjellic.com> wrote:
> 
> On Apr 18,  8:55pm, Jan Schermer wrote:
> } Subject: Re: [tboot-devel] booting tboot directly as EFI STUB?
> 
> Good afternoon, I hope this note finds the day going well for
> everyone.
> 
>>>> -----Original Message-----
>>>> From: Jan Schermer [mailto:j...@schermer.cz] 
>>>> Sent: Monday, April 18, 2016 4:59 AM
>>>> To: tboot-devel@lists.sourceforge.net
>>>> Subject: [tboot-devel] booting tboot directly as EFI STUB?
>>>> 
>>>> Hello,
>>>> 
>>>> is it possible to add support for loading tboot directly instead
>>>> of using GRUB, in the same way Linux kernel supports it?
>>>> https://www.kernel.org/doc/Documentation/efi-stub.txt
>>>> 
>>>> This would greatly simplify the setup of tboot and remove one
>>>> unnecessary component (grub) which presents a quite large attack
>>>> surface.
>>>> 
>>>> This way tboot would get measured by BIOS directly into CRTM,
>>>> and we could immediately follow DRTM from here...  And I could
>>>> maybe sign the tboot binary for Secure Boot instead of using
>>>> poorly-documented GRUB :-)
>>> 
>>> On 18 Apr 2016, at 18:31, Sun, Ning <ning....@intel.com> wrote:
>>> 
>>> Hi Jan,
>>> 
>>> Thanks for your email, currently tboot works with grub on both
>>> UEFI and legacy platforms.  Meanwhile, we are working on a PoC of
>>> UEFI 64 bit tboot, which will support multiple usages including
>>> what you mentioned in your email.  As this work is non-trivial,
>>> any suggestions/proposals are welcome!
>>> 
>>> Thanks,
>>> -Ning
>>> 
>> Thank you for your reply.
>> 
>> I am new to tboot, now in the process of designing our own PoC
>> around it.
>> 
>> I am also only a user (sorry for invading your -devel list) but so
>> far I can point to those areas for improvement from my perspective:
>> 
>> 1) documentation
>> 
>>      - examples! (gentoo wiki is a prime example of how it can
>> organically work, not sure if tboot community is large enough and
>> NDA-less for it to work, though).
>> 
>>      - some better docs for policy tools!
>> For example
>> man page of lcp_crtpolelt:
>>              [--ctrl pol-elt-ctr1] PolEltControl field (hex or decimal)
>> 
>> Now try googling "PolEltControl" :) or perhaps I'm not supposed to
>> care about that? :) (other tools have --ctrl parameter as well, and
>> I have no idea about those either)
>> 
>> Also, this seems to be a common theme to things TCG-related, like
>> TPM. I actually have to revert to ordering real books from Amazon to
>> get any real-world information it seems.
>> 
>> Or for example better introduction to tboot's own policy (what it
>> does, how it relates to LCP, when it is useful and when not - I
>> confess that I'm confused) There's more, but I'm still learning so
>> I'll ask after reading the TCG specs and other docs again in case I
>> missed something.
>> 
>> 2)
>> 
>> Some utility to decode the SINIT error codes (since you're from
>> Intel... :) I tried decoding them but my sinit is ancient, and the
>> error codes are not listed for it anywhere
>> 
>> 3) Better error reporting
>> 
>> Took me a while before I found out I don't have the necessary NVRAM
>> indexes, the error message was not helpful.  This was because I
>> tried copy&pasting an example that omitted creating those areas, now
>> it feels natural once I figured (almost) how some things work, but
>> for someone new this might be an unnecessary obstacle. I guess it
>> comes back to documentation...
>> 
>> Btw I am looking for a consultant ($, but not big $$$ for now :),
>> preferably someone with knowledge about TPM, TXT (or any form of
>> measured/verified/trusted launch), and possibly SED drives. It's a sad
>> reality that everyone around me never used UEFI apart from
>> reinstalling Windows on a gf's laptop, and TPM is synonymous with
>> "smartcard"...
>> 
>> My goal is to have the OS installed on SED drives that get decrypted
>> by a key sealed by TPM to specific PCRs (attesting that my
>> vmlinuz/initramfs are running) to prevent copying the installation and
>> tampering ("integrity" comes by "proof of decryption" in my current
>> scenario). Sounds simple in theory but I get stopped by me not having
>> the knowledge, nobody around me having the knowledge and google
>> refusing to find the knowledge. Also, all vendors are surprisingly
>> clueless about any of this(?!) and all focus seems to be on
>> workstations.
>> 
>> Is there someone who might be able to help me on this?
>> 
>> Thanks
>> Jan
> 
> TXT/tboot is a bit of a bodge right now.  So much so that we have put
> the question directly to Intel as to whether or not they are serious
> about the platform.
> 
> Based on the description of what you are doing I suspect you haven't
> even started to run into the bugs yet.... :-)(
> 
> We design and build high security assurance platforms directly on top
> of TXT/tboot up to and including deterministic modeling of platform
> behavior.  You can find a link on the following page which points to a
> presentation of ours which provides a good summary of the type of
> engineering that we do:
> 
> http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015/Schedule
> 
> We can provide whatever engineering your project would need if it
> would make mutual sense.
> 
> We will follow up under separate cover.
> 
> Have a good evening.
> 
> Greg
> 
> }-- End of excerpt from Jan Schermer
> 
> As always,
> Dr. Greg Wettstein, Ph.D, Worker
> IDfusion, LLC
> 4206 N. 19th Ave.           Implementing measured information privacy
> Fargo, ND  58102            and integrity architectures.
> ------------------------------------------------------------------------------
> "Umm.. the developers behind Flame were able to hijack Windows update,
> gain access to a Microsoft code signing and website signing key while
> staying undetected in the wild for at least 2+ years.
> 
> But System Restore 2.0 is going to stop them?  Your average piece of
> malware can survive a system restore..."
>                                -- Slashdot
> 
> -- 


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
