Hello,
can someone confirm my understanding and clarify my questions, please?

1) Launch control policy
        - protects tboot integrity (MLE)
        - can limit boot to certain PCRs
        - can I have multiple generations of LCPs if I need to upgrade tboot or 
change a PCR?

From my understanding, if I use an empty signed policy, I can have multiple 
policy data files signed by the same key with different policies. Is that so? 
Does it work in practice?

2) Verified launch policy (tboot)
        - verifies "modules" (usually vmlinuz, initramfs) and measures them 
into PCRs of my choosing
        - limits boot to modules in the policy
                - does it? Can a platform contain some default policy that 
would allow circumventing this lock?
        - needs to be written to NVRAM on every change
                - I don't like this much, I'd prefer a mechanism like Secure 
Boot where I'd put my CA key in the VLP and whatever is signed gets booted, and 
the CA key would be extended into PCR18 for example. Is something like this 
possible?

3) In the end I need to be able to unseal data only in the TXT environment when 
my OS is booted, and I'd like to avoid resealing the secrets to every new VLP 
module combination.

Can I simply seal the data to only PCR 17 then?
To break the seal someone would need to either
a) know the TPM password and change the VLP to boot another OS
b) reset the TPM in BIOS
        - but this should clear the old SRK, so my sealed data can't be 
unsealed anymore - can I rely on this?
c) some other attack vector I'm not aware of?
        - OS will be encrypted so that vector is not possible

Thanks

Jan
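As an added illustration, not part of Jan's message or of the tboot project's code, the following Python models the PCR behaviour behind questions 2 and 3: SHA-1 extend as in TPM 1.2, a simplified PCR composite, and a toy seal/unseal keyed by the SRK. The PCR assignment (SINIT into PCR 17, first module into 18, remaining modules into 19) follows tboot's default; the image contents, the two-extend model of SINIT and the seal format are constructed stand-ins, not a real TPM format.

```python
# Added toy model of TPM 1.2 PCR extend and PCR-bound sealing under a tboot-style launch.
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def pcr_extend(pcr, measurement):
    """TPM_Extend semantics: new = SHA-1(old || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def pcr_composite(pcrs, selection):
    """Simplified TPM_PCR_COMPOSITE digest: SHA-1 over the selected PCR values in
    index order (the real structure also serialises the selection mask and size)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(selection))).digest()


class ToyTPM:
    """An SRK (replaced when ownership is cleared) plus 24 PCRs."""

    def __init__(self):
        self.srk = os.urandom(32)
        self.reset_pcrs()

    def reset_pcrs(self):
        # Power cycle: PCRs return to zero, the SRK survives.
        self.pcrs = {i: bytes(PCR_LEN) for i in range(24)}

    def extend(self, index, measurement):
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def seal(self, selection, secret):
        """Bind secret to the current composite of `selection` under the SRK.
        Toy construction (assumption, not TPM_Seal): key = HMAC-SHA256(SRK, composite),
        XOR mask of the secret, HMAC tag over composite and ciphertext."""
        if len(secret) > 32:
            raise ValueError("toy seal handles secrets up to 32 bytes")
        comp = pcr_composite(self.pcrs, selection)
        key = hmac.new(self.srk, b"seal" + comp, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(self.srk, b"tag" + comp + ct, hashlib.sha256).digest()
        return {"selection": tuple(sorted(selection)), "ct": ct, "tag": tag}

    def unseal(self, blob):
        """Succeeds only if the current composite equals the sealed one and the SRK
        is the one that sealed; either mismatch makes the tag check fail."""
        comp = pcr_composite(self.pcrs, blob["selection"])
        tag = hmac.new(self.srk, b"tag" + comp + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("unseal refused: PCR composite or SRK mismatch")
        key = hmac.new(self.srk, b"seal" + comp, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], key))


# Constructed stand-ins for the real images; only their hashes matter here.
IMAGES = {
    "tboot_v1": b"tboot.gz build 1", "tboot_v2": b"tboot.gz build 2",
    "lcp": b"LCP data signed with key K",
    "kernel_v1": b"vmlinuz 4.4", "kernel_v2": b"vmlinuz 4.9",
    "initrd": b"initramfs.img",
}


def measured_launch(tpm, tboot, kernel):
    """Model of the launch: SINIT extends PCR 17 with the MLE (tboot) and the LCP in
    use (simplified to two extends), then tboot extends the first module into PCR 18
    and the remaining modules into PCR 19 (tboot's default; a VLP can pick other PCRs)."""
    tpm.reset_pcrs()
    tpm.extend(17, IMAGES[tboot])
    tpm.extend(17, IMAGES["lcp"])
    tpm.extend(18, IMAGES[kernel])
    tpm.extend(19, IMAGES["initrd"])


def try_unseal(tpm, blob):
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def run_scenarios():
    """Seal once on the reference boot, then check what survives each change."""
    secret = b"disk-unlock-key-0123456789abcdef"  # 32 bytes, constructed
    tpm = ToyTPM()
    measured_launch(tpm, "tboot_v1", "kernel_v1")
    pcr17_only = tpm.seal({17}, secret)
    pcr17_18 = tpm.seal({17, 18}, secret)

    out = {}
    measured_launch(tpm, "tboot_v1", "kernel_v2")  # kernel swapped: PCR 18 moves, 17 does not
    out["new_kernel_pcr17_only"] = try_unseal(tpm, pcr17_only) == secret
    out["new_kernel_pcr17_18"] = try_unseal(tpm, pcr17_18) == secret
    measured_launch(tpm, "tboot_v2", "kernel_v1")  # tboot swapped: PCR 17 moves
    out["new_tboot_pcr17_only"] = try_unseal(tpm, pcr17_only) == secret
    tpm.srk = os.urandom(32)                       # TPM cleared in BIOS: fresh SRK
    measured_launch(tpm, "tboot_v1", "kernel_v1")  # PCRs identical to the sealing boot
    out["tpm_reset_pcr17_only"] = try_unseal(tpm, pcr17_only) == secret
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} unseal {'OK' if ok else 'refused'}")
```

Running it shows the trade-off behind question 3 in this model: a seal bound to PCR 17 alone survives a kernel upgrade because PCR 17 does not cover the modules, and for the same reason it does not distinguish one kernel from another; a seal bound to PCRs 17 and 18 is refused after the kernel changes; a new tboot or a cleared TPM (new SRK, even with identical PCR values) both refuse the unseal.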
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
