Hello,

I've been working on adding PECOFF/kernel signature verification to tboot and now that I have a rough working prototype I wanted to bring it to the list to see if this is something the tboot community would be interested in eventually merging (once the work is more complete and polished).

The patchset is quite large, mostly due to the inclusion of libtomcrypt and libtomfastmath to the tboot repository, so I'm going to refrain from spamming the list with the full patchset at this early stage. The current patchset can be found on GitHub at the URL below (look in the "working-txtsig" branch):

 * https://github.com/pcmoore/misc-tboot/tree/working-txtsig

The prototype doesn't actually enforce any policy or change the PCR measurements based on the kernel signatures (both are planned work items), but it does demonstrate the ability to parse and verify a signed PECOFF image. The individual patch descriptions provide some additional information on some of the planned work to take this from a prototype to a proper implementation.

My motivation for this work is to create a mechanism that is capable of generating a stable set of PCR values across multiple kernels that can be used to seal TPM NVRAM secrets on both legacy BIOS and UEFI systems. Imagine being able to store a storage encryption key in the TPM, and restricting access to that key to only authorized kernels in such a way that didn't require changing the tboot policy when booting different kernels. I imagine I'm not alone in thinking this would be a nice capability to have, especially on systems that don't support UEFI Secure Boot.

For those who are interested, I gave a presentation on this work at the Linux Security Summit last month, the video and slides are available at the links below:

 * https://www.youtube.com/watch?v=Qbjz_5jUE9o
 * https://www.paul-moore.com/docs/lss-securing_tpm_with_txt-pmoore-201909-r2.pdf

Thoughts? Is this capability something the TXT/tboot community would be interested in merging into the main tboot repository once it is more complete?