On Thu, 2019-09-19 at 15:39 +0000, Paul Moore (pmoore2) via tboot-devel wrote: > Hello, > > I've been working on adding PECOFF/kernel signature verification to > tboot and now that I have a rough working prototype I wanted to bring > it to the list to see if this is something the tboot community would > be interested in eventually merging (once the work is more complete > and polished). > > The patchset is quite large, mostly due to the inclusion of > libtomcrypt and libtomfastmath to the tboot repository, so I'm going > to refrain from spamming the list with the full patchset at this early > stage. The current patchset can be found on GitHub at the URL below > (look in the "working-txtsig" branch): > > * https://github.com/pcmoore/misc-tboot/tree/working-txtsig >
I've updated the working-txtsig branch with a number of fixes relating to the ASN.1/PKCS parsing code as well as improved signing/hash algorithm support (previously limited to SHA256) and the ability to verify kernels using variable length certificate chains (previously limited to the immediate signer). Work on adding certificate support to the tboot launch control policy is ongoing (it's the next major work item), but the prototype contains a hard coded Fedora CA which should be able to verify any modern Fedora kernel. Just as before, if you have any questions, concerns, or feedback please get in touch on-list or privately. I'll be giving an updated presentation on this effort at the Linux Security Summit EU later this month, if you are in the area please stop by and introduce yourself - I'd love to talk about TXT/tboot! https://events19.linuxfoundation.org/events/linux-security-summit-europe-2019 Thanks, -Paul _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
