Hi,
I'm designing a trusted platform for an embedded device and I hit a roadblock
with trusted OS updates. Here is an example:
- our system consists of two components that may need upgrade - operating
system and system software.
- the system software is stored as an encrypted archive and decryption key is
sealed with values of several PCR registers.
- the system software is responsible for upgrading itself and operating system.
- when new OS image downloaded and verified by system software the encryption
key need to be re-sealed with "EXPECTED" PCR values after system reboots.
Essentially the encryption key needs to be "unsealed" in the currently running
environment and "sealed" with expected values of PCR registers that can be easy
calculated at that time.
So, would it be possible to add an option to tpm_sealdata in order to seal data
with arbitrary values of PCR registers? I think the command line syntax may be
extended to something like "{-p|--pcr} NUMBER:SHA1_HEX_STRING", so if no
":SHA1_HEX_STRING" is provided then value of the register is used, otherwise
use the provided value.
What do you guys think? Is this possible?
Regards,
-Dmitri
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
