If you haven't done it, take a look at how secure boot is done in Chrome OS. I think it addresses all the right issues.
http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot

It turns out the TPM isn't really used (other than peripherally as NV storage to protect against OS version rollback). The important thing is to establish a "chain of trust" so that at any stage you can trust the software that's verifying the next stage.

Luigi (Chrome OS Kernel Team)

On Tue, Oct 21, 2014 at 10:36 AM, David Li <[email protected]> wrote:
> My goal is to use TPM to perform system boot integrity checks. My server's UEFI firmware can extend PCRs with hash values on the firmware modules along the boot chain. So this is what I have to base upon.
>
> As I am researching how to do this securely, I came upon some questions:
>
> 1. I understand that I will need to create an AIK (an RSA pair) to sign the PCRs. Can I create a Privacy CA to issue a certificate on the AIK I created? Do I also need the TPM manufacturer's EK certificate in this process? Another question is how this signing process is accomplished. Is it automatically done by the TPM, or does an external piece of software do it once bootup is done?
>
> 2. In order to compare the real-time measured PCR values to "known good ones", where do I store the "known good values" to start with? I can think of two places: one is inside the TPM somewhere and the other is outside the TPM in a remote secure location. What's the recommendation?
>
> 3. Can this check be accomplished by using commands in tpm_tools? Or will I have to use Trousers C APIs to program?
>
> Thanks.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
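The comparison David asks about in question 2 (measured PCRs versus "known good" values kept off the box) is, on the verifier side, a replay of the PCR extend operation over the recorded boot events. The following is an added example, not code from the thread or from TrouSerS: it models the SHA-1 PCR bank of a TPM 1.2 device, recomputes PCR values from a constructed event log, and reports which PCRs diverge from a golden set that the verifier stores outside the TPM. The event log contents, the PCR index assignments and the function names are all assumptions made for the illustration.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 PCR bank, as on TPM 1.2 (assumption: single SHA-1 bank)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend semantics: PCR_new = SHA1(PCR_old || measurement)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def replay_event_log(events):
    """Recompute every PCR from a list of (pcr_index, digest) events.

    PCRs start at all zeros after reset; each event extends its PCR in order.
    This is what a remote verifier does with the event log it receives,
    before comparing the result with the (AIK-signed) PCR values.
    """
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs.get(idx, b"\x00" * PCR_SIZE), digest)
    return pcrs


def verify_pcrs(measured, expected):
    """Return the sorted PCR indices whose measured value differs from the golden value.

    A missing PCR on the measured side counts as a mismatch, so a log that
    silently drops a stage is caught as well.
    """
    return sorted(i for i, v in expected.items() if measured.get(i) != v)


# Constructed sample event log: two firmware volumes measured into PCR 0,
# the bootloader measured into PCR 4 (index choice is illustrative only).
SAMPLE_EVENTS = [
    (0, hashlib.sha1(b"firmware-volume-A").digest()),
    (0, hashlib.sha1(b"firmware-volume-B").digest()),
    (4, hashlib.sha1(b"bootloader-v1").digest()),
]

# Golden values: computed once from a trusted boot and kept on the verifier,
# i.e. outside the TPM, as hex strings.
GOLDEN_HEX = {i: v.hex() for i, v in replay_event_log(SAMPLE_EVENTS).items()}


def check_boot(events):
    """Replay a reported event log and list PCRs that do not match the golden set."""
    golden = {i: bytes.fromhex(h) for i, h in GOLDEN_HEX.items()}
    return verify_pcrs(replay_event_log(events), golden)


if __name__ == "__main__":
    # Constructed tampered log: the bootloader digest changed.
    tampered = SAMPLE_EVENTS[:2] + [(4, hashlib.sha1(b"bootloader-evil").digest())]
    print("clean boot mismatches:   ", check_boot(SAMPLE_EVENTS))
    print("tampered boot mismatches:", check_boot(tampered))
```

Two points the code makes concrete: the golden values are only as good as the trusted boot they were captured from, and the verifier must compare against PCR values whose origin it can trust, which is where the AIK-signed quote from question 1 comes in; the replay alone proves nothing if the event log and PCR values were reported by software the verifier has no reason to believe.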
