If you have the hashes, you can verify them using TPM Quote Tools <http://tpmquotetools.sourceforge.net/>. It is packaged for Fedora, so if you are using it, you can install the package with "sudo yum install tpm-quote-tools".
John David Li <[email protected]> writes:

> Hi Luigi,
>
> Thanks for the link. It's very interesting.
>
> My case might be different from Chromium. I don't have control over
> the firmware (uEFI + option ROMs + bootloader) on the board. The
> vendor did all the hashes using CRTM as root of trust and stored them
> in the TPM PCRs. So that's my starting point assuming you trust all
> the hashes inside. I don't have a requirement to do any verification
> post-firmware yet.
>
> So my problem is how to securely verify those hash values against the
> "known good ones". The known good ones are those that are provided by
> the board vendor before product shipping and I have to trust. I am
> trying to detect any tampering of those in the field by using TPM.
>
> Since I don't control the firmware, I have no way to store the known
> good hashes (e.g. for boot loader) inside a verified firmware. I can
> certainly store them off board in a secure location. But I also heard
> you can store them inside the TPM too.
>
> David

TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
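The off-board comparison discussed in this thread, as an added example that is not part of the original message or of TPM Quote Tools: a verifier rebuilds the TPM 1.2 `TPM_QUOTE_INFO` from its stored known-good PCR values and a fresh nonce, then compares it with what the board reported. Assumptions: TPM 1.2 (SHA-1, 20-byte PCRs), a 3-byte PCR selection that must match the one the quoting side used, hypothetical function names, and constructed sample values; the AIK signature over the structure still has to be checked separately.

```python
import hashlib
import hmac
import struct

def pcr_composite(pcrs, size_of_select=3):
    """Serialize TPM_PCR_COMPOSITE from {pcr_index: 20-byte SHA-1 value}."""
    select = bytearray(size_of_select)
    for index in pcrs:
        if len(pcrs[index]) != 20:
            raise ValueError("TPM 1.2 PCR values are 20 bytes")
        select[index // 8] |= 1 << (index % 8)   # one bit per selected PCR
    values = b"".join(pcrs[i] for i in sorted(pcrs))
    # TPM_PCR_SELECTION (uint16 size + bitmap), uint32 valueSize, PCR values
    return (struct.pack(">H", size_of_select) + bytes(select)
            + struct.pack(">I", len(values)) + values)

def quote_info(pcrs, nonce, size_of_select=3):
    """Serialize TPM_QUOTE_INFO: version 1.1.0.0, 'QUOT', composite hash, nonce."""
    if len(nonce) != 20:
        raise ValueError("nonce must be 20 bytes")
    digest = hashlib.sha1(pcr_composite(pcrs, size_of_select)).digest()
    return b"\x01\x01\x00\x00" + b"QUOT" + digest + nonce

def matches_known_good(reported_quote_info, known_good, nonce):
    """True only if the quoted PCRs equal the known-good set for this nonce."""
    expected = quote_info(known_good, nonce)
    return hmac.compare_digest(reported_quote_info, expected)

# Constructed sample data (not real measurements from any board).
KNOWN_GOOD = {0: hashlib.sha1(b"constructed firmware").digest(),
              4: hashlib.sha1(b"constructed bootloader").digest()}
TAMPERED = dict(KNOWN_GOOD)
TAMPERED[4] = hashlib.sha1(b"constructed modified bootloader").digest()
NONCE = hashlib.sha1(b"constructed verifier challenge").digest()

if __name__ == "__main__":
    # Stand-in for the board side: the structure a TPM would sign for its PCRs.
    print(matches_known_good(quote_info(KNOWN_GOOD, NONCE), KNOWN_GOOD, NONCE))
    print(matches_known_good(quote_info(TAMPERED, NONCE), KNOWN_GOOD, NONCE))
```

The nonce is what stops an old quote from a healthy boot being replayed, so the verifier has to generate a new one for every check.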
