Open tlaurion opened 1 year ago
It should probably be added to either https://osresearch.net/ about section or https://osresearch.net/Keys/
@maltfield just read your article at https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/
Two small corrections there.
On the T440p (and other Haswell-based platforms), the bootblock can be made part of the IBB and measured by the ACM blob to populate PCR0 with IBB measurements. Since the bootblock is where the first measurement (extend op to the TPM) happens, faking measurements inside of coreboot (PCR2 only) to get the PCR 0-4 measurements sealed into TOTP/HOTP would become extensively complicated to replay.
Also, the Librem Key is a rebranded Nitrokey Pro, not a Nitrokey Storage.

@maltfield: Any simplification you would suggest on the OP here that should be part of the main documentation for seal/unseal/extend operations for end users?
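The PCR0 point above can be modelled in a few lines. The following is an added example, not code from the article, Heads, coreboot or any commenter here: a toy TPM PCR bank with TPM2_PCR_Extend semantics, a TOTP/HOTP seed sealed to the composite of PCRs 0-4, and two boot flows, one where the bootblock performs the first extend itself and one where the ACM hashes the bootblock (IBB) into PCR0 before any of it runs. The measurement inputs, the sealing construction and the use of PCRs 1, 3 and 4 are constructed for the example and are not Heads' real PCR layout; only "bootblock into PCR0 via ACM" and "coreboot stages into PCR2" follow the comment.

```python
import hashlib
import hmac

# Toy model, not Heads/coreboot/TPM code. All measurement inputs are constructed.
NUM_PCRS = 8
PCR_LEN = 32  # one SHA-256 bank
SEAL_PCRS = (0, 1, 2, 3, 4)  # what the TOTP/HOTP secret is sealed to

GOOD_BOOTBLOCK = b"coreboot bootblock (constructed, known-good)"
EVIL_BOOTBLOCK = b"coreboot bootblock (constructed, with implant)"
COREBOOT_STAGES = [b"romstage", b"ramstage", b"payload:heads"]      # measured into PCR2
OTHER_MEASUREMENTS = {1: b"platform config", 3: b"option roms", 4: b"boot mode"}


def new_pcr_bank():
    return [bytes(PCR_LEN) for _ in range(NUM_PCRS)]


def extend(bank, index, measurement):
    """TPM2_PCR_Extend: PCR[i] = H(PCR[i] || H(measurement)). There is no 'set'."""
    digest = hashlib.sha256(measurement).digest()
    bank[index] = hashlib.sha256(bank[index] + digest).digest()
    return bank[index]


def pcr_composite(bank, indices):
    """Digest over the selected PCR values, the part of a PCR policy that matters here."""
    return hashlib.sha256(b"".join(bank[i] for i in indices)).digest()


def seal(secret, bank):
    """Toy seal: key derived from the PCR composite, XOR keystream plus an HMAC tag."""
    assert len(secret) <= PCR_LEN
    key = hashlib.sha256(b"seal-key" + pcr_composite(bank, SEAL_PCRS)).digest()
    stream = hashlib.sha256(b"keystream" + key).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return {"ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}


def unseal(blob, bank):
    """Returns the secret only if the current PCR composite matches the one sealed to."""
    key = hashlib.sha256(b"seal-key" + pcr_composite(bank, SEAL_PCRS)).digest()
    tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = hashlib.sha256(b"keystream" + key).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def boot(bootblock_on_flash, acm_measures_ibb, implant_replays):
    """Simulate one boot and return the resulting PCR bank."""
    bank = new_pcr_bank()
    if acm_measures_ibb:
        # Hardware-rooted: the ACM hashes the IBB (bootblock) into PCR0 before it runs,
        # so a tampered bootblock cannot influence what lands in PCR0.
        extend(bank, 0, bootblock_on_flash)
    else:
        # Software-rooted: the bootblock does the first extend itself, so an implant
        # in it can simply replay the known-good measurement.
        extend(bank, 0, GOOD_BOOTBLOCK if implant_replays else bootblock_on_flash)
    # Everything after this runs under firmware the implant already controls, so a
    # replay just feeds the original inputs; these values match either way.
    for stage in COREBOOT_STAGES:
        extend(bank, 2, stage)
    for index, measurement in OTHER_MEASUREMENTS.items():
        extend(bank, index, measurement)
    return bank


def evil_maid_outcomes():
    """Seal a seed on a good boot, then try to unseal after an implanted bootblock replays."""
    seed = b"JBSWY3DPEHPK3PXP"  # constructed TOTP seed
    results = {}
    for acm in (False, True):
        good_bank = boot(GOOD_BOOTBLOCK, acm, implant_replays=False)
        blob = seal(seed, good_bank)
        honest = unseal(blob, boot(GOOD_BOOTBLOCK, acm, implant_replays=False))
        replayed = unseal(blob, boot(EVIL_BOOTBLOCK, acm, implant_replays=True))
        results[acm] = {"honest_unseals": honest == seed,
                        "replay_unseals": replayed == seed}
    return results


if __name__ == "__main__":
    for acm, outcome in evil_maid_outcomes().items():
        print(f"ACM measures IBB into PCR0: {acm} -> {outcome}")
```

The "replay" line is the attack the comment is about: with a software-rooted first extend the implant reproduces every PCR 0-4 value and the seed unseals, so the TOTP/HOTP code looks valid. With the ACM measuring the IBB first, PCR0 already holds the tampered bootblock's digest before the implant runs, and since extend only composes, the implant has no way to turn it back into the good value.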
@tlaurion thanks, I've fixed this in the article
TXT is the base for D-RTM and is possible on a neutered ME (Ivy/Sandy), which can be integrated with TrenchBoot and is at the PoC stage for the QubesOS next-gen AEM: https://forum.qubes-os.org/t/trenchboot-anti-evil-maid-for-qubes-os/16559/9 (read the comments there).
Sorry, I don't understand exactly what the mistake in the article is regarding this (and what you want corrected). I did add a link to TrenchBoot in the "Further Reading" section. This is the first I'm hearing about it, and I'm not quite sure what it solves that Heads does not (would be nice if they added this to their FAQ).
@maltfield well, it boils down to asking the ACM to redo fresh measurements on demand, since the ACM is almighty on the resume path.
Merge this with https://github.com/linuxboot/heads-wiki/issues/62 when updating the documentation.
That question was answered on slack/matrix here: https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$SDLnmO-F3ALUZKvlnW0TR8SY8nZlbFaR_8C7Hgygoxw?via=matrix.org&via=nitro.chat&via=talk.puri.sm :