mjg59 / tpmtotp

Use a TPM to store a TOTP token in order to attest boot state to another device
GNU General Public License v2.0

More flexible PCR handling #3

Closed N0T3P4D closed 8 years ago

N0T3P4D commented 8 years ago

Hi,

in order to work around some of the limitations (namely lack of kernel and initrd measurement) mentioned in the readme, Intel TXT could be used. With tboot [1], there exists a measured launch environment for Linux. This would require the secret to be sealed against the PCRs 17, 18 and 19.

An option would be to add a command line argument to sealtotp to specify a comma-separated list of PCRs used for sealing the secret. Additionally, specifying the PCR values used for sealing would be desirable to securely support kernel / initrd updates without having to perform an unverified boot.

If you find this agreeable or have suggestions, I'll (try to) implement it.

N0T3P4D

[1] http://sourceforge.net/projects/tboot/
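The list parsing proposed in the comment above, as an added example that is not part of the thread and not tpmtotp's own code: it turns a comma-separated PCR list into a TPM 1.2 style selection bitmap and rejects malformed input instead of sealing against a different set than requested. The function name `parse_pcr_list` and the exact option syntax are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NUM_PCRS 24                 /* TPM 1.2 PC client: PCRs 0..23 */
#define SELECT_BYTES (NUM_PCRS / 8)

/*
 * Parse a list such as "17,18,19" (assumed option syntax) into a
 * selection bitmap where PCR n is bit (n % 8) of byte (n / 8).
 * Returns the number of PCRs selected, or -1 on any malformed input;
 * the bitmap contents are only meaningful when the result is > 0.
 */
int parse_pcr_list(const char *arg, uint8_t sel[SELECT_BYTES])
{
    const char *p = arg;
    int count = 0;

    memset(sel, 0, SELECT_BYTES);
    if (arg == NULL || *arg == '\0')
        return -1;

    for (;;) {
        char *end;
        long n;

        /* strtol accepts leading spaces and signs; insist on a digit */
        if (*p < '0' || *p > '9')
            return -1;
        errno = 0;
        n = strtol(p, &end, 10);
        if (errno != 0 || n < 0 || n >= NUM_PCRS)
            return -1;
        if (sel[n / 8] & (1u << (n % 8)))
            return -1;                      /* duplicate entry */
        sel[n / 8] |= (uint8_t)(1u << (n % 8));
        count++;

        if (*end == '\0')
            return count;
        if (*end != ',')
            return -1;                      /* trailing junk, e.g. "17x" */
        p = end + 1;                        /* "17," fails the digit check */
    }
}
```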

mjg59 commented 8 years ago

That sounds like a good idea, and I'm happy to merge it if you send me a patch!

haraldh commented 8 years ago

Your grub patches do:

```
include/grub/tpm.h:#define GRUB_KERNEL_PCR 10
include/grub/tpm.h:#define GRUB_INITRD_PCR 11
include/grub/tpm.h:#define GRUB_CMDLINE_PCR 12
include/grub/tpm.h:#define GRUB_COMMAND_PCR 13
```

... why not add these to your sealing?

mjg59 commented 8 years ago

@haraldh Because these aren't fully standardised yet. 10 is certainly going to have to change, since it's used as the default IMA PCR.

mjg59 commented 8 years ago

Merged https://github.com/mjg59/tpmtotp/pull/6 which implements this