From: Mimi Z. <zo...@li...> - 2014-01-14 20:21:33
On Tue, 2014-01-14 at 19:30 +0100, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 14.01.2014 16:59, Peter Jones wrote:
> > PCR, as well as having grub2 do so for its config, the kernel, and any
> > initramfses to be loaded. Doing so on a UEFI machine isn't a particularly
> > difficult change to grub2 - but you may face the same political
> > problems. It's probably worth asking Vladimir Serbinenko, who I've
> > Cced, as he's the upstream maintainer of grub2.
> GRUB2 has RSA/DSA gnupg signature checking. Currently in mainstream it
> supports only detached GPG signatures but I have a branch where I work
> on PE signatures (phcoder/file_types). For me we could use either. In
> the same branch I also work on implementing partial checks (check only
> files needed to satisfy EFI stuff). This approach gives similar (if not
> better) security guarantees (unless rollback is a problem, usually it's
> not and preventing it prevents normal activity as backup restore as
> well) but has no political problems. The only part which may be
> politically problematic is enforcing this check depending on EFI
> variables but this would be a tiny patch remaining. Another advantage of
> this approach is easy integration with coreboot (just use GRUB2 as
> payload) I didn't finish this approach yet. Missing parts are file types
> (I still wait for answer from Peter Jones as to which files need to be
> checked) and PE signatures (WIP).

Thanks for responding! In order to verify the signatures, you're
already calculating file hashes. Would it be possible to also extend
the TPM with these hashes and add them to the measurement list?

thanks,

Mimi
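The idea raised in this message, extending a PCR with each file hash and recording the same hash in a measurement list, shown as an added example that is not from the thread or from GRUB2. It assumes a TPM 1.2-style SHA-1 extend simulated in software; the class and function names are hypothetical and the file names and contents are constructed.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length, as used by TPM 1.2 PCRs


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend operation: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


class BootMeasurer:
    """Simulated loader (hypothetical): hash each file once, then feed
    that one hash to both the PCR and the measurement list."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)  # a PCR is all zeros after reset
        self.log = []               # measurement list: (name, digest), load order

    def measure(self, name: str, content: bytes) -> bytes:
        # Assumption: this stands in for the file hash already computed
        # while checking the file's signature.
        digest = hashlib.sha1(content).digest()
        self.pcr = extend(self.pcr, digest)
        self.log.append((name, digest))
        return digest


def replay(log) -> bytes:
    """Verifier side: recompute the PCR value implied by a measurement list."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def log_matches_pcr(log, pcr_value: bytes) -> bool:
    """A list is trustworthy only if replaying it reproduces the PCR."""
    return replay(log) == pcr_value


def build_sample() -> BootMeasurer:
    # Constructed sample files, in the order a loader would read them.
    files = [("grub.cfg", b"set default=0\n"),
             ("vmlinuz", b"constructed kernel image"),
             ("initramfs.img", b"constructed initramfs")]
    m = BootMeasurer()
    for name, content in files:
        m.measure(name, content)
    return m
```

Because the PCR can only be extended, never set, an edited, reordered or truncated measurement list no longer replays to the value the TPM holds.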