tboot

Tboot

This module is a modification of the version of tboot-20101005 found at http://sf.net/projects/tboot. It has been modified to support the 2.6.18 kernel, although some features such as suspend are not available.

This module is used to ensure that the kernel and initial ram disk (initrd) have not been tampered with since the policies that it uses were created. In conjunction with the SINIT modules provided by Intel, which are ued to verify that tboot itself has not been tampered, with, it will provide a chain of trust from the TPM hardware (where the polices are safe stored) through tboot, and the kernel (utilizing the IMA modifications to the 2.6.18 kernel) to the individual programs via the IMA measurements and golden values stored on the attestation server.

This module also has a modification to clear the e820 table on shutdown. This is required by some accrediting agencies before system accreditation can be granted.

Although tboot is a separate module, it will not function as intended with the LCP_Update [Client Registration] program to build the polices that it enforces. It also requires the appropriate SINIT modules from Intel. They can be downloaded from http://software.intel.com/en-us/articles/intel-trusted-execution-technology.

A more detailed discussion of tboot and its usage is provided inside the source rpm at the top level README file.

Although the SAMSON modules are in general released under an MIT license, tboot retains its original BSD license from Intel.