From: Olga G. <ol...@gm...> - 2010-10-05 12:29:39
Hi Marcel,

Ok, that makes a lot more sense now! Thank you so much for the explanation. If I figure out why my "manual" kernel install (as opposed to a package install) didn't work, I will post the results to this list. It might be useful for everyone to know.

Thanks,
Olga

On Tue, Oct 5, 2010 at 5:15 AM, Marcel Selhorst <m.s...@si...> wrote:
> Hi Olga,
>
> > So I downloaded a .deb package for the 2.6.34.1-blackjack kernel and
> > installed it using dpkg. That booted with no problems with TrustedGrub!
> > Apparently, if you use the package manager, then the new kernel installs
> > and boots fine.
>
> Great!
>
> > I guess there was something wrong with my manual
> > install.
>
> Hmm, maybe, hard for me to reproduce that from here ;)
>
> > Actually, that brings up another question. I guess, I am not quite sure
> > what is going on behind the scenes in TrustedGrub. Why is it that if you
> > upgrade the kernel, the new kernel image and initrd hashes are instantly
> > verified?
>
> No, they are not verified, they are simply "measured", which means that
> the content of your PCR-12 and PCR-14 reflects the booted kernel / initrd.
> If you exchange the kernel, these PCRs will be different.
> If you, for example, seal something (like a HDD encryption key) to these
> PCRs, then you won't be able to unseal the data due to the exchanged kernel.
>
> The only way you can use TrustedGRUB to verify your kernel is if you use
> the checkfile()-functionality. There you have to add the file(s) you want
> to verify along with a reference value into a file and add the checkfile
> command to the menu.lst.
> This feature is nice if you want to verify arbitrary files, for example
> your shadow / passwd-files / modules / whatever. For example:
>
> # cat /boot/checkfile-2.6.35.1
> a667bb647e6b5491e9a9797333dbc88ba9082aa9 (hd0,0)/etc/passwd
> 05b105697bb997e4db516b92201d541f5710a72f (hd0,0)/etc/shadow
>
> # cat /boot/grub/menu.lst
> title=Gentoo Linux 64-Bit 2.6.35.1
> checkfile=(hd0,0)/boot/checkfile-2.6.35.1
> kernel=(hd0,0)/boot/vmlinuz-2.6.35.1
>
> TrustedGRUB will load these files from disk, measure them, extend them into
> PCR-13 and will verify the calculated hash against the hash stored in the
> checkfile.
>
> Best regards,
> Marcel
> --
> Sirrix AG security technologies -- http://www.sirrix.com
> Dipl.-Ing. Marcel Selhorst eMail: m.s...@si...
> Tel: +49 (234) 610071-126 Fax: +49 (234) 610071-526
> Tel: +49 (681) 95986-126 Fax: +49 (681) 95986-526
> Get my public key from keyserver, KeyId: 0x7C9821CC
> Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC
>
> Executive Board: Ammar Alkassar (Chairman), Christian Stueble
> Chairman of the Supervisory Board: Prof. Dr. Kai Rannenberg
> Registered office: Homburg/Saar, HRB 3857, Saarbruecken District Court
>
> This message may contain confidential and/or privileged information.
> If you are not the addressee, you must not use, copy, disclose or
> take any action based on this message or any information herein.
> If you have received this message in error, please advise the sender
> immediately by reply e-mail and delete this message.
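
Added example, not part of the original thread and not TrustedGRUB code: a Python sketch of the measure-versus-verify distinction described in the quoted reply, using the TPM 1.2 extend rule and the checkfile line format shown above. The function names, the in-memory `files` map standing in for the boot disk, and the sample file contents are assumptions; the thread does not say what TrustedGRUB does on a mismatch, so the sketch only reports it.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || measurement digest)."""
    return hashlib.sha1(pcr + digest).digest()

def parse_checkfile(text: str):
    """Yield (reference digest, GRUB path) from '<sha1-hex> (hdX,Y)/path' lines."""
    for n, line in enumerate(text.splitlines(), 1):
        ref, _, path = line.strip().partition(" ")
        if not ref:
            continue  # blank line
        path = path.strip()
        if len(ref) != 40 or not path.startswith("("):
            raise ValueError(f"line {n}: malformed checkfile entry")
        yield bytes.fromhex(ref), path  # ValueError if not hex

def run_checkfile(text: str, files: dict, pcr13: bytes = bytes(PCR_SIZE)):
    """Measure each listed file into PCR-13, then compare with its reference.

    `files` maps GRUB paths to contents (assumed stand-in for the boot disk).
    Returns (final PCR-13 value, paths whose hash did not match).
    """
    mismatches = []
    for ref, path in parse_checkfile(text):
        digest = hashlib.sha1(files[path]).digest()
        pcr13 = extend(pcr13, digest)  # measuring: recorded whatever the content
        if digest != ref:              # verifying: compared with a known-good value
            mismatches.append(path)
    return pcr13, mismatches

def demo():
    # Constructed sample contents, not real system files.
    good = {"(hd0,0)/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "(hd0,0)/etc/shadow": b"root:!:14887:0:99999:7:::\n"}
    checkfile = "".join(f"{hashlib.sha1(d).hexdigest()} {p}\n" for p, d in good.items())
    changed = dict(good)
    changed["(hd0,0)/etc/passwd"] += b"# modified\n"
    return run_checkfile(checkfile, good), run_checkfile(checkfile, changed)

if __name__ == "__main__":
    for pcr, bad in demo():
        print(pcr.hex(), "mismatch:", bad or "none")
```

In both runs PCR-13 ends up with a value, which is all that measuring provides; only the comparison against the checkfile reference says which file changed.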