Re: Some Ideas about booting security

[Marco Gerards]

paradox <address@hidden> writes:

Hi,

>    I am a EE Dr. in trust computing.Our researching
> group has modified the grub 0.95 stage 1.5 code to add
> functions of Authentication and kernel and initrd's
> integrity check (use md5 digest algorithm and an usb
> security key),buy it is only a toy.
>
>    I has some ideas on booting security, and want to
> try them in grub2. here is a simple introduce:
>   
>     first, about trust chains in trust machine. a
> trust computing machine should has a trust chains from
> power on to the system envirment.in the trust chains,
> MBR Data should be checked by trust machine, in the
> MBR, grub should make a bios call, let trust bios
> check the stage 2's data in the partition header. then
> grub stage2 should check the integrity of the modules,
> kernels, initrds, and config file. it is only for
> business systems, but sb need it badly.

Isn't this something Intel focusses on by using EFI?

>     second, about priviledge control of grub 2. we can
> assume there has serveal people using a machine with
> serveal system, i.e., developing system, testing
> system, working system, and a windows system.perhaps
> one will only be permitted to booting one or two
> systems,for example, only system administrator can use
> a cdrom to booting the system. we can add a login and
> passwd check interface in the beginning of the stage
> 2, give the different user the different booting
> selection.can we build a mod to do this?

There is not stage 2 anymore in GRUB 2.  Perhaps you can put this in
an initialization routine in some GRUB 2 module.  Or even better in
the script grub.cfg.  Please keep in mind that GRUB 2 is GPL'ed so
anything that links to it, including modules, should be GPL'ed as
well.  Another thing you should know is that the interfaces of GRUB 2
are not fixed.

>     third , about Copyrights. I don't think GPL is the
> best choice for opensources, but we still need it. in
> my opinion,the best public license should give a
> public standard, allowing everyone use it for everying
> except new non_public standard. So I want split  my 
> work to two part, one part is on GPL, make interfaces
> with the protection of GPL, the other part is
> independent and totally free. Is it a good idea?

What does the license have to do with copyright?  GRUB 2 will remain
copyrighted by the FSF.  And I am not sure what you mean with
opensources, what are you referring to?  GRUB is is not open source.

What do you mean with public standard?  GRUB 2 is software.

I am not sure what you are heading to with that last part.  The GPL is
completely free *and* it protects your freedoms.  What else can you
wish for?  As I explained above, all code linked to GRUB 2 should be
GPL'ed.  But because I am not a lawyer, you can better contact one to
be sure.

>    Last is a question: Is there anyone try to booting
> grub2 on mips ?

Not yet, but I assume it will be quite easy to port GRUB 2.  Which
MIPS based machine did you have in mind?

--
Marco