grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TPM chip and Grub bootloader


From: Patrick Georgi
Subject: Re: TPM chip and Grub bootloader
Date: Fri, 25 May 2007 11:06:49 +0200
User-agent: Thunderbird 2.0b2 (X11/20070411)

Robert Millan schrieb:
On Thu, May 24, 2007 at 01:41:31AM -0700, karmo wrote:
hi
i want to program Grub to use the TPM chip to load certified Operating
System (like windows or redhat, it doesn't matter....but perhaps i will use
a redhat versione).
can you give me documents about how to do this?

Is that related to Digital Restriction Management?  (just curious)
The TPM trust chain has multiple uses, somewhat related to each other:
1. bind executables to a system state (as defined by a hash over BIOS image, boot loader, kernel, a set of drivers, ...)
2. bind the keystore in the TPM chip to that system state

As so often, it can be used for, and against the user. Binding certain data to a machine (eg. certificates) and making it non-trivial to get at them. The bad side is that the system state lock means some kind of lock-in (read your encrypted data on two different systems on the same machine? well, they lead to different system states, so the keys you need aren't available).

it also didn't help in the early state of TPM, that some media industry chills "proposed" lots of "extensions" to the basic TPM model that would make a media player intrusion proof (right in front of the press that took their wet dreams at face value and part of the specs), and that some misleading and downright wrong papers by opponents (the infamous "tcpa faq") became popular.


Patrick Georgi





reply via email to

[Prev in Thread] Current Thread [Next in Thread]