Secure Boot

Jan Dušátko jan at dusatko.org
Sun Jan 15 07:30:54 UTC 2017


On 15.1.2017 at 3:38, Simon J. Gerraty wrote:
> Johannes Lundberg <johalun0 at gmail.com> wrote:
>> https://wiki.freebsd.org/SecureBoot
>>
> Interested in this too - though for proprietary systems where we have
> control over BIOS.  The design should hopefully accommodate both.
>
> In particular any plan for how the loader would verify kernel and any
> pre-loaded modules, and kernel verify init.
> Hopefully allowing for regular update of signing keys.
>
To work correctly, there are requirements to use TPM 1.2, a hard disk
drive supporting the Opal 2.1 standard and Intel TXT. Shim is only part of
secure boot, because it can be easily defeated without the rest.

https://www.kernel.org/doc/Documentation/intel_txt.txt
https://software.intel.com/en-us/blogs/2012/09/25/how-to-enable-an-intel-trusted-execution-technology-capable-server
http://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf
http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf
http://www.intel.com/technology/security/downloads/arch-overview.pdf
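To make the point about Shim versus the TPM concrete, here is an added toy model (not code from this thread or from FreeBSD) of TPM 1.2-style measured boot: each stage extends a SHA-1 PCR with the digest of the next stage before handing over, so the final register reflects every component that actually ran, and a secret sealed to the known-good value is released only for that chain. The stage contents, the sealed secret and the equality-check "unseal" are constructed stand-ins for real binaries and real TPM sealing.

```python
"""Toy model of TPM 1.2 measured boot (constructed example, not FreeBSD code).

A signature check in the loader or Shim answers "is this file signed?"; the
PCR chain additionally records *which* loader, kernel, modules and init ran,
in which order, and lets a secret be bound to exactly that sequence.
"""
import hashlib
from typing import List, Optional

# TPM 1.2 PCRs are 20-byte SHA-1 registers that start at all zeros.
PCR_INIT = b"\x00" * 20


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = SHA1(PCR_old || SHA1(component)), the TPM 1.2 extend rule."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(stages: List[bytes]) -> bytes:
    """Measure loader, kernel, pre-loaded modules and init, in boot order."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


def unseal(expected_pcr: bytes, actual_pcr: bytes, secret: bytes) -> Optional[bytes]:
    """Model of TPM sealing: the secret is released only if the PCR matches."""
    return secret if expected_pcr == actual_pcr else None


# Constructed sample boot chain; the byte strings stand in for real binaries.
GOOD_CHAIN = [b"loader.efi v1", b"kernel v11", b"module if_em.ko", b"/sbin/init"]
SEALED_SECRET = b"disk-encryption-key"  # what a policy might seal to the PCRs


def boot(stages: List[bytes]) -> Optional[bytes]:
    """Return the sealed secret only if the measured chain is the known-good one."""
    expected = measure_chain(GOOD_CHAIN)
    return unseal(expected, measure_chain(stages), SEALED_SECRET)


def tampered_chain() -> List[bytes]:
    """Same chain with a modified kernel: even if a signature check were
    skipped or defeated, the measurement no longer matches."""
    chain = list(GOOD_CHAIN)
    chain[1] = b"kernel v11 (modified)"
    return chain


if __name__ == "__main__":
    print("good boot    :", boot(GOOD_CHAIN))
    print("tampered boot:", boot(tampered_chain()))
```

The flip side is the update question raised in the quoted mail: every legitimate kernel or module update changes the PCR, so anything sealed to it must be re-sealed as part of the update process, which is the operational cost of measuring rather than only signing.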