FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 06-22-2011, 07:01 PM
"Jon Ciesla"
 
Default Trusted Boot in Fedora

> http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed
> feature for F16. We've traditionally had a hard objection to the
> functionality because it required either the distribution or downloading
> of binary code that ran on the host CPU, but it seems that there'll
> shortly be systems that incorporate the appropriate sinit blob in their
> BIOS, which is a boundary we've traditionally been fine with.
>
> However, this is the kind of feature that has a pretty significant
> impact on the distribution as a whole. Fesco decided that we should
> probably have a broader discussion about the topic. The most obvious
> issues are finding a sensible way to incorporate this into Anaconda, but
> it's also then necessary to make sure that bootloader configuration is
> updated appropriately.
>
> Outside that, is there any other impact? Does tboot perform any
> verification of the kernels, and if so how is that configured? Is the
> expectation that an install configured with TXT will only boot trusted
> kernels, and if so what mechanism is used to verify the kernel? Is there
> any further integration work that has to be performed for this to be
> useful?

If so, is there a mechanism to disable that functionality, or mark a
kernel as trusted, so that I could, for example, run a kernel I built
myself or one from another RPM?

-J

> --
> Matthew Garrett | mjg59@srcf.ucam.org
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>


--
in your fear, seek only peace
in your fear, seek only love

-d. bowie

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-22-2011, 07:02 PM
Matthew Garrett
 
Default Trusted Boot in Fedora

http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed
feature for F16. We've traditionally had a hard objection to the
functionality because it required either the distribution or downloading
of binary code that ran on the host CPU, but it seems that there'll
shortly be systems that incorporate the appropriate sinit blob in their
BIOS, which is a boundary we've traditionally been fine with.

However, this is the kind of feature that has a pretty significant
impact on the distribution as a whole. Fesco decided that we should
probably have a broader discussion about the topic. The most obvious
issues are finding a sensible way to incorporate this into Anaconda, but
it's also then necessary to make sure that bootloader configuration is
updated appropriately.

Outside that, is there any other impact? Does tboot perform any
verification of the kernels, and if so how is that configured? Is the
expectation that an install configured with TXT will only boot trusted
kernels, and if so what mechanism is used to verify the kernel? Is there
any further integration work that has to be performed for this to be
useful?

--
Matthew Garrett | mjg59@srcf.ucam.org
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-22-2011, 07:20 PM
seth vidal
 
Default Trusted Boot in Fedora

On Wed, 2011-06-22 at 20:02 +0100, Matthew Garrett wrote:
> http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed
> feature for F16. We've traditionally had a hard objection to the
> functionality because it required either the distribution or downloading
> of binary code that ran on the host CPU, but it seems that there'll
> shortly be systems that incorporate the appropriate sinit blob in their
> BIOS, which is a boundary we've traditionally been fine with.
>
> However, this is the kind of feature that has a pretty significant
> impact on the distribution as a whole. Fesco decided that we should
> probably have a broader discussion about the topic. The most obvious
> issues are finding a sensible way to incorporate this into Anaconda, but
> it's also then necessary to make sure that bootloader configuration is
> updated appropriately.
>
> Outside that, is there any other impact? Does tboot perform any
> verification of the kernels, and if so how is that configured? Is the
> expectation that an install configured with TXT will only boot trusted
> kernels, and if so what mechanism is used to verify the kernel? Is there
> any further integration work that has to be performed for this to be
> useful?
>

Are we going to continue the double grub entries? while I realize that
tboot SHOULD allow non TXT hw to boot properly I also realize that any
differences will be pointed to as a point of contention when debugging
semirelated problems. so it seems like the double entries are wise.

Additionally, is the grub modifyication implemented in grubby and does
this behave properly on a yum update of the kernel?

-sv


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-22-2011, 07:24 PM
Simo Sorce
 
Default Trusted Boot in Fedora

On Wed, 2011-06-22 at 14:01 -0500, Jon Ciesla wrote:
> > http://fedoraproject.org/wiki/Features/Trusted_Boot is a proposed
> > feature for F16. We've traditionally had a hard objection to the
> > functionality because it required either the distribution or downloading
> > of binary code that ran on the host CPU, but it seems that there'll
> > shortly be systems that incorporate the appropriate sinit blob in their
> > BIOS, which is a boundary we've traditionally been fine with.
> >
> > However, this is the kind of feature that has a pretty significant
> > impact on the distribution as a whole. Fesco decided that we should
> > probably have a broader discussion about the topic. The most obvious
> > issues are finding a sensible way to incorporate this into Anaconda, but
> > it's also then necessary to make sure that bootloader configuration is
> > updated appropriately.
> >
> > Outside that, is there any other impact? Does tboot perform any
> > verification of the kernels, and if so how is that configured? Is the
> > expectation that an install configured with TXT will only boot trusted
> > kernels, and if so what mechanism is used to verify the kernel? Is there
> > any further integration work that has to be performed for this to be
> > useful?
>
> If so, is there a mechanism to disable that functionality, or mark a
> kernel as trusted, so that I could, for example, run a kernel I built
> myself or one from another RPM?

I would say that if this feature prevents users from creating their own
trusted kernels we shouldn't probably care supporting it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 03:45 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org