[PATCH 1/2] Add support for GPG signature enforcement on booted

Timothy Pearson tpearson at raptorengineering.com
Wed Aug 3 13:20:55 AEST 2016

On 08/02/2016 09:32 AM, Nayna wrote:
> Hi,
> Yes, Thanks Sam for bringing it up.
> And it is good to know people's interest in secure boot.
> My work currently covers more of particular aspect of trusted boot at
> petitboot level.

I need to be extremely clear that we are *only* interested in secure /
trusted boot *iff* we retain full, absolute control of the root of trust
on each machine.  We have no way to use e.g. Intel's "boot guard" system
where Intel retains control of the root of trust at all times, and in
fact we have specifically avoided all such hardware due to the severe
security concerns associated with these centralised security models.

From what I understand of OpenPOWER, implementing a fully secure boot
process should be achievable by allowing the owner key to be stored on
the CPU using special hardware (e.g. changing a switch on the mainboard
while the machine is powered off to enable key storage mode).
Furthermore, key update must be achievable by a method that does NOT
require vendor intervention, signing, or provide any ability for the
vendor to re-issue a different root of trust for that particular machine
through a back-door mechanism -- this immediately rules out schemes
where a customer intermediate key is signed by the vendor under license.

Let's make sure we keep OpenPOWER open, while still allowing the machine
owner to achieve a signed, secure, exclusive boot of software
pre-authorised by that owner.


Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
