[PATCH 1/3] [V5] Add support for GPG signature enforcement on booted

Timothy Pearson tpearson at raptorengineering.com
Thu Aug 25 01:54:24 AEST 2016


On 08/23/2016 07:40 PM, Samuel Mendoza-Jonas wrote:
> Hi! Excuse me not following up, got caught up putting out some other
> fires :)

No problem, it happens.

> I'm pretty happy to merge this I think. I've tested with buildroot with
> only a moderate amount of hair-pulling, and everything acts as expected.
> One, maybe two nitpicks, but I can handle those myself when I merge,
> being:
> - I'll change --with-signed-boot to default=no

OK.

> - I might add a comment to a file or commit message to stress that it's
> probably best to hold off using the word 'secure' too much unless this
> is used in conjunction with a proper trusted-boot implementation so that
> you can trust the integrity of the initramfs. If you like I can send
> that to you to bikeshed as well :)

Yeah, this is probably a true statement.  Essentially the entire
contents of NOR flash, including petitboot, become the CRTM.  While this
is definitely more secure than the existing boot methods (and in line
with some commercial x86 offerings) I wouldn't call it complete until
the TPM is being used and the CRTM is as small as possible, preferably
in the first 4K of Flash (write protected) or, even better, in the
on-die nonvolatile memory for OpenPOWER systems.  Not sure if that's
even possible at this time, but it would definitely be interesting.

Thanks!

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com