[LinuxBIOS] [RFC] Call for Action: LinuxBIOS foundations
echelon at free.fr
echelon at free.fr
Wed Aug 29 13:14:55 CEST 2007
Quoting Stefan Reinauer <stepan at coresystems.de>:
> The opposite is the case. LinuxBIOS is the _only_ chance out there that
> allows controlling the restrictions. It does not restrict the vendor in
> controlling the "bootblock" -- Since there is no such thing as the
> bootblock in LinuxBIOSv2, I wonder what the technical meaning of that
> part of the specification is supposed to be.
The boot block is the "core root of trust for measurements", i.e. it is
supposed to do integrity measurement on the next module in the bootchain (that
would be LinuxBIOS in this scheme..). This "measurement" (an integrity hash like
SHA1) would be stored in one of the protected registers of the TPM. Now a
question arises : would the "bootblock" transfer the control to LinuxBIOS if the
hash does not match a value "hardwired" by the manufacturer? (the decision will
be taken by the CRTM (the bootblock) not by the TPM which is (for the moment)
passive)
Indeed, I agree, this scheme does not preclude the use of LinuxBIOS .. as a
step 2 into the boot chain, but what will happen when one will need to
upgrade/update the installed version of LinuxBIOS? In other words, no one other
that the manufacturer will be able to install LinuxBIOS and IMHO we will
unfortunately lose a great advantage of LinuxBIOS which is his
flexibility/customizability..
Florentin
More information about the coreboot
mailing list