grub-devel

Re: A _good_ and valid use for TPM


From: Robert Millan
Subject: Re: A _good_ and valid use for TPM
Date: Sat, 21 Feb 2009 14:46:07 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

On Fri, Feb 20, 2009 at 03:03:04AM +0200, Alex Besogonov wrote:
> On Fri, Feb 20, 2009 at 2:29 AM, Jan Alsenz <address@hidden> wrote:
> [skip]
> >        The TPM can prove to another party that the PCRs have certain
> > values (of course the communication needs to be established by normal
> > software running on the machine)
> Yes, I'm trying to do remote attestation.

You're confusing things.  I think you simply want to ensure data integrity, and
the TPM doesn't even do that: it simply puts the problem in the hands of a third
party.

"remote attestation" is only useful when you want to coerce others into
running your (generally proprietary) software.  I hope this is not what you
want to do.

> >> First, I don't think it's possible to implement SHA-1 hashing in MBR -
> >> there's probably just not enough space left in 512-byte code segment
> >> for that.
> > I am very sure of that.
> Well, I spoke to phcoder on Jabber - there might be a way to do this.
> He's going to investigate it.

This is unnecessary.  Once GRUB supports crypto, it can simply load
itself from an encrypted filesystem on disk.  An image can be of
arbitrary size.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."



