[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Support for TPM measurements on UEFI systems

From: Matthew Garrett
Subject: Re: Support for TPM measurements on UEFI systems
Date: Mon, 6 Feb 2017 16:43:38 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko wrote:
> See verify.h for the interface. Obviously if you need changes in the API,
> please say.

I think that's a starting point, but it doesn't seem sufficient for some 
of the cases I care about. For instance, measuring boot state isn't just 
about the files that are read - we also need to measure the commands 
that grub runs and the command line passed to the kernel, for instance. 
Ideally we'd also have more context available in order to make a better 
decision about which PCR to measure something into, but I can't think of 
a good way to do that simply by hooking open. That also seems to make it 
difficult to implement a handler that should only be verifying some 
objects - for instance, a UEFI secure boot handler only wants to verify 
the kernel (or something that's chainloaded) and ignore everything else.

Matthew Garrett | address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]