
Re: Support for TPM measurements on UEFI systems

From: Vladimir 'phcoder' Serbinenko
Subject: Re: Support for TPM measurements on UEFI systems
Date: Mon, 06 Feb 2017 19:58:37 +0000

On Mon, 6 Feb 2017, 17:44 Matthew Garrett <address@hidden> wrote:
> On Sun, Feb 05, 2017 at 01:28:20PM +0000, Vladimir 'phcoder' Serbinenko wrote:
> > See verify.h for the interface. Obviously if you need changes in the API,
> > please say.
>
> I think that's a starting point, but it doesn't seem sufficient for some
> of the cases I care about. For instance, measuring boot state isn't just
> about the files that are read - we also need to measure the commands
> that grub runs and the command line passed to the kernel, for instance.

Those can be added as separate non-file verification hooks if they are needed.

> Ideally we'd also have more context available in order to make a better
> decision about which PCR to measure something into, but I can't think of
> a good way to do that simply by hooking open. That also seems to make it
> difficult to implement a handler that should only be verifying some
> objects - for instance, a UEFI secure boot handler only wants to verify
> the kernel (or something that's chainloaded) and ignore everything else.

This branch adds an additional parameter to open that indicates what the file will be used for (kernel, initrd, ...). In which cases doesn't it provide enough context?

Matthew Garrett | address@hidden
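The design the two replies are discussing, shown as an added illustration in Python rather than as code from GRUB or from either poster: a verification hook that is told what kind of object it is handed (kernel, initrd, module, config) and, alongside it, non-file hooks for commands grub runs and for the kernel command line; the kind is what lets the hook pick a PCR and lets a secure-boot-style handler ignore everything that is not a kernel or chainloaded image. The hook names, the `ObjType` labels, the PCR numbers and the software stand-in for the TPM are assumptions of the example, and all inputs are constructed.

```python
"""Toy model of the hook design from the thread: a verifier receives the
object's kind and uses that context to decide whether to act and which PCR
to extend.  Added illustration, not GRUB code; hook names, ObjType labels
and PCR assignments are assumptions made for this example."""
import hashlib
from enum import Enum

PCR_COUNT = 24
DIGEST_LEN = 32


class ObjType(Enum):
    KERNEL = "kernel"
    CHAINLOAD = "chainload"  # another bootloader/EFI binary being handed control
    INITRD = "initrd"
    MODULE = "module"
    CONFIG = "config"
    COMMAND = "command"      # a command grub executes (not a file)
    CMDLINE = "cmdline"      # the command line passed to the kernel (not a file)


# Assumed PCR assignment for the example: files in one PCR, non-file events in another.
PCR_FOR = {
    ObjType.KERNEL: 9, ObjType.CHAINLOAD: 9, ObjType.INITRD: 9,
    ObjType.MODULE: 9, ObjType.CONFIG: 9,
    ObjType.COMMAND: 8, ObjType.CMDLINE: 8,
}


class Tpm:
    """Software stand-in for a TPM's SHA-256 PCR bank plus its event log."""

    def __init__(self):
        self.pcrs = [bytes(DIGEST_LEN) for _ in range(PCR_COUNT)]
        self.log = []  # (pcr index, digest, description)

    def extend(self, index, digest, description):
        # PCR_Extend semantics: PCR_new = H(PCR_old || digest); order matters.
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        self.log.append((index, digest, description))


def replay(log):
    """Recompute PCR values from an event log; an attester checks that this
    matches the quoted PCRs before trusting the log's description of the boot."""
    pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT
    for index, digest, _ in log:
        pcrs[index] = hashlib.sha256(pcrs[index] + digest).digest()
    return pcrs


def measure_hook(tpm, kind, data, description):
    """Measurement hook: the kind parameter (the 'what is this for' context
    proposed in the thread) selects the PCR.  Returns the PCR index used."""
    digest = hashlib.sha256(data).digest()
    index = PCR_FOR[kind]
    tpm.extend(index, digest, description)
    return index


def secure_boot_hook(kind, data, allowed_digests):
    """Handler that only verifies the kernel or a chainloaded image and
    ignores every other kind; returns True when the object may be used."""
    if kind not in (ObjType.KERNEL, ObjType.CHAINLOAD):
        return True  # not this handler's concern
    return hashlib.sha256(data).hexdigest() in allowed_digests


def simulate_boot(cmdline=b"root=/dev/sda1 ro"):
    """Constructed boot sequence: config, command, kernel, command line, initrd."""
    tpm = Tpm()
    measure_hook(tpm, ObjType.CONFIG, b"set default=0\nlinux /vmlinuz\n", "/boot/grub/grub.cfg")
    measure_hook(tpm, ObjType.COMMAND, b"linux /vmlinuz " + cmdline, "command executed")
    measure_hook(tpm, ObjType.KERNEL, b"constructed kernel image bytes", "/vmlinuz")
    measure_hook(tpm, ObjType.CMDLINE, cmdline, "kernel command line")
    measure_hook(tpm, ObjType.INITRD, b"constructed initrd bytes", "/initrd.img")
    return tpm


if __name__ == "__main__":
    t = simulate_boot()
    for index, digest, desc in t.log:
        print(f"PCR{index:<3} {digest.hex()}  {desc}")
    print("replay matches:", replay(t.log) == t.pcrs)
```

Because the command line and the executed command land in a different PCR from the file contents, changing only `init=` on the kernel command line alters PCR 8 while PCR 9 stays identical; an attester can therefore tell "same kernel, different parameters" apart from "different kernel", which is the extra context the thread is after.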

Grub-devel mailing list
