
Re: Support for TPM measurements on UEFI systems

From: Matthew Garrett
Subject: Re: Support for TPM measurements on UEFI systems
Date: Mon, 6 Feb 2017 22:04:59 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Feb 06, 2017 at 09:53:57AM -0800, Jon McCune wrote:

> I'm not sure about measuring the commands that GRUB runs. GRUB's config
> file is a shell-like language, and measuring that file should give a pretty
> good indication of its behavior. In the grey area between "what is code?"
> and "what is data?", making the case that grub.cfg is code seems feasible,
> which greatly simplifies the work of whatever verifies attestations or
> binds/seals data. Although, implementations for these two don't really seem
> to be in conflict so maybe GRUB could be configured one way or the other.

I'm concerned that the language gives enough flexibility that we don't 
know that for sure - for instance, if a regularly used command is 
vulnerable to a buffer overflow, there's no way to determine whether 
that occurred. Measuring each command before it's executed gives us some 
further assurance in that respect. Calculating the expected values is 
still pretty easy, and if they're logged then you can have a regex-based 
engine for remote validation.

Matthew Garrett | address@hidden
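A small remote verifier for the scheme described above, added here as an illustration and not code from GRUB or from anyone in the thread: it replays a constructed log of measured GRUB commands into a simulated SHA-256 PCR and checks every command against an allow-list of regular expressions, so a quoted PCR value can be validated without enumerating every acceptable grub.cfg. The log layout, the command patterns and the PCR-extend convention are assumptions.

```python
import hashlib
import re

# Constructed sample event log: one entry per GRUB command, in the order each
# command was measured before execution (assumed layout, not GRUB's real log).
SAMPLE_LOG = [
    "set default=0",
    "set timeout=5",
    "linux /vmlinuz-4.9 root=/dev/sda2 ro quiet",
    "initrd /initrd.img-4.9",
    "boot",
]

# Allow-list a verifier accepts: one pattern per command class it expects.
# Anything outside these patterns (extra options, unknown commands) is rejected.
ALLOWED = [
    re.compile(r"set (default|timeout)=\d+"),
    re.compile(r"linux /vmlinuz-[\w.\-]+ root=/dev/sd[a-z]\d+ ro( quiet)?"),
    re.compile(r"initrd /initrd\.img-[\w.\-]+"),
    re.compile(r"boot"),
]

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Simulated TPM PCR extend in a SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay(log):
    """Replay the log from an all-zero PCR; returns the expected final value."""
    pcr = bytes(32)
    for cmd in log:
        pcr = extend(pcr, cmd.encode())
    return pcr

def validate(log, quoted_pcr):
    """Return (ok, reason). Every command must fully match an allowed pattern,
    and the replayed log must reproduce the PCR value the TPM quoted, which
    ties the human-readable log to the hardware measurement."""
    for i, cmd in enumerate(log):
        if not any(p.fullmatch(cmd) for p in ALLOWED):
            return False, f"command {i} not allowed: {cmd!r}"
    if replay(log) != quoted_pcr:
        return False, "event log does not reproduce quoted PCR"
    return True, "ok"
```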
