[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Support for TPM measurements on UEFI systems

From: Jon McCune
Subject: Re: Support for TPM measurements on UEFI systems
Date: Mon, 6 Feb 2017 19:56:34 -0800

On Mon, Feb 6, 2017 at 2:04 PM, Matthew Garrett <address@hidden> wrote:
On Mon, Feb 06, 2017 at 09:53:57AM -0800, Jon McCune wrote:

> I'm not sure about measuring the commands that GRUB runs. GRUB's config
> file is a shell-like language, and measuring that file should give a pretty
> good indication of its behavior. In the grey area between "what is code?"
> and "what is data?", making the case that grub.cfg is code seems feasible,
> which greatly simplifies the work of whatever verifies attestations or
> binds/seals data. Although, implementations for these two don't really seem
> to be in conflict so maybe GRUB could be configured one way or the other.

I'm concerned that the language gives enough flexibility that we don't
know that for sure - for instance, if a regularly used command is
vulnerable to a buffer overflow, there's no way to determine whether
that occurred. Measuring each command before it's executed gives us some
further assurance in that respect.

This is a good point. I'd still like to express a preference that it be optional.
Calculating the expected values is
still pretty easy, and if they're logged then you can have a regex-based
engine for remote validation.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]