> First of all your system is still totally vulnerable to emanation and
> power analysis or hw tampering.

Yes, but that's way too hard.

> By reflashing bios one can bypass all tpm protections (don't say it's
> difficult because it's closed source and so on. Look at all closed source
> obfuscations/pseudo-protections that get cracked every day)

That's possible, but again I consider this not critical. The BIOS itself is checksummed and checked by the root of trust.

> Personally if tpm support is merged into mainline grub2 I'll stop using
> it.

Why?

> However what you request doesn't need tpm. Authenticity of modules,
> configuration files and so on can be verified by one of 4 methods:
> 1) internal signatures
> 2) file in signed gpg container
> 3) detached signatures
> 4) signed hash file

Won't work. For example, an attacker can run everything inside a hypervisor and then just dump memory and extract the decryption keys. You have no reliable way to detect a hypervisor from inside the running OS. You can pile layers upon layers of integrity checks, but they are useless if the hardware itself is not trusted. TPM allows me to establish this trust. Actually, I can probably even formally prove this assumption.

> First advantage is that you can override it manually supplying grub
> password

The administrator can manually override the TPM by supplying the decryption key directly instead of fetching it from my key server.

[skipped because this scheme just won't work]

> I personally would be interested in implementing security features in
> grub2 as long as tpm stays away

Then that's a religion, not engineering.

PS: please, can you CC me when you answer my posts?

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel