On 06/27/2011 11:27 AM, Miloslav Trmač wrote: > It doesn't, really. My understanding is that it takes a hash of the > contents of memory (and perhaps other state, I don't know) and submits > this "measurement" to the TPM. The sinit blob doesn't contain any > policy or configuration: it is only a mechanism for reducing the > complete "system state" into a hash value. One of my biggest concerns here is that we don't know what the proprietary sinit blob is doing, nor do I think that it is likely that Intel will show us. It seems to me that the situation is this: Intel has convinced some hardware vendors (IBM and Dell, possibly others) to embed the sinit blob in their BIOSes on very new systems. Intel wants Fedora to automatically check for: A) The system's capability to leverage found TPM hardware B) The presence of the sinit blob in the system BIOS If A and B are true, then Fedora adds an additional grub configuration for a "trusted-kernel" scenario. As uncomfortable as I am with us enabling process around undocumented BIOS magic, there is some precedent within the Linux kernel for that sort of thing. It also sounded like Intel wanted hooks in there so if A is true, but B is not, Fedora would prompt the user to download the sinit blob (arguably, B will be false on the majority of Fedora systems for at least the next few years). I am extremely opposed to this, for presumably obvious reasons. ~tom == Fedora Project -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
