Matthew Garrett wrote:
> Measured boot is a process whereby each component in the boot chain
> "measures" the next component. In the TPM 1.x world (which is where most
> of us still are), that measurement is in the form of a SHA1 hash of the
> next component. So, on a BIOS system, the firmware measures itself, the
> firmware measures its configuration, the firmware measures any option
> ROMs on plugin cards, the firmware measures the MBR of the disk, the MBR
> measures the grub stage 1, the grub stage 1 measures the grub stage 2,
> the grub stage 2 measures the kernel and so on.

Yet another Treacherous Computing "feature" that nobody needs!

> Remote attestation is a mechanism by which a remote machine can request
> (but not compel) another machine to provide evidence of the PCR state.
> The TPM provides a signed bundle of information including the PCR values
> and the event log, and the remote machine verifies that the signature
> corresponds to the key it expected to see.

How does the remote machine know that what is answering is a physical TPM
and not a software emulation? Does it need to have the individual TPM's
public key in advance?

        Kevin Kofler

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
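The measurement chain and the verifier-side check quoted above, as an added illustration that is not part of the thread: a simplified TPM 1.x-style PCR extend (SHA1 of the previous PCR value concatenated with the component's SHA1) run over a constructed MBR / grub / kernel chain, and a remote verifier that replays the event log against the quoted PCR before comparing each stage to known-good values. The component blobs and stage names are made up, and checking the quote's signature against the attestation key the verifier already holds is assumed to happen before this step.

```python
import hashlib

# Constructed example, not code from the thread: a simplified TPM 1.x-style
# measurement chain. Each stage extends a PCR with the SHA1 of the next
# component: PCR_new = SHA1(PCR_old || SHA1(component)).

PCR_INIT = bytes(20)  # TPM 1.x PCRs are 20 zero bytes after reset

def measure(component: bytes) -> bytes:
    """SHA1 of a boot component, as recorded in the event log."""
    return hashlib.sha1(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the new PCR value depends on every prior measurement."""
    return hashlib.sha1(pcr + digest).digest()

def boot_chain(components):
    """Booting-machine side: returns (final PCR value, event log)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        d = measure(blob)
        log.append((name, d))   # what firmware/bootloader writes to the log
        pcr = extend(pcr, d)    # what the TPM actually holds
    return pcr, log

def verify_attestation(quoted_pcr, log, expected):
    """Remote-verifier side. Assumes the quote's signature was already
    checked against the attestation key obtained in advance (not shown)."""
    pcr = PCR_INIT
    for _name, d in log:
        pcr = extend(pcr, d)
    if pcr != quoted_pcr:
        # The log is untrusted software output; only a log that reproduces
        # the TPM-held PCR can be believed.
        return False, "event log does not reproduce the quoted PCR"
    for name, d in log:
        if expected.get(name) != d:
            return False, f"unexpected measurement for {name}"
    return True, "ok"
```

A tampered stage shows up as a changed measurement, and a log edited to hide it no longer replays to the PCR the TPM signed.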