Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Tue Nov 20 23:52:45 UTC 2018
On Tue, Nov 20, 2018 at 02:33:45PM -0700, Jason Gunthorpe wrote:
> So it really is essential that all steps, including the BIOS use
> secure PCR updates, or you may as well not bother in Linux, at least
> for security reasons.
>
> And I think you were on the right track, the TPM should have a
> per-boot authorization that flows through all layers of the TPM stack
> and guarantees the TPM hasn't been rebooted and with crypto prevents
> lost PCR updates.
>
> But that does require standardization, as we do need the BIOS to
> participate.
These talks were already started before LSS 2018 on chat session.
The idea would be to promote the same approach for BIOS.
I see what James is doing a piece, not a full solution but you
have to start from somewhere.
As an opt-in feature it should be ok.
/Jarkko
More information about the Linux-security-module-archive
mailing list