#749 FSW, chipset based laptops (X200, T400) with grub2 attestation, using TBM.

Closed
opened 3 months ago by i3_relativism · 1 comment

Given recent work in coreboot and osresearch,

there is some overlap with libreboot based systems, still not needing to use any blobs.

Attestation work, relative to GRUB2: https://github.com/Rohde-Schwarz/TrustedGRUB2

Given this hardware only uses a TPM 1.2 implementation, and given one cannot use it without ME, according to https://github.com/osresearch/heads/issues/925,

this could be fixed by using dyne.org initiated work relating to TBM (not TPM, trusted boot module); talk on it:

https://media.ccc.de/v/SHA2017-280-tbm_trusted_boot_module

Please suggest any improvements in comments so I can add them here in the description.

  • TPM can be emulated by ME, but iTPM is not the only thing available (and either way proprietary, at least when it comes to the standard TSSOP-28 package with LPC interface)
  • TPM and similar solutions can be easily tricked by loading malicious code into boot firmware, so they rely on the first measurement being trusted (e.g. done via logic directly or mask ROM code). None of the libreboot-supported devices support that feature.
  • Any external TPM (and similar) is susceptible to Man-in-the-Middle attacks
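The second bullet above is the crux of measured boot: a PCR is a hash chain, so its final value commits to every measurement in order, but it only proves what the *measuring* stages reported, not that the first stage was itself trustworthy. The following simulation is an added example written for this thread; it is not code from TrustedGRUB2, Heads, libreboot or the TBM project. It models a TPM 1.2 style SHA-1 PCR, measures a constructed boot chain (firmware, GRUB core, grub.cfg, kernel), and runs the verifier-side check that a remote attester would perform. All images and the "golden" value are constructed stand-ins.

```python
"""Simulate a TPM 1.2 style PCR (20-byte SHA-1 register) and the measured
boot chain that GRUB2-based attestation relies on.

Added illustration for the issue discussion; component images and the
golden value are constructed here and do not correspond to any real build.
"""
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).

    The register can only be extended, never written, and the operation is
    one-way and order-dependent, so the final value commits to the whole
    sequence of measurements.
    """
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return sha1(pcr + measurement)


def measure_chain(components):
    """Return (final_pcr, event_log) for an ordered list of (name, image).

    Each stage hashes the next image, appends the digest to the event log
    and extends the PCR with it, the way a TCG-style boot log is built.
    """
    pcr = bytes(PCR_SIZE)  # PCRs are zero after platform reset
    log = []
    for name, image in components:
        digest = sha1(image)
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone (verifier side)."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify(reported_pcr, log, golden_pcr):
    """Attestation check: the log must replay to the PCR the TPM reports,
    and that PCR must equal the known-good value recorded for this machine.

    Caveat from the thread: this proves that *whatever first extended the
    PCR* reported these digests. If the boot firmware is not itself
    measured by logic or mask ROM code that runs before it, the first log
    entry is self-reported and the golden value rests on firmware integrity
    that the TPM alone does not establish.
    """
    return replay_log(log) == reported_pcr == golden_pcr


# Constructed stand-ins for the boot stages; not real images.
GOOD_CHAIN = [
    ("boot firmware", b"coreboot image v1 (constructed)"),
    ("grub core.img", b"grub2 core (constructed)"),
    ("grub.cfg", b"set default=0\nlinux /vmlinuz root=/dev/sda1\n"),
    ("kernel", b"vmlinuz (constructed)"),
]
GOLDEN_PCR, GOOD_LOG = measure_chain(GOOD_CHAIN)


def good_boot_verifies():
    pcr, log = measure_chain(GOOD_CHAIN)
    return verify(pcr, log, GOLDEN_PCR)


def tampered_cfg_detected():
    """A single changed byte in grub.cfg yields a different PCR."""
    chain = list(GOOD_CHAIN)
    chain[2] = ("grub.cfg", b"set default=0\nlinux /vmlinuz-old root=/dev/sda1\n")
    pcr, log = measure_chain(chain)
    return not verify(pcr, log, GOLDEN_PCR)


def reordered_chain_detected():
    """Same images, different order: the hash chain is order-dependent."""
    chain = [GOOD_CHAIN[0], GOOD_CHAIN[2], GOOD_CHAIN[1], GOOD_CHAIN[3]]
    pcr, log = measure_chain(chain)
    return not verify(pcr, log, GOLDEN_PCR)


def forged_log_detected():
    """A log that omits an event no longer replays to the reported PCR."""
    pcr, log = measure_chain(GOOD_CHAIN)
    return not verify(pcr, log[:-1], GOLDEN_PCR)


if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    print("good boot verifies:", good_boot_verifies())
    print("tampered grub.cfg detected:", tampered_cfg_detected())
    print("reordered chain detected:", reordered_chain_detected())
    print("truncated log detected:", forged_log_detected())
```

The three negative cases are what the TPM does buy you: any change to a measured image, its order, or the log that claims to describe it is visible to the verifier. What it does not buy you is visible in `verify`: nothing in the check distinguishes a firmware that measured itself honestly from one that merely extended the expected digests, which is why the comment above insists on a hardware-anchored first measurement (or an external module such as the TBM proposal) rather than the TPM alone.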