The TrouSerS project puts out a set of grub patches (grub-ima) designed to help complete the TPM chain of trust. I've been running this out-of-tree under the hardened profile on a Thinkpad X31 for some time with no ill effects and have just gotten around to actually writing an ebuild to manage it. I am open to whatever implementation is deemed appropriate, but have implemented this as a 'tpm' USE flag on the grub-0.97-r3 ebuild, manifested as grub-0.97-r4. I will attach the patch for the -r3 ebuild shortly, as well as a small housekeeping patch for a conflict between the grub-ima patches and the current Gentoo patchset (input on that process solicited as well). I think all that I haven't done is added a use.desc entry.
Created attachment 140411 [details, diff] patch to grub-0.97-r3.ebuild for -r4
Created attachment 140414 [details, diff] goes in ${FILESDIR} Fixes the conflict between existing Gentoo patches and the grub-ima one in configure.ac
Ugh... TPM/Trusted Computing is extreme evil. :X
It is if you use it the way our favorite commercial OS vendor has sold it, and as a result the OSS community has responded with FUD and lots of misunderstanding. Think of it this way - it's a reasonably secure hardware-based CA embedded in your machine that can help prevent you from having to use a USB stick, boot CD, etc. to protect your keys. We can nearly reach physical compromise-proof with this. This is the start of my campaign to use TPM to help securely manage encrypted-root systems - I am one [very short] program away from using the TPM to seal a portion (or all) of an encryption key that will then be passed on to loop-aes, dm-crypt, etc. and seamlessly decrypt /. No remote attestation, no preventing you from running certain apps, but you (the owner) can prevent the filesystem from being decrypted should any of the boot chain (kernel/initrd/grub/etc.) be modified.
Dropping this to P5 (seemingly due to TPM FUD) really bothers me. I won't argue the priority, but I hope to help educate on the reality of TPM rather than let everyone swallow Stallman's arguably misinformed rant against them. If you're against appropriate usage of TPM, you're against PKCS#11 and smartcards in general. If you would, a couple of articles on the subject: http://www.research.ibm.com/gsal/tcpa/tcpa_rebuttal.pdf http://blog.bosabosa.org/2008/01/rethinking-trusted-computing.html
just ignore him have you talked with upstream grub about getting tpm integrated in grub2 ?
No, but I will now, starting with the TrouSerS group to see if they'll help push the patch upstream. Kent Yoder just left (internal to IBM), but it shouldn't be a big issue.
Looks like the battle will be uphill; I'd forgotten for a few hours that Grub is hosted/run by the GNU project. With alarmist fantasies like http://www.gnu.org/philosophy/right-to-read.html, I think it goes outside of the scope of this bug. I will do what I can and work with TrouSerS for a grub2 patch.
Created attachment 148479 [details] grub with ima (tpm) support ebuild including the patch above
Created attachment 148481 [details, diff] patch to the (ima) patch looks pretty the same as the original one, which did not apply (this one uses tabs instead of spaces)
Created attachment 148693 [details] grub with ima (tpm) support autoconf needs to be run after applying the ima patch (otherwise configure doesnt know about it).
Spaces/tabs is what I get for pasting from a VT with GPM. I don't see how you applied my 2nd patch, as it would have had that 'eautoreconf' from the start, or what value an ebuild adds over a patch that does the same thing; whatever strikes your fancy. For my purposes, a patch is easier so others can see precisely what's being done w/o having to download and diff themselves. Don't know what all devs do, but it's highly unlikely they'll incorporate an attached ebuild wholesale anyway.
patch for devs and ebuild for users looks ok to me (:
Created attachment 148783 [details] grub with tpm (ima) and tpm-debug (imatest) support makes the quite annoying debug messages optional
Could you please update it to apply on top of 0.97-r8. I strongly recommend just respinning the upstream IMA patch so that it applies cleanly, and is ALWAYS applied, but is only enabled depending on USE=tpm. If you look in the Gentoo anonymous CVS, gentoo/src/patchsets/grub/0.97, you'll find our raw patchset files where your patches to grub itself would be included.
Created attachment 170901 [details, diff] grub-0.97 (gentooified) tpm patch
Created attachment 170903 [details, diff] with tpm use flag (and tpm debug messages disabled)
Created attachment 170905 [details] with tpm use flag (and tpm debug messages disabled)
Added Robert's 850 to my local grub-0.97-patches-1.8.tar.bz2 and tested his version of r8 against it (I can live w/o debug by default) with USE='ncurses netboot tpm'. Booted & working fine (Vaio, Infineon 1.2.1.0).
(In reply to comment #19) > Added Robert's 850 to my local grub-0.97-patches-1.8.tar.bz2 and tested his > version of r8 against it (I can live w/o debug by default) with USE='ncurses > netboot tpm'. Booted & working fine (Vaio, Infineon 1.2.1.0). thanks for testing! (:
This works fine with Robert's 850_ patch against the -r9 ebuild in the main tree. I renamed it to '855' in my local repo to avoid potential conflict with the new ext4 patch, but it's still good.
FWIW, still running well in production, zero issues. Any chance of this going mainstream so I don't have to maintain a local ebuild?
Updating the queue marker. I'm waiting for test results on patches on bug 139277 and bug 200505, then -r10 will be ready to roll.
pushing this to -r11 now, I got some conflicts with other stuff in -r10, please see about a respin?
I dont use Gentoo anymore, so someone else has to go for it. RB?
Headed there, just had a weekend out. Probably by EOW.
Any news RB?
Still here, still marked TODO on my end, just need to get it done. Will try to dig into it with the remainder of this weekend.
What is the status? @RB are you still working on this?
Sadly, no - this fell off of my plate after changing roles a couple of times. I'm still working with Gentoo, but it is no longer my primary boot.
grub:0 is gone