9–11 Sept 2019
Europe/Lisbon timezone

Session

System Boot and Security MC

11 Sept 2019, 15:00
Jade/room-I&II (Corinthia Hotel Lisbon)

Description

The microconference will focus on various topics related to open source security, including bootloaders, firmware, BMCs and TPMs. This will bring all interested people together in one room to discuss current developments and the issues hurting the community.

Potential speakers and key participants: everybody involved or interested in GRUB, iPXE, coreboot, LinuxBoot, SeaBIOS, UEFI, OVMF, TianoCore, IPMI, OpenBMC, TPM, and related projects and technologies.

It has been an exciting year of progress around Linux integrity: patches for TPM support have finally been integrated into GRUB, support for a wider range of TPM2 features has been landing in-kernel, IMA and EVM have continued to grow new features, and there is a fully-featured free software remote attestation implementation.

Let's get together and spend a few hours discussing what the remaining pain points are and what should come next.

Presentation materials

  1. Joel Stanley (IBM)
    11/09/2019, 15:00

    The OpenBMC project has brought modern Linux to the firmware in your new server. A missing piece of this is ensuring the firmware is the image you expect it to be running.

    The next generation of BMC hardware will allow a hardware root of trust to secure the boot chain. This talk will present a proposed design for trusted boot in OpenBMC.

  2. Leif Lindholm (Linaro, TianoCore, GRUB)
    11/09/2019, 15:20

    The UEFI forum is rolling out a new "code first" process, to be available for both UEFI and ACPI specifications, in order to speed up time between initial definition and upstream support.

    The UEFI self-certification testsuite (SCT) has been open sourced.

    The UEFI interface implementation in U-Boot is now sufficient for GRUB use (and more) across multiple distributions.

  3. Jarkko Sakkinen
    11/09/2019, 15:40

    The presentation gives an overview of what has been implemented in the SGX patch set and what there is still left to do. The presentation goes through the known blockers for upstreaming. In particular, access control related issues will be discussed.

  4. Daniel Kiper
    11/09/2019, 16:05

    TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the measurement gap and reduces the need to trust system firmware. This talk will...

  5. James Bottomley (IBM)
    11/09/2019, 17:00

    TPM2 introduced a plain text authorization scheme with the idea that the system using the TPM should know whether the transport was secure. The presence of interposers on the bus, either as physical devices (https://www.nccgroup.trust/us/our-research/tpm-genie/) or as compromised pre-boot firmware, makes this threat a reality. A NULL seed based scheme has been proposed for...

  6. Philip Tricca (Intel)
    11/09/2019, 17:20

    Firmware on commodity PCs has used the TPM to store integrity measurements from security relevant components as part of the boot process for some time. Grub2 has recently merged patches that extend this integrity measurement chain through to the launching of the OS kernel. Collecting and storing these measurements in the TPM is a necessary precondition for implementing authorization policy...

  7. Piotr Król (3mdeb Embedded Systems Consulting), Mr Żygowski Michał (3mdeb Embedded Systems Consulting)
    11/09/2019, 17:40

    The main issue in using TPM2.0 in such a measured boot solution is that at the
    moment of writing this abstract neither Trusted Grub nor the Linux kernel has a
    TPM2.0 implementation. There are of course implementations based on UEFI
    systems, where bootloaders can utilize the TCG EFI protocol to handle the TPM. However,
    other non-UEFI based solutions suffer from a lack of TPM2.0 drivers in the
    bootloaders....

  8. Mr Król Piotr (3mdeb Embedded Systems Consulting), Mr Żygowski Michał (3mdeb Embedded Systems Consulting)
    11/09/2019, 18:05

    At the time of writing this paper the Linux kernel supported TPM 1.2
    functionalities in sysfs. These functionalities include:

    ```
    $ ls /sys/devices/pnp0/00:04/tpm/tpm0
    active  caps  device  enabled  pcrs  ppi  subsystem  timeouts
    cancel  dev  durations  owned  power  pubek  temp_deactivated  uevent
    $ ls /sys/devices/pnp0/00:04/tpm/tpm0/ppi
    request  response ...
    ```

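Talks 6 and 8 above both turn on the same mechanism: firmware and GRUB2 measure each boot component into a TPM PCR, and the PCR bank read back (on TPM 1.2 via the sysfs `pcrs` file listed above) is only meaningful if a verifier can replay the measurement log and get the same values. The following is an added worked example, not code from any of the talks or from the page: it implements PCR extend (`PCR_new = H(PCR_old || digest)`), replays a constructed measurement log from an all-zero bank, parses the kernel's TPM 1.2 `pcrs` line format (`PCR-NN: XX XX ...`, upper-case hex, one line per register), and reports which PCRs disagree. The sample log, its PCR assignments and the "swapped kernel" tampering are constructed for illustration; the `algo` parameter is an assumption added so the same replay works against a TPM2 SHA-256 bank.

```python
"""Replay a boot measurement log and compare it with a TPM PCR bank."""
import hashlib
import re

# Constructed sample measurement log: (PCR index, bytes that were measured).
# Not a real event log; the entries only stand in for what firmware and GRUB2
# would measure. PCR numbers are illustrative assumptions, not a spec.
SAMPLE_LOG = [
    (0, b"firmware-volume-main"),
    (0, b"firmware-volume-dxe"),
    (4, b"grub2-core.img"),
    (8, b"grub.cfg: linux /vmlinuz root=/dev/sda2"),
    (9, b"/boot/vmlinuz"),
    (9, b"/boot/initrd.img"),
]

# One 'PCR-NN: XX XX ...' line per register, as the kernel's TPM 1.2 sysfs
# `pcrs` attribute prints it (upper-case hex pairs separated by spaces).
PCR_LINE = re.compile(r"^PCR-(\d{2}):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def extend(pcr: bytes, digest: bytes, algo: str = "sha1") -> bytes:
    """One TPM PCR extend step: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def replay(log, algo: str = "sha1", num_pcrs: int = 24) -> dict:
    """Replay a measurement log from an all-zero bank.

    Each log entry is hashed with `algo` (the measurement) and extended into
    its PCR. Returns the expected final bank as {index: digest bytes}.
    """
    size = hashlib.new(algo).digest_size
    pcrs = {i: bytes(size) for i in range(num_pcrs)}
    for idx, data in log:
        pcrs[idx] = extend(pcrs[idx], hashlib.new(algo, data).digest(), algo)
    return pcrs


def parse_sysfs_pcrs(text: str) -> dict:
    """Parse the TPM 1.2 sysfs `pcrs` file contents into {index: bytes}."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a PCR line
        pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def render_sysfs_pcrs(pcrs: dict) -> str:
    """Inverse of parse_sysfs_pcrs; used here only to build a constructed
    stand-in for what /sys/.../tpm0/pcrs would contain for a given bank."""
    return "".join(f"PCR-{i:02d}: {pcrs[i].hex(' ').upper()} \n"
                   for i in sorted(pcrs))


def check_bank(log, sysfs_text: str, algo: str = "sha1") -> list:
    """Replay `log` and compare with the bank read from sysfs.

    Returns the sorted list of PCR indices whose value does not match; a
    missing register counts as a mismatch. This is the set an attestation
    verifier would refuse to accept.
    """
    expected = replay(log, algo)
    actual = parse_sysfs_pcrs(sysfs_text)
    return sorted(i for i in expected if actual.get(i) != expected[i])


def tamper_demo():
    """Clean bank vs. a bank where a different kernel was measured.

    Returns (mismatches for the clean bank, mismatches for the tampered one).
    """
    clean = render_sysfs_pcrs(replay(SAMPLE_LOG))
    # Constructed attack: the kernel on disk was swapped, so the TPM saw a
    # different PCR 9 measurement than the log the verifier holds claims.
    tampered_log = [(i, b"/boot/vmlinuz.evil" if d == b"/boot/vmlinuz" else d)
                    for i, d in SAMPLE_LOG]
    tampered = render_sysfs_pcrs(replay(tampered_log))
    return check_bank(SAMPLE_LOG, clean), check_bank(SAMPLE_LOG, tampered)


if __name__ == "__main__":
    ok, bad = tamper_demo()
    print("clean bank mismatches:", ok)      # []
    print("tampered bank mismatches:", bad)  # [9]
```

Because every later extend into PCR 9 is chained onto the altered value, the swapped kernel stays visible no matter how many legitimate components are measured after it; that ordering dependence is why a log must be replayed in sequence rather than compared entry by entry. On a real TPM 1.2 system `check_bank` would be fed the contents of the `pcrs` attribute shown above instead of the constructed text.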