[CentOS] TPM and secure boot

Mon May 20 13:17:09 UTC 2013
Denniston, Todd A CIV NAVSURFWARCENDIV Crane <todd.denniston at navy.mil>

> -----Original Message-----
> From: John R Pierce [mailto:pierce at hogranch.com]
> Sent: Sunday, May 19, 2013 17:57
> To: CentOS mailing list
> Subject: Re: [CentOS] TPM and secure boot
> On 5/19/2013 2:41 PM, Reindl Harald wrote:
> > your question was*clearly*  secure boot
> > and before UEFI secure boot*nobody*  cared about TPM on OS systems
> so basically, you're saying you can't use a TPM to secure a linux
> system?   hey, saves me a lot of work.     I'll tell my boss it can't
> be
> done.

As seen on LWN http://lwn.net/Articles/549597/ 
Matthew Garrett has been messing with TPM again

You can secure a Linux system Quite well using TPM, but it takes work
and you need to know the capabilities of your TPM chip... Matthew
Garrett indicated that they are not all loaded the same.
For the purposes of doing ssl, I am wondering if you need the
Endorsement Key (EK), which Matt indicated some chips don't have. I know
you *can* get a system all the way through booting from tpm using
trusted grub and tpm-luks.
Matt indicated that "The Linux kernel has support for measuring each
binary run or each module loaded and extending PCRs accordingly", so you
can go deeper.

Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or
modify the terms of any contract.