[CentOS] TPM and secure boot

Sun May 19 20:59:46 UTC 2013
John R Pierce <pierce at hogranch.com>

has anyone implemented any sort of 'secure boot' using TPM 1.2 modules 
on the server boards using CentOS 6.x ?   I'm not finding much concrete 
stuff on how to setup and manage a system like this, but I've been asked 
to research it for a security application internally at my job.

our primary application for the TPM is for client authentication 
certificates in an SSL application (the machine with the TPM is an 
unmanned embedded client, that accesses webservices on a remote server 
which needs to authenticate this client).    We've already done similar 
client authentication using USB Tokens, but would like to use TPM for 
this in the future.    I think the client authentication part is pretty 
straight forward, using Trousers and so forth and PKCS#11 to access the 
keys.

Once we get the client authentication side working, we'd like to also 
secure the OS itself to prevent tampering, presumably using trusted grub 
and such?

is this typically used in conjunction with disk encryption such that the 
TPM module supplies the decryption keys?   does linux have any concept 
of signed executables, kernel, and so forth?     would replacing the RPM 
keys with keys signed by our own certificate authority such that the TPM 
would be involved in RPM authentication be practical? (yes, I know, this 
would mandate using a private yum repository, and building/signing all 
our own system components).

I realize this will greatly complicate system management, security is 
always a tightrope act.



-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast