Features/Trusted Boot

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Comments and Discussion)
(Trusted Boot)
Line 1: Line 1:
= Trusted Boot =
+
= Install-time Configuration of Trusted Boot =
  
 
== Summary ==
 
== Summary ==
Line 10: Line 10:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/16 | Fedora 16 ]]  
 
* Targeted release: [[Releases/16 | Fedora 16 ]]  
* Last updated: 2011-05-30
+
* Last updated: 2011-06-15
 
* Percentage of completion: 0%
 
* Percentage of completion: 0%
  
 
== Detailed Description ==
 
== Detailed Description ==
This would include:
+
This would include two things to be done at install time:
 
# UI to choose TXT/tboot support
 
# UI to choose TXT/tboot support
 
# The underlying support to install the package and modify the bootloader cfg.
 
# The underlying support to install the package and modify the bootloader cfg.
 +
Below is a sample grub.conf file showing the change.
 +
 +
default=0
 +
timeout=5
 +
splashimage=(hd0,2)/boot/grub/splash.xpm.gz
 +
hiddenmenu
 +
 +
title Fedora (2.6.38-0.rc5.git1.1.fc15.x86_64)
 +
        root (hd0,0)
 +
        kernel /boot/vmlinuz-2.6.38-0.rc5.git1.1.fc15.x86_64 ro root=UUID=2c16235d-452c-4109-b93c-7b6e93795682 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
 +
        initrd /boot/initramfs-2.6.38-0.rc5.git1.1.fc15.x86_64.img
 +
 +
title Fedora w/ tboot (2.6.38-0.rc5.git1.1.fc15.x86_64)
 +
        root (hd0,0)
 +
        kernel /boot/tboot.gz logging=vga,serial,memory
 +
        module /boot/vmlinuz-2.6.38-0.rc5.git1.1.fc15.x86_64 ro root=UUID=2c16235d-452c-4109-b93c-7b6e93795682 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
 +
        module /boot/initramfs-2.6.38-0.rc5.git1.1.fc15.x86_64.img
 +
        module /boot/sinit.bin
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==

Revision as of 02:22, 15 June 2011

Contents

Install-time Configuration of Trusted Boot

Summary

Add installer support for Trusted Boot (tboot).

Owner

Current status

  • Targeted release: Fedora 16
  • Last updated: 2011-06-15
  • Percentage of completion: 0%

Detailed Description

This would include two things to be done at install time:

  1. UI to choose TXT/tboot support
  2. The underlying support to install the package and modify the bootloader cfg.

Below is a sample grub.conf file showing the change.

default=0
timeout=5
splashimage=(hd0,2)/boot/grub/splash.xpm.gz
hiddenmenu

title Fedora (2.6.38-0.rc5.git1.1.fc15.x86_64)
       root (hd0,0)
       kernel /boot/vmlinuz-2.6.38-0.rc5.git1.1.fc15.x86_64 ro root=UUID=2c16235d-452c-4109-b93c-7b6e93795682 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
       initrd /boot/initramfs-2.6.38-0.rc5.git1.1.fc15.x86_64.img

title Fedora w/ tboot (2.6.38-0.rc5.git1.1.fc15.x86_64)
       root (hd0,0)
       kernel /boot/tboot.gz logging=vga,serial,memory
       module /boot/vmlinuz-2.6.38-0.rc5.git1.1.fc15.x86_64 ro root=UUID=2c16235d-452c-4109-b93c-7b6e93795682 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us rhgb quiet
       module /boot/initramfs-2.6.38-0.rc5.git1.1.fc15.x86_64.img
       module /boot/sinit.bin

Benefit to Fedora

Fedora will be capable to do trusted launch with tboot support. It will meet the increase needs for platform security.

Scope

Required steps are:

  1. UI to choose TXT/tboot support during installation.
  2. Scripts to install the tboot package and modify the bootloader cfg.

How To Test

  • It requires platforms supporting Intel TXT.
  • If selected during system installation UI, make sure the tboot package is installed and the bootloader config is changed to boot tboot as kernel and linux as module.

User Experience

User will find the tboot packge easier to install and use.

Dependencies

none

Contingency Plan

None necessary, revert to previous release behaviour.

Documentation

Release Notes

  • Trusted Boot (tboot) is an open source, pre- kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS kernel/VMM.

Comments and Discussion