From Fedora Project Wiki

Revision as of 14:16, 21 June 2012

Introduction

Trusted Boot is a technique...

Prerequisites

   yum install tboot
   yum install openssl

Installation

The following provides a trusted boot setup with checksums of the kernel and the initrd.

Step 1

Take ownership of the TPM

   tpm_takeownership -z

Download the proper tboot.gz file for your architecture and place it at /boot/tboot.gz.

Step 2

To create a verified launch policy (VLP) we need the paths to the kernel and the initial RAM disk, as well as the kernel command line from grub.conf; the commands below refer to these as $kernel_file, $initramd_file and $grub_cmdline.

Create a new verified launch policy.

   tb_polgen --create --type nonfatal vl.pol

Add the kernel image hash and its grub command line to the VLP.

   tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$grub_cmdline" --image $kernel_file vl.pol

Add the initrd to the VLP.

   tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image $initramd_file vl.pol

Hash tboot.gz and wrap the hash in an MLE policy element.

   lcp_mlehash -c "logging=vga,serial,memory" /boot/tboot.gz > mle_hash
   lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash

Record your system's PCR values. Depending on the TPM driver they may instead be under /sys/bus/pnp/devices/00:0a/pcrs.

   grep -e PCR-00 -e PCR-01 /sys/devices/platform/tpm_tis/pcrs > pcrs
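Putting the three variables used in Step 2 together, here is an added example (not the wiki page's or the tboot project's code) that reads them out of a legacy grub.conf stanza and prints the resulting tb_polgen commands as a dry run. It assumes legacy GRUB syntax with kernel and initrd paths relative to /boot, and that the --cmdline value is the kernel arguments without the image path.

```shell
#!/bin/sh
# Added example: derive kernel_file, initramd_file and grub_cmdline from a
# legacy grub.conf and print the tb_polgen commands (nothing is executed).
# Assumptions: "kernel /vmlinuz-... <args>" and "initrd /initramfs-...img"
# lines with paths relative to /boot; tb_polgen --cmdline takes only <args>.

# grub_vars <grub.conf> [stanza-index]
# Prints three lines: kernel_file, initramd_file, grub_cmdline. The stanza is
# chosen by the zero-based index argument, defaulting to the "default=" entry.
grub_vars() {
    conf=$1
    idx=${2:-$(sed -n 's/^default=\([0-9]*\).*/\1/p' "$conf")}
    awk -v want="${idx:-0}" '
        /^[[:space:]]*title/ { n++; next }
        n - 1 == want && /^[[:space:]]*kernel[[:space:]]/ {
            sub(/^[[:space:]]*kernel[[:space:]]+/, "")   # drop the keyword
            kernel = "/boot" $1                           # image path
            sub(/^[^[:space:]]+[[:space:]]*/, "")         # drop the path
            cmdline = $0                                  # remaining arguments
        }
        n - 1 == want && /^[[:space:]]*initrd[[:space:]]/ { initrd = "/boot" $2 }
        END { print kernel; print initrd; print cmdline }
    ' "$conf"
}

# Constructed sample grub.conf for offline use (not copied from a real system).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
default=0
timeout=5
title Fedora (3.4.0-1.fc17.x86_64)
        root (hd0,0)
        kernel /vmlinuz-3.4.0-1.fc17.x86_64 ro root=/dev/sda2 rhgb quiet
        initrd /initramfs-3.4.0-1.fc17.x86_64.img
EOF

# Dry run: show the tb_polgen invocations that would build the VLP.
grub_vars "$sample_conf" | {
    read -r kernel_file; read -r initramd_file; read -r grub_cmdline
    echo "tb_polgen --add --num 0 --pcr 18 --hash image --cmdline \"$grub_cmdline\" --image $kernel_file vl.pol"
    echo "tb_polgen --add --num 1 --pcr 19 --hash image --cmdline \"\" --image $initramd_file vl.pol"
}
rm -f "$sample_conf"
```

Check the printed command lines against the kernel stanza you actually boot before running them; a wrong command line produces a policy whose hash never matches.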


Notes

We may need to modprobe tpm --force=1