On 02/04/2017, Todd Weaver todd@puri.sm wrote:
On 04/01/2017 04:55 PM, Trammell Hudson wrote:
On Sat, Apr 01, 2017 at 07:43:40PM +0000, ron minnich wrote:
For a payload chooser and such I can offer two options:
- petitboot has a boot menu type thing
- u-root (u-root.tk) is going to have a boot menu type thing, as we've been asked to do one.
Heads is coming along in usability and has a strong focus on securing the boot process through TPM measurement and using the flash security features.
One of the three reasons we are including TPM in hardware is because of your great talk at 33c3 on Heads! But I failed to see that it offered a "boot menu type thing".
It fits the 4.9.20 Linux kernel + initrd into 4 MB, including all of the crypto, networking and other features. The eventual user kernel (or Xen hypervisor and dom0 kernel) are GPG verified and invoked via kexec for a slightly more secure, legacy-free boot process.
So this is referring more to "linux payload" than "boot menu type thing", correct? [...]
What we are looking at is to include or develop a solution that accomplishes these goals:
- allows us to skip most of vbios (but sounds like still needs the VBT)
- deliver a payload that has a path toward securing the boot process (e.g. Heads)
- deliver a payload that can still offer a user to install their own OS (thus allowing user-configuration and control)
Presumably petitboot, u-root, or another "boot menu type thing" could be included in Heads? This would seem to be the best outcome.*
Whether that would still fit into 4MB is another matter, but it seems worth a try. Even 8MB or 12MB would make it usable on some existing motherboards without the need to desolder anything.
I look forward to seeing what emerges from your (hopeful) collaboration!
* Formal verification of all this would be even better, but that's probably several years in the future :)