On Wed, Jul 02, 2014 at 11:38:44AM -0400, Stefan Berger wrote:
> This is a repost of a series of patches providing TPM
> support to SeaBIOS.
> As an addition, this patch series now works on the Acer C720 Chromebook
> with limitations (S3 not getting invoked; no logging into TCPA table).
> The patch series cleanly applies to a checkout of tags/rel-1.7.5.
> The following set of patches add TPM and Trusted Computing support to SeaBIOS.
Thanks Stefan. Just to make sure I understand - at a very high-level
- the goal of the tcg bios is to take "measurements" of the firmware
so that an OS (or app) can verify that it isn't being run in a
malicious sandbox (or at least, is running in the same environment
that it was originally installed in)? That is, the OS can verify
using cryptographic hashes that the same chain of system boot software
is in use and thus no new malicious boot loader, option rom,
etc. could be running. This is all assuming the BIOS itself is not
attacked (because if the "S-CRTM" is compromised then an attacker
could replay bogus measurements that an OS would be unable to
distinguish). Am I correct?
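The measurement chain described in the question above, as an added illustration that is not part of the thread or of the SeaBIOS patches: each boot stage is hashed and folded into a TPM 1.2 PCR with SHA-1(old_PCR || digest), so a changed stage changes the final value, while a root of trust that replays recorded digests instead of hashing real code reproduces the "good" value. The boot-stage images and names are constructed sample data.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest, initially all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: new_pcr = SHA-1(old_pcr || digest). One-way and order-sensitive."""
    return hashlib.sha1(pcr + digest).digest()


def measure_boot_chain(components):
    """Hash every stage in order and extend it into one PCR.

    Returns the final PCR value and an event log of (name, digest) pairs,
    which is what the BIOS would record in the TCPA log for the OS to read.
    """
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = hashlib.sha1(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log):
    """Recompute a PCR from the event log digests alone (no code is hashed).

    A verifier uses this to check that a log is consistent with the PCR; a
    compromised S-CRTM could use the same step to report a clean PCR while
    running modified code, which is why the root of trust itself must be trusted.
    """
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


# Constructed sample boot chains (strings stand in for real firmware images).
GOOD_CHAIN = [("bios", b"seabios-1.7.5"), ("optionrom", b"vga-rom"), ("bootloader", b"stage1")]
TAMPERED_CHAIN = [("bios", b"seabios-1.7.5"), ("optionrom", b"vga-rom"), ("bootloader", b"stage1-modified")]


def compare_chains():
    """Return (good_pcr, tampered_pcr, pcr_replayed_from_good_log)."""
    good_pcr, good_log = measure_boot_chain(GOOD_CHAIN)
    tampered_pcr, _ = measure_boot_chain(TAMPERED_CHAIN)
    return good_pcr, tampered_pcr, replay_log(good_log)


if __name__ == "__main__":
    good, tampered, replayed = compare_chains()
    print("good    ", good.hex())
    print("tampered", tampered.hex())
    print("replayed", replayed.hex(), "(matches good despite no code being hashed)")
```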