On 07/02/2014 11:51 AM, Kevin O'Connor wrote:
On Wed, Jul 02, 2014 at 11:38:44AM -0400, Stefan Berger wrote:
This is a repost of a series of patches providing TPM support to SeaBIOS.
As an addition, this patch series now works on the Acer C720 Chromebook with limitations (S3 not getting invoked; no logging into TCPA table).
The patch series cleanly applies to a checkout of tags/rel-1.7.5.
The following set of patches add TPM and Trusted Computing support to SeaBIOS.
Thanks Stefan. Just to make sure I understand - at a very high-level
- the goal of the tcg bios is to take "measurements" of the firmware
so that an OS (or app) can verify that it isn't being run in a malicious sandbox (or at least, is running in the same environment that it was originally installed in)? That is, the OS can verify using cryptographic hashes that the same chain of system boot software is in use and thus no new malicious boot loader, option rom, etc. could be running. This is all assuming the BIOS itself is not attacked (because if the "S-CRTM" is compromised then an attacker could replay bogus measurements that an OS would be unable to distinguish). Am I correct?
Yes, that's the idea.