TPM And Secure Boot


Has anyone implemented any sort of ‘secure boot’ using TPM 1.2 modules on the server boards using CentOS 6.x? I’m not finding much concrete stuff on how to set up and manage a system like this, but I’ve been asked to research it for a security application internally at my job.

Our primary application for the TPM is for client authentication certificates in an SSL application (the machine with the TPM is an unmanned embedded client, which accesses web services on a remote server that needs to authenticate this client). We’ve already done similar client authentication using USB tokens, but would like to use TPM for this in the future. I think the client authentication part is pretty straightforward, using TrouSerS and so forth and PKCS#11 to access the keys.

Once we get the client authentication side working, we’d like to also secure the OS itself to prevent tampering, presumably using trusted grub and such?

Is this typically used in conjunction with disk encryption such that the TPM module supplies the decryption keys? Does Linux have any concept of signed executables, kernel, and so forth? Would replacing the RPM keys with keys signed by our own certificate authority, such that the TPM would be involved in RPM authentication, be practical? (Yes, I know, this would mandate using a private yum repository, and building/signing all our own system components.)

I realize this will greatly complicate system management; security is always a tightrope act.

4 thoughts on - TPM And Secure Boot

  • TPM is not the same as the new Secure Boot UEFI BIOS stuff. This is an optional module (tamperproofed so if it’s unplugged, it erases) on most server motherboards; you initialize it with your OWN security keys if you want to use it, and Microsoft has nothing to do with it. TPM has been around since 2006 or earlier.

  • So basically, you’re saying you can’t use a TPM to secure a Linux system? Hey, saves me a lot of work. I’ll tell my boss it can’t be done.

  • The comment that “the complete chain of trust is more or less impossible on an open source system without making any 3rd party kernel module completely impossible” is complete and utter bullshit, within the realm that ANYTHING can be a “complete chain of trust” in open source or closed source. Open source has no disadvantage (and some advantages – peer review and support) in this arena. Cryptographers accept that the security of a crypto system does NOT depend on the secrecy of the algorithm but only upon the secrecy of the keys (private or shared). Anyone telling you otherwise has something to sell you.

    You might review Joanna (little miss blue pill) Rutkowska’s work on the “anti evil maid” to counter the “evil maid attack” against encrypted drives. If you wish to secure a system using TPM, this would be the place to start.

    Regards, Mike

  • As seen on LWN
    Matthew Garrett has been messing with TPM again

    You can secure a Linux system quite well using TPM, but it takes work and you need to know the capabilities of your TPM chip… Matthew Garrett indicated that they are not all loaded the same. For the purposes of doing SSL, I am wondering if you need the Endorsement Key (EK), which Matt indicated some chips don’t have. I know you *can* get a system all the way through booting from TPM using trusted grub and tpm-luks. Matt indicated that “The Linux kernel has support for measuring each binary run or each module loaded and extending PCRs accordingly”, so you can go deeper.

    Even when this disclaimer is not here:
    I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
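The last reply mentions trusted grub, tpm-luks and the kernel extending PCRs, and the original question asks whether the TPM can supply the disk decryption keys. The mechanism tying those together is the PCR extend operation: each boot stage hashes the next one and folds that hash into a register, and a secret (such as a LUKS key) can be sealed to the expected register value so the TPM only releases it when the measured boot chain matches. The script below is an added example written for this page, not code from the thread, from TrouSerS or from tpm-luks; it simulates the TPM 1.2 SHA-1 extend rule and the seal/unseal policy check in plain Python, with constructed byte strings standing in for the firmware, bootloader, kernel and initrd images and a constructed placeholder for the LUKS key.

```python
import hashlib
import hmac

# TPM 1.2 PCRs are 20-byte SHA-1 registers, reset to all zeros at power-on.
PCR_INIT = b"\x00" * 20


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """One TPM 1.2 extend step: PCR_new = SHA1(PCR_old || digest_of_event).
    The register can only be extended, never written directly, which is what
    makes the final value a commitment to the whole ordered sequence."""
    return hashlib.sha1(pcr + event_digest).digest()


def measure_boot(components):
    """Simulate a measured boot: each stage hashes the next stage's image and
    extends the PCR before handing over control. Returns the final PCR value
    and an event log of (name, hex digest) pairs, as a boot loader would keep."""
    pcr = PCR_INIT
    log = []
    for name, image in components:
        digest = hashlib.sha1(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log alone. If the replay
    matches the register, the log is a faithful record of what was loaded."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def unseal(sealed_pcr: bytes, current_pcr: bytes, secret: bytes):
    """Model of TPM sealing: the secret is released only when the current PCR
    equals the value it was sealed against. A tampered kernel or a reordered
    chain yields a different PCR, so the key stays locked."""
    if hmac.compare_digest(sealed_pcr, current_pcr):
        return secret
    return None


# Constructed stand-ins for real firmware, bootloader, kernel and initrd images.
GOOD_CHAIN = [
    ("bios", b"firmware-image-v1"),
    ("trusted-grub", b"grub-stage2-image"),
    ("kernel", b"vmlinuz-2.6.32-el6"),
    ("initrd", b"initramfs-with-tpm-luks-hook"),
]

# The same chain with the kernel image altered, as an offline tampering attempt would.
TAMPERED_CHAIN = [
    (name, b"vmlinuz-2.6.32-el6-modified" if name == "kernel" else image)
    for name, image in GOOD_CHAIN
]

# Constructed placeholder standing in for a LUKS master key; not a real key.
LUKS_KEY = b"constructed-placeholder-luks-master-key"


def demo():
    """Seal the key to the known-good PCR, then attempt to unseal after a good
    boot and after a tampered boot."""
    good_pcr, good_log = measure_boot(GOOD_CHAIN)
    bad_pcr, _ = measure_boot(TAMPERED_CHAIN)
    return {
        "pcr_hex": good_pcr.hex(),
        "replay_matches": replay_log(good_log) == good_pcr,
        "good_unseal": unseal(good_pcr, good_pcr, LUKS_KEY),
        "tampered_unseal": unseal(good_pcr, bad_pcr, LUKS_KEY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two properties worth noticing when running it: the register value depends on the order of measurements as well as their contents (swapping two stages changes the PCR), and a verifier holding only the event log can reproduce the register, which is how remote attestation checks a boot without trusting the host to report its own state. A real deployment replaces these Python functions with TPM commands issued through TrouSerS, and the sealed blob, not the raw key, is what sits on disk.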