has anyone implemented any sort of ‘secure boot’ using TPM 1.2 modules on the server boards using CentOS 6.x ? I’m not finding much concrete stuff on how to setup and manage a system like this, but I’ve been asked to research it for a security application internally at my job.
our primary application for the TPM is for client authentication certificates in an SSL application (the machine with the TPM is an unmanned embedded client, that accesses webservices on a remote server which needs to authenticate this client). We’ve already done similar client authentication using USB Tokens, but would like to use TPM for this in the future. I think the client authentication part is pretty straight forward, using Trousers and so forth and PKCS#11 to access the keys.
Once we get the client authentication side working, we’d like to also secure the OS itself to prevent tampering, presumably using trusted grub and such?
is this typically used in conjunction with disk encryption such that the TPM module supplies the decryption keys? does linux have any concept of signed executables, kernel, and so forth? would replacing the RPM
keys with keys signed by our own certificate authority such that the TPM
would be involved in RPM authentication be practical? (yes, I know, this would mandate using a private yum repository, and building/signing all our own system components).
I realize this will greatly complicate system management, security is always a tightrope act.