
I am currently working with Ubuntu 16.04, with an Intel CPU that supports a TPM2 module.

I am trying to harden my boot-loader. I tried using the trustedgrub2 fork that supports TPM2; I understand that trustedgrub2 currently does not support UEFI BIOS, so I switched to UEFI-CSM, which should emulate the legacy BIOS. Unfortunately, after installing trustedgrub, the system still boots with GRUB2.

I also tried using tboot, but it seems that there is almost no documentation to be found anywhere.

My questions are: is there any good tutorial for using/installing trustedgrub2? Or is there maybe an alternative to the options above to make the boot process more secure?

Thanks!

mmelamud

2 Answers

Ubuntu supports Secure Boot. This requires UEFI-only mode. Please disable CSM. The TPM can be used by the Linux Integrity Measurement Architecture.

From what I've been reading, some work still needs to be done.

Here are the steps to run tboot:

1. Enable EFI boot mode in the BIOS setup menu; enable VT-x, VT-d, TPM and TXT in the BIOS setup menu; save and exit.
2. apt-get update
3. apt-get install tpm-tools
4. apt-get install mercurial
5. hg clone http://hg.code.sf.net/p/tboot/code tboot-code
6. cd tboot-code/tboot
7. make install
8. cd ../utils
9. make install
10. Copy your /sbin/init to /boot.
11. grub-mkconfig -o /boot/grub/grub.cfg
12. reboot
13. Select tboot from the GRUB boot menu.
14. Log in as root.
15. Run txt-stat after booting into Ubuntu.

Taken from here: https://sourceforge.net/p/tboot/wiki/Home/

Actually, on Ubuntu 18.04.1 it works like this:

sudo txt-stat | grep TRUE 
    senter_done: TRUE
    private_open: TRUE
    locality_1_open: TRUE
    locality_2_open: TRUE
    secrets: TRUE
    lock: TRUE
TXT measured launch: TRUE
secrets flag set: TRUE
TBOOT: TPM nv_locked: TRUE
TBOOT: TPM nv_locked: TRUE
odo
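As an added check that is not part of the answer or of the tboot project, the shell function below reads txt-stat output and succeeds only when every flag listed above reads TRUE; the two sample outputs are constructed, one from the lines quoted in the answer and one for a boot where the measured launch did not happen.

```shell
#!/bin/sh
# Added example (not from the answer or the tboot project): check txt-stat
# output for the flags the answer lists. Sample outputs are constructed.

# txt_launch_ok STATUS_TEXT
# Returns 0 when every required "<name>: TRUE" line is present, 1 otherwise
# (naming the first missing or non-TRUE flag on stderr).
txt_launch_ok() {
    status="$1"
    # One required name per line so names containing spaces survive the loop.
    printf '%s\n' \
        'senter_done' 'private_open' 'locality_1_open' 'locality_2_open' \
        'secrets' 'lock' 'TXT measured launch' 'secrets flag set' \
        'TBOOT: TPM nv_locked' |
    while IFS= read -r name; do
        # Anchored match: a FALSE value or a missing line both fail the check.
        if ! printf '%s\n' "$status" | grep -Eq "^[[:space:]]*${name}: TRUE[[:space:]]*$"; then
            echo "txt-stat: '$name' is not TRUE" >&2
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
    done
}

# Constructed sample: the healthy output quoted in the answer.
TXT_STAT_GOOD='    senter_done: TRUE
    private_open: TRUE
    locality_1_open: TRUE
    locality_2_open: TRUE
    secrets: TRUE
    lock: TRUE
TXT measured launch: TRUE
secrets flag set: TRUE
TBOOT: TPM nv_locked: TRUE'

# Constructed sample: a boot where the measured launch did not take place.
TXT_STAT_BAD='    senter_done: FALSE
    private_open: TRUE
TXT measured launch: FALSE'

txt_launch_ok "$TXT_STAT_GOOD" && echo "measured launch verified"
txt_launch_ok "$TXT_STAT_BAD" || echo "measured launch NOT verified"
```

Feed it the full txt-stat output rather than `txt-stat | grep TRUE`: the grep in the answer drops FALSE lines, so a failed launch would simply show fewer lines instead of a visible FALSE.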