Questions tagged [trusted-boot]

29 questions
14 votes
1 answer

How are TPMs provisioned for Intel Trusted Execution Environment (TXT)?

For Intel TXT to work, the TPM must be provisioned. Intel provides some tools for doing this but many are protected by non-public login or an NDA. Many OEM platform vendors provision their boards and machines at manufacturing time so an end user…
Wilbur Whateley
9 votes
2 answers

Android verified boot within the boot sequence

I'm interested in understanding the verified boot process in Android, yet I was unable to find insights about some properties of the process. From what I gathered so far I get that in Android devices the verified boot process is supported using…
DannyL
9 votes
2 answers

Why does Chrome tell me this certificate is valid when it can't be verified?

Update: Now Chrome rejects this website for me. It seems the trusting is just cached somewhere? I guess this question isn't as interesting as I thought, but it'd be nice if someone could clarify it. Original question: I've disabled automatic…
6 votes
1 answer

How does ROCA affect Windows secure boot?

I've been doing some research on the Infineon vulnerability known as ROCA over the last few days. As I understand it, the vulnerability is present when a TPM running vulnerable firmware generates an RSA key. At that point, the public key can be used…
3 votes
2 answers

Android boot sequence - verified boot security

After some research, my current understanding of Android's boot sequence (at least on a Qualcomm device) is as follows: PBL --> XBL (replaces SBL) --> Aboot --> Kernel PBL: Primary Boot Loader (sometimes called bootROM). First piece of code…
el_tigro
3 votes
1 answer

Windows Secure Boot compromise: are fully-patched PCs vulnerable?

Are fully-patched (as of Aug. 10, 2016) Windows installs vulnerable to allowing self-signed early-boot malware to run because of this? If so, which versions of Windows are vulnerable? What in blazes is going on with this thing, technically?…
mostlyinformed
2 votes
1 answer

Root of Trust - The general Mechanism of how RoT Authenticates higher levels of software

I've been reading many research articles about RoT - Root of Trust - for establishing a chained root of trust going up from BIOS to the Kernel. However, most of the articles go briefly on how RoT works for different brands. A good article on RoT is…
2 votes
1 answer

BeagleBoneBlack, TPM and uBoot

I'm using BBB in my project. I need to prevent any changes to the software running on it. I've been reading about uBoot and TPM. But if I understand everything correctly, this can't be implemented correctly, that is, in a really secure manner. I…
2 votes
1 answer

With TPM how are the initial PCR values seeded with 'good' values?

I am trying to learn more about trusted boot / trusted platform modules and I understand about Platform Configuration Register (PCR) values being a measurement of a 'good' configuration signed by a key locked from access within the TPM chip. What I…
decodebytes
2 votes
0 answers

How is hardware based chain of trust implemented in practice for secure boot?

To do secure boot we need an immutable public key baked into the ROM. This key is used to sign the boot loader or the key used to sign the boot loader. I have these questions - Which code does this signature check? Is this code in the ROM? How is…
2 votes
0 answers

Level of security TPM2.0

How secure is it to seal only to PCRs 0 and PCRs 2-7 with fTPM 2.0? My device does not support Intel TXT, so I am unable to extend the chain of trust to implement DRTM, and thus cannot use PCRs 17-22. Are the 7 PCRs that I'm sealing data to enough…
2 votes
1 answer

Differences between Intel TXT and Linux IMA

I understand that Intel TXT provides a Dynamic Root of Trust Measurement (DRTM). Does the Linux integrity measurement architecture do logically similar things? If not, what are the differences?
DaTaBomB
2 votes
1 answer

Chain of Trust Extension with TPM2.0

I am looking for a way to implement a trusted boot using a firmware TPM2.0 on Arch Linux. I am using TPM2.0-TSS, and tpm2-tools, however I cannot find a way to do this with tpm2-tools, as I do not believe it allows me to make any changes to the…
1 vote
1 answer

Is it possible to allow only a certain secure USB boot media to boot an UEFI system?

I want to restrict all USB boot media from my system, except for a certain USB boot drive that I declare secure via a certain key. Is this possible using UEFI/Secure Boot/TPM? Maybe via TPM? TPM gets a private key and checks if public key on USB…
JohnnyFromBF
1 vote
2 answers

TPM Endorsement Key usage in secure and trusted boot

Taking into account a Root of Trust in a device using a TPM. My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures with the vendor's public key. The TPM Endorsement…
Engineer999