Announcement

Collapse
No announcement yet.

Trenchboot Secure Launch Support For Linux Sees New Patches

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Trenchboot Secure Launch Support For Linux Sees New Patches

    Phoronix: Trenchboot Secure Launch Support For Linux Sees New Patches

    For a while now Oracle engineers and others have been working on Trenchboot as a means of secure launch/boot support when paired with the likes of Intel TXT and AMD SKINIT for trusted execution and configuring each piece of the software boot chain for trusted/secure handling. The latest kernel patches have been sent out for review for secure launching of the kernel...

    http://www.phoronix.com/scan.php?pag...-Linux-Patches

  • #2
    I just dream of some 1GB tamper-resistant flash on the motherboard that is hard-coded as EFI partition, open-readable, writeable with password and auto-zeroing on hardware/firmware tampering.

    Comment


    • #3

      Hey it's from oracle... I trust it 100% :P
      I mean besides the thing about commercial license for java taking over mysql and lawsuit against google/android they're otherwise friends of freedom.

      Comment


      • #4
        Originally posted by mb_q View Post
        I just dream of some 1GB tamper-resistant flash on the motherboard that is hard-coded as EFI partition, open-readable, writeable with password and auto-zeroing on hardware/firmware tampering.
        Actually this is not something that far-fetched. Check these out https://istorage-uk.com/product-cate...-flash-drives/
        Of course these are not exactly what you described, but we only need some vendor to implement read-only without entering pin and making it writable after pin is entered and that would be perfect. Im using this flash drive for luks key storage.

        Originally posted by onlyLinuxLuvUBack View Post
        Hey it's from oracle... I trust it 100% :P
        I mean besides the thing about commercial license for java taking over mysql and lawsuit against google/android they're otherwise friends of freedom.
        Nobody is in business of trusting oracle. Instead we either trust source code or do not. Who it comes from is irrelevant and counter-productive.

        Comment


        • #5
          The name Trenchboot really reminds me of "trench foot" made famous from WWI when feet were left in wet boots for too long and got all diseased and disfigured. Trench foot was caused by the trenches holding water and feet always being wet. Don't Google that term, images are on the nasty side. Seriously, y'all have been warned.

          But, name aside, this actually sounds useful. Though it being tied to Oracle has me skeptical about it. Java, Solaris, ZFS, and all...

          TrenchBoot is a framework that allows you to build a Linux kernel with a tailored, embedded initramfs that functions as an intermediate loader to launch your system. You will need to use the build system to select the security engine components you desire, provide any necessary configurations, and build an instance of the loader. After that, you configure your system boot to launch the loader.
          My first thought is wondering if something like OpenZFS could leverage that

          mb_q That would be nice. Even a dedicated internal USB port for that function would work.

          Comment


          • #6
            Originally posted by bitman View Post
            Actually this is not something that far-fetched. Check these out https://istorage-uk.com/product-cate...-flash-drives/
            Of course these are not exactly what you described, but we only need some vendor to implement read-only without entering pin and making it writable after pin is entered and that would be perfect. Im using this flash drive for luks key storage.
            Not a fan of proprietary security, I would use this https://www.f-secure.com/en/consulti...dry/usb-armory
            that since is using a Linux-based OS you can configure it to show itself as a read-only mass storage too https://www.kernel.org/doc/html/late...s-storage.html

            also skeevy420

            Comment


            • #7
              I wouldn't want anything coming from Oracle.
              I also don't trust Intel or AMD to be able to make anything secure on x86, because I don't think it is possible to make a x86 system secure, I think x86 is too crappy.
              I also think all of these secure boot things are to let companies execute software on your device without the user being able to have control of it.

              Comment

              Working...
              X