Measured Boot Support Is Heading To Coreboot
Coreboot/LinuxBoot developer Philipp "_zaolin_" Deppenwiese has been working on measured boot support for Coreboot's vboot (verified boot) component to enhance the verification/trust steps around the boot process. Vboot is most notably used by Google for verification purposes on Chromebooks.
Interested in transparent #TPM measurements at firmware level with @TrustedComputin technology?! Take a peek at @coreboot_org firmware with the new trusted boot integration (https://t.co/CeoTiy1V4T). Feel free to get in contact with us via @9eSec pic.twitter.com/raBIghkhYc
— Zaolin (@_zaolin_) February 25, 2019
Deppenwiese sent out the patches adding the measured boot mode to Coreboot's vboot, TCPA fixes, and other bits.
Measured boot is somewhat similar to Secure Boot: it exposes to the operating system a set of hashes (the "measurements" of the chain of objects encountered in the boot process) that can be used to verify the boot process. Measured boot comes down to recording and handling these hashes. Unlike UEFI Secure Boot, which stops when it hits non-signed code, it doesn't halt or otherwise inhibit use of the system under any conditions, and it is also rather open about the measurements.
Once booted, the operating system or another component can compare the measured boot hashes/values against the "golden values" stored securely elsewhere to determine whether the system is in a trustworthy state. With this measured boot implementation for Coreboot vboot, the boot measurements/hashes can be obtained from the CBMEM buffer and from kernel drivers running on the system that read the Coreboot tables.
Some additional details on this measured boot implementation can be found via the documentation.
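The record-then-verify flow described above, as an added Python example that is not code from Coreboot or from the patches. It assumes measurements are folded into a SHA-256 register with the TPM extend operation; the stage contents and the in-memory log layout are constructed for illustration and are not the CBMEM log format.

```python
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR; the register starts as all zeroes


def extend(pcr, digest):
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(stages):
    """Firmware side: hash each stage, log it, extend the PCR. Never halts."""
    pcr, log = bytes(PCR_SIZE), []
    for name, blob in stages:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log):
    """Verifier side: recompute the PCR from the logged digests alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify(log, pcr, golden):
    """Return (trusted, offending entry names) for a log and PCR value."""
    if replay(log) != pcr:
        return False, ["<log does not match PCR>"]
    bad = [name for name, digest in log if golden.get(name) != digest]
    bad += [name for name in golden if name not in dict(log)]
    return not bad, bad


# Constructed sample stages (assumption): names and contents are illustrative.
GOOD = [("bootblock", b"bootblock-v1"), ("romstage", b"romstage-v1"),
        ("ramstage", b"ramstage-v1"), ("payload", b"payload-v1")]
TAMPERED = [(n, b"ramstage-modified" if n == "ramstage" else blob)
            for n, blob in GOOD]
GOLDEN = {name: hashlib.sha256(blob).digest() for name, blob in GOOD}

if __name__ == "__main__":
    for label, stages in (("good", GOOD), ("tampered", TAMPERED)):
        pcr, log = measure_boot(stages)
        print(label, pcr.hex()[:16], verify(log, pcr, GOLDEN))
```

The tampered boot still completes and is only flagged afterwards by `verify`, which is the difference from Secure Boot that the article draws.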