October 23-26, 2017 - Prague, Czech Republic
Tuesday, October 24 • 14:05 - 14:45
Making Trusted Boot Practical on Linux - Matthew Garrett, Google

TPMs can be used to record the state of the boot process, and that information can in turn be used to restrict access to secrets (such as disk encryption keys) in order to protect them against a compromised boot environment. Unfortunately this is easier said than done in Linux environments, as kernels are updated frequently and ramdisks are generated at install time. Keeping track of the expected values and ensuring that secrets aren't locked away from users becomes massively more difficult.

Thankfully, there is hope. A Microsoft-authored specification combines UEFI Secure Boot with TPM-based measured boot to reduce the number of individual measurements, making the problem much simpler. But the initramfs remains a problem. This presentation will cover the use of PCR 7 to provide TPM-based security without fragility, and propose solutions for handling trustworthy initramfs images.
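The trade-off the abstract describes, as an added example that is not from the talk or this page: a simplified Python model of PCR extension that compares a secret sealed to image hashes plus PCR 7 against one sealed to PCR 7 alone. `IMAGE_PCR`, the event contents, the `seal` stand-in and all sample byte strings are assumptions of the model; a real TPM policy and event log contain more.

```python
import hashlib

ZERO = bytes(32)   # PCRs in the SHA-256 bank start at all zeroes
IMAGE_PCR = 4      # model assumption: PCR that receives the hash of each loaded image
POLICY_PCR = 7     # PCR 7: Secure Boot state and the authority that validated the image

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = SHA-256(old || SHA-256(data)). A PCR cannot be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def boot(kernel: bytes, initramfs: bytes, signer: bytes, secure_boot: bool = True) -> dict:
    """Replay one simplified boot and return the resulting PCR values."""
    pcrs = {IMAGE_PCR: ZERO, POLICY_PCR: ZERO}
    events = [
        (POLICY_PCR, b"SecureBoot=1" if secure_boot else b"SecureBoot=0"),
        (POLICY_PCR, signer),      # the certificate, not the signed binary
        (IMAGE_PCR, kernel),
        (IMAGE_PCR, initramfs),    # unsigned, so it never influences PCR 7
    ]
    for index, data in events:
        pcrs[index] = extend(pcrs[index], data)
    return pcrs

def seal(pcrs: dict, selection: set) -> bytes:
    """Stand-in for a TPM PCR policy: a digest over the selected PCR values."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

def can_unseal(policy: bytes, pcrs: dict, selection: set) -> bool:
    return seal(pcrs, selection) == policy

# Constructed sample inputs (not real images or certificates)
CERT, OTHER_CERT = b"distro signing cert", b"unrelated signing cert"
KERNEL_A, KERNEL_B = b"kernel build A", b"kernel build B"
INITRD, INITRD_MOD = b"initramfs from install", b"initramfs, modified"

def scenarios() -> dict:
    """Seal at install time, then try to unseal after each kind of change."""
    install = boot(KERNEL_A, INITRD, CERT)
    later = {
        "kernel update, same signer": boot(KERNEL_B, INITRD, CERT),
        "different signer": boot(KERNEL_B, INITRD, OTHER_CERT),
        "secure boot off": boot(KERNEL_A, INITRD, CERT, secure_boot=False),
        "modified initramfs": boot(KERNEL_A, INITRD_MOD, CERT),
    }
    out = {}
    for name, sel in (("image+policy", {IMAGE_PCR, POLICY_PCR}), ("pcr7 only", {POLICY_PCR})):
        policy = seal(install, sel)
        out[name] = {k: can_unseal(policy, v, sel) for k, v in later.items()}
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model the PCR 7 policy survives a kernel update signed by the same certificate and still fails when the signer changes or Secure Boot is turned off, but it also unseals with a modified initramfs, which is the remaining gap the abstract points to.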


Matthew Garrett

Staff Security Developer, Google
Matthew Garrett is a security developer at Google, working on infrastructural security for Linux desktop and mobile platforms.

Tuesday October 24, 2017 14:05 - 14:45 CEST
  LinuxCon Tracks