Re: A _good_ and valid use for TPM

[Jan Alsenz]

Robert Millan wrote:
> On Fri, Feb 20, 2009 at 03:03:04AM +0200, Alex Besogonov wrote:
>> On Fri, Feb 20, 2009 at 2:29 AM, Jan Alsenz <address@hidden> wrote:
>> [skip]
>>>        The TPM can proof to another party, that the PCRs have certain 
>>> values (of
>>> course the communication needs to be established by normal software running 
>>> on
>>> the machine)
>> Yes, I'm trying to do remote attestation.
> 
> You're confusing things.  I think you simply want to ensure data integrity, 
> and
> the TPM doesn't even do that: it simply puts the problem in hands of a third
> party.
> 
> "remote attestation" is only useful when you want to coerce others into
> running your (generaly proprietary) software.  I hope this is not what you
> want to do.
Yes, this is exactly what he tries do to: convince his keyserver, that the
requesting server runs, what it's supposed to.

Which is exactly remote attestation, just in this case he controls both sides,
which I think makes it an interesting use of the technology.


>>>> First, I don't think it's possible to implement SHA-1 hashing in MBR -
>>>> there's probably just not enough space left in 512-byte code segment
>>>> for that.
>>> I am very sure of that.
>> Well, I spoke phcoder on Jabber - there might be a way to do this.
>> He's going to investigate it.
> 
> This is unnecessary.  Once GRUB supports crypto, it can simply load
> itself from an encrypted filesystem on disk.  An image can be of
> arbitrary size.
Ok, but where does it get the key from?
And how can wherever the key comes from be sure that it's talking to GRUB?

Greets,

Jan

signature.asc
Description: OpenPGP digital signature