about the implementation of TrustedGRUB, and I think that is what I'm looking for! I have a few questions for you about how it works and how I have to use it. I am using Kubuntu, I have the GRUB loader and an Intel TPM chip, version 1.2. The chip already has an Endorsement Key, so I don't have to create it!
First list of questions: the steps of your TrustedGRUB are:
- After the reset, the processor loads the BIOS (question: in this step, does the CPU call the TPM to measure the BIOS?)
- The BIOS executes the POST (Power On Self Test) to ensure that every component is OK, then measures the first part of GRUB, the stage 1 in the Master Boot Record
(question: is it the BIOS that calls it, or is it the TPM that, in this first step, checks the stage 1 after the BIOS measurement?). If it has the same digest as the one stored in PCR 4 it passes the test, so the BIOS loads it and transfers execution to it.
- The stage 1 measures the digest of stage 2 part 1 (why does stage 2 have two parts? I don't understand...), stored somewhere on the hard disk, and if it is the same as the one stored in PCR 8 it passes the test and loads it.
- Stage 2 part 1 measures stage 2 part 2, and if it passes the test it will be loaded and control is transferred to it.
- Stage 2 part 2 shows the different OSes installed and lets the user select which one he wants to load; after that it measures the SHA-1 of the kernel of the selected OS with its initrd and modules (all together, right?), and if it is the same as the one stored in PCR 14 it transfers control to the OS.
- Optional: stage 2 can measure the SHA-1 of some files that I need to be trusted (example: /etc/passwd) and compare the digest with the one stored in PCR 13 (and if I have more than one file, does it compare the digest of all the files together with the one present in some PCR... which one?)
- TrustedGRUB has finished.
Are all these steps repeated at every boot? When does the TPM ask for the PubEK, and how does it use it? Does it use it to encrypt the SHA-1 result that is sent to the TPM? If so... does the TPM decrypt the SHA-1 and compare it to the one it has stored previously? What does it return? How does TrustedGRUB understand that it's all OK?
How do I have to store the SHA-1 of stage 1, stage 2 part 1, part 2 and so on in the PCRs? When do I have to do it? In the loaded OS, with some application that can communicate with the TPM to set it up?
I tried to install your patch, but I have gcc 4.1 and 3.4 installed, and I read that I need 3.x... so... how can I use the gcc version 3.x?
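The measurement chain the post walks through, as an added example that is not part of the original thread or of TrustedGRUB's own code: a Python simulation of the TPM 1.2 PCR extend operation (PCR_new = SHA-1(PCR_old || measurement)) applied to the stage 1 -> stage 2 -> kernel sequence, using the PCR numbers the post names (4, 8, 13, 14). The component blobs, the checkfile content and the one-extend-per-component ordering are constructed assumptions, not the real images or the exact events TrustedGRUB logs. What it shows is that a PCR is never written with a chosen SHA-1 and the TPM never compares anything: the register only accumulates measurements in order, so the values that get recorded are the PCR contents observed after a known-good boot, and a single changed byte in the initrd alters PCR 14 while PCR 4 and PCR 8 stay the same.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest each


def measure(data: bytes) -> bytes:
    """SHA-1 of a boot component (TPM 1.2 works only with SHA-1 digests)."""
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).

    The TPM neither compares nor decrypts here; the register can only be
    folded forward, it cannot be set to a value of the caller's choosing.
    """
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR values and measurements are 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def sample_components() -> dict:
    """Constructed stand-ins for the boot components (not real binaries)."""
    return {
        "stage1": b"MBR stage1 image",
        "stage2_part1": b"stage2 part 1: the measuring half",
        "stage2_part2": b"stage2 part 2: menu and kernel loader",
        "kernel": b"vmlinuz-2.6",
        "initrd": b"initrd.img-2.6",
        "checkfiles": {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"},
    }


def boot(components: dict) -> dict:
    """Simulate one measured boot with the PCR assignment the post lists.

    Assumed (simplified) model: each stage hashes the next component and
    extends the matching PCR once per component, in boot order:
      PCR 4  <- stage 1 (measured by the BIOS)
      PCR 8  <- stage 2 part 1, then stage 2 part 2
      PCR 14 <- kernel, then initrd
      PCR 13 <- each file listed for checking (here only /etc/passwd)
    """
    pcrs = {i: bytes(PCR_SIZE) for i in range(16)}  # all zero at power-on reset
    chain = [
        (4, components["stage1"]),
        (8, components["stage2_part1"]),
        (8, components["stage2_part2"]),
        (14, components["kernel"]),
        (14, components["initrd"]),
    ]
    for index, blob in chain:
        pcrs[index] = extend(pcrs[index], measure(blob))
    for path in sorted(components.get("checkfiles", {})):
        pcrs[13] = extend(pcrs[13], measure(components["checkfiles"][path]))
    return pcrs


def record_reference(components: dict, indices=(4, 8, 13, 14)) -> dict:
    """Boot once from known-good components and keep the resulting PCR values.

    This is what actually gets stored (and what a sealed key would be bound
    to): the accumulated PCR contents, not the individual SHA-1 of each stage.
    """
    good = boot(components)
    return {i: good[i] for i in indices}


def pcrs_match(pcrs: dict, reference: dict) -> bool:
    """Accept the boot only if every referenced PCR equals its recorded value."""
    return all(pcrs[i] == value for i, value in reference.items())


if __name__ == "__main__":
    parts = sample_components()
    ref = record_reference(parts)
    print("clean boot accepted:", pcrs_match(boot(parts), ref))

    # One extra byte in the initrd: PCR 14 diverges, PCR 4 and 8 do not.
    tampered = dict(parts, initrd=parts["initrd"] + b"\x00")
    after = boot(tampered)
    print("tampered initrd accepted:", pcrs_match(after, ref))
    print("PCR 4 and 8 unchanged:", after[4] == ref[4] and after[8] == ref[8])
    print("PCR 14 changed:", after[14] != ref[14])
```

Because the extend is a chained hash, the order of measurements matters as much as their content: swapping the two halves of stage 2 gives a different PCR 8 even though the same two digests went in. That is also why the reference values have to be re-recorded after any legitimate update of a kernel, initrd or checked file.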