#608 F16Feature: Trusted Boot - http://fedoraproject.org/wiki/Features/Trusted_Boot
Closed None Opened 10 years ago by rbergero.

for 2011-06-15 FESCo meeting.


For what it is worth, I am strongly opposed to this feature, because it depends on a proprietary binary that cannot go into (and is not in) Fedora.

Replying to [comment:1 spot]:

> For what it is worth, I am strongly opposed to this feature, because it depends on a proprietary binary that cannot go into (and is not in) Fedora.

Not that I disbelieve you (in fact I'm pretty sure I've heard that story before), but do you have a link to documentation to corroborate this? I've dug into it a bit but I'm lost in a maze of acronyms.

Replying to [comment:2 ajax]:

> Replying to [comment:1 spot]:
>
> > For what it is worth, I am strongly opposed to this feature, because it depends on a proprietary binary that cannot go into (and is not in) Fedora.
>
> Not that I disbelieve you (in fact I'm pretty sure I've heard that story before), but do you have a link to documentation to corroborate this? I've dug into it a bit but I'm lost in a maze of acronyms.

As I stated in the latest feature page, server BIOS will have the sinit binary built in. For platforms which don't have a built-in sinit, tboot will simply fall back to just launching the kernel without any side impact. For documentation about TXT, see http://www.intel.com/technology/malwarereduction/index.htm, and the Intel® TXT Software Development Guide (http://download.intel.com/technology/security/downloads/315168.pdf) should be able to show you details about what tboot does and how.

Feature is tentatively declined for F16, pending resolution of at least the following issues:
* Demonstration of functionality on unmodified shipping hardware with no user-installed binary blobs
* Consensus description from both Red Hat and Intel about what, exactly, is being implemented
* Resolving user interface issues in Anaconda (why present it at all, etc)
This list may not be exhaustive. For additional followup discussion please refer to the mailing list thread at http://lists.fedoraproject.org/pipermail/devel/2011-June/153307.html

Feature was again deferred for F16 at today's FESCo meeting, still waiting for grubby integration.

I am looking into how to make the grub change with grubby, and will have some discussion with the grubby community.

Discussed with the grubby owner. grubby already supports upgrading a 1-level multiboot entry; what we may need to add is support for 2-level multiboot (tboot+xen+kernel case).

Discussed with the Anaconda community. If FESCo could agree to include tboot in the default package set (I assume it means on the released ISO image), there is no objection from Anaconda to accepting a patch to create a multiboot entry for tboot if it is installed.

Approved in the 2011-07-18 FESCo meeting.
