Can I use the TPM on linux without TrustedGrub?


It depends on your requirements. You can always access the TPM and perform sealing/unsealing operations.

But if you want a secure boot then you have only two options:

  • Use a bootloader which is extending the chain of trust.
  • Perform a late launch, for example with Intel's tboot and Intel TXT.

If you don't do either, you can't trust your platform configuration.


EDIT: On January 30th 2014, TBoot announced support for UEFI.
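To make the answer's point concrete, here is an added example (not code from the original post or from any TPM project) that models the two TPM operations in play: the PCR extend (a register can only be extended, never set, so it accumulates a hash chain of everything measured) and sealing a secret against a set of PCR values. It seals a disk passkey, then replays three boots: a bootloader that measures the kernel with the kernel intact, the same bootloader with a modified kernel, and a bootloader that does not measure the kernel at all. The PCR indices 4 and 8, the SHA-256 register size and the images are constructed assumptions; real TPM calls (TSS or tpm2-tools) are replaced by in-process hashing.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed model of TPM PCR-extend and seal/unseal semantics.
# Not a real TPM API: the point is to show why a bootloader that does not
# extend the chain of trust leaves a sealed secret unprotected.

PCR_BYTES = 32            # SHA-256 sized PCRs (assumption; TPM 1.2 used SHA-1)
BOOTLOADER_PCR = 4        # firmware measures the bootloader here (assumed index)
KERNEL_PCR = 8            # a trusted bootloader measures the kernel here (assumed index)


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(data)). A PCR can only be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def boot(bootloader: bytes, kernel: bytes, bootloader_measures_kernel: bool) -> Dict[int, bytes]:
    """Simulate power-on to kernel: PCRs start at zero, firmware measures the bootloader,
    and only a trust-chain-extending bootloader measures the kernel before jumping to it."""
    pcrs = {BOOTLOADER_PCR: bytes(PCR_BYTES), KERNEL_PCR: bytes(PCR_BYTES)}
    pcrs[BOOTLOADER_PCR] = pcr_extend(pcrs[BOOTLOADER_PCR], bootloader)
    if bootloader_measures_kernel:
        pcrs[KERNEL_PCR] = pcr_extend(pcrs[KERNEL_PCR], kernel)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """Digest over the selected PCR values, in the order given (models a PCR policy)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> dict:
    """Bind a secret (at most 32 bytes) to the current values of the selected PCRs."""
    if len(secret) > PCR_BYTES:
        raise ValueError("toy seal handles secrets of at most 32 bytes")
    policy = policy_digest(pcrs, selection)
    key = hashlib.sha256(b"toy-seal-key|" + policy).digest()   # real TPM: key never leaves the chip
    blob = bytes(a ^ b for a, b in zip(secret, key))
    return {"selection": selection, "policy": policy, "blob": blob}


def unseal(sealed: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the PCRs currently hold the values it was sealed against."""
    policy = policy_digest(pcrs, sealed["selection"])
    if policy != sealed["policy"]:
        return None                     # TPM refuses: platform configuration differs
    key = hashlib.sha256(b"toy-seal-key|" + policy).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], key))


def scenarios() -> Dict[str, Optional[bytes]]:
    """Seal a disk passkey at install time, then try to unseal after three kinds of boot."""
    bootloader = b"constructed bootloader image"
    good_kernel = b"constructed kernel image v1"
    tampered_kernel = b"constructed kernel image v1 + unexpected patch"
    passkey = b"constructed-luks-passkey"
    selection = (BOOTLOADER_PCR, KERNEL_PCR)

    # Bootloader that extends the chain of trust (what TrustedGrub or tboot provide)
    sealed_measured = seal(passkey, boot(bootloader, good_kernel, True), selection)
    # Bootloader that just chainloads the kernel without measuring it
    sealed_unmeasured = seal(passkey, boot(bootloader, good_kernel, False), selection)

    return {
        "measured_good_kernel": unseal(sealed_measured, boot(bootloader, good_kernel, True)),
        "measured_tampered_kernel": unseal(sealed_measured, boot(bootloader, tampered_kernel, True)),
        # Kernel swapped, but PCR 8 never changes, so the TPM releases the passkey anyway
        "unmeasured_tampered_kernel": unseal(sealed_unmeasured, boot(bootloader, tampered_kernel, False)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {'released' if result else 'refused'}")
```

The third scenario is the answer's warning in miniature: the TPM does exactly what it was asked, but because nothing measured the kernel, the PCR policy says nothing about what is actually running, and sealing the passkey against it gives no protection.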


Author: Peter

Updated on September 18, 2022

Comments

  • Peter
    Peter over 1 year

    I'd like to use the TPM to secure the boot process of my Linux laptop. Every manual, how-to or tutorial I have found on this topic says I have to use the TrustedGrub bootloader to keep up the trust chain. TrustedGrub, however, is not in the repositories of any major distribution; it is based on Grub1, so the number of file systems it can boot from is quite limited; and worst of all, it cannot boot from UEFI, so I simply cannot use it.

    What I want to do is seal a passkey for unlocking an encrypted drive in the TPM.

    The question on my mind is: do I really, absolutely have to use TrustedGrub to use the TPM, or can I use another boot loader like Grub2, Shim, Gummiboot or whatever else is there? Does it actually matter which bootloader I choose?

  • Peter
    Peter almost 11 years
    Neither TrustedGrub nor tboot work on UEFI systems, so any advice on a bootloader extending the chain of trust?
  • Scolytus
    Scolytus almost 11 years
    None that I know of - sorry. Maybe you should look into UEFI's secure boot stuff...
  • Peter
    Peter almost 11 years
    I would if I could, but sadly, no secure boot support on that system, just plain UEFI.
  • Scolytus
    Scolytus almost 11 years
    Well, if you don't need any special UEFI functions you could try to use legacy/BIOS mode. But I haven't tried it nor do I know how the chain of trust would be built in this setup.