[opensuse-factory] New Package: TrustedGrub2
Hi All, In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures. Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package. More information at : https://github.com/Sirrix-AG/TrustedGRUB2 Thanks, Michael -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Mar 18, 2016 at 1:50 PM, Michael Chang <mchang@suse.com> wrote:
Hi All,
In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures.
Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package.
More information at : https://github.com/Sirrix-AG/TrustedGRUB2
It seems to be based still on beta2; any plans to rebase? Do you propose to replace grub2-i386-pc package with trusted grub2? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 18 Mar 2016 12:45, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 1:50 PM, Michael Chang wrote:
Hi All,
In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures.
Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package.
More information at : https://github.com/Sirrix-AG/TrustedGRUB2
It seems to be based still on beta2; any plans to rebase?
Do you propose to replace grub2-i386-pc package with trusted grub2?
That woud be stupid, period. And shortsighted, flamewar inductive. Not everone using grub2-i386-pc wants the hassle of TPM related stuff. For me TrustedGRUB2 becomes really interesting when it supports UEFI and x86_64 als well as GPT. That is where the (industrial) world of today is. UEFI AND 64 Bit AND TPM is what is asked in the specs of many projects, not OR, and GPT is on the wishlist for many of them. ATM this is a forced selling point of M$ Windows. TrustedGRUB2 1.4.0 is (atm) limited to leagacy BIOS, mbr, 32 bit. Still, it is a very good start, and I'll keep an eye on that. - Yamaban. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Mar 18, 2016 at 01:05:42PM +0100, Yamaban wrote:
On Fri, 18 Mar 2016 12:45, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 1:50 PM, Michael Chang wrote:
Hi All,
In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures.
Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package.
More information at : https://github.com/Sirrix-AG/TrustedGRUB2
It seems to be based still on beta2; any plans to rebase?
Do you propose to replace grub2-i386-pc package with trusted grub2?
That woud be stupid, period. And shortsighted, flamewar inductive.
Well, that's true, and referring to this opening (WIP) pull request bascailly says pretty much by itself .. https://github.com/Sirrix-AG/TrustedGRUB2/pull/14
Not everone using grub2-i386-pc wants the hassle of TPM related stuff.
Agreed, and as long as it's forked code stream from upstream grub2 we'd better treat it separate loader type, and by sharing the same utils to minimize the efforts in the integration.
For me TrustedGRUB2 becomes really interesting when it supports UEFI and x86_64 als well as GPT.
Yes, UEFI is not supported and they have been looking contributors. https://github.com/Sirrix-AG/TrustedGRUB2/issues/15 About GPT support, it's not the TrustedGrub2 but the bios, by which the bootcode gets loaded and should be measured. Probably also put the measured partition table in pcr logs.
That is where the (industrial) world of today is.
UEFI AND 64 Bit AND TPM is what is asked in the specs of many projects, not OR, and GPT is on the wishlist for many of them.
Although TCG has published their own UEFI protocol spec long ago. It's easily oversighted as not released as part of offical UEFI spec, don't know why ..
ATM this is a forced selling point of M$ Windows.
I heard about that, and they seems to cerify TPM 2.0 not TPM 1.2 support, which is missing support in most linux distributions afaics. I do not have the details for how they would certify it but wouldn't be surpised it's an unwelcome thing for Linux or the entire FOSS world.
TrustedGRUB2 1.4.0 is (atm) limited to leagacy BIOS, mbr, 32 bit. Still, it is a very good start, and I'll keep an eye on that.
Thanks for your summary. Thanks, Michael
- Yamaban. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Mar 18, 2016 at 02:45:22PM +0300, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 1:50 PM, Michael Chang <mchang@suse.com> wrote:
Hi All,
In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures.
Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package.
More information at : https://github.com/Sirrix-AG/TrustedGRUB2
It seems to be based still on beta2; any plans to rebase?
The versioning is planned to follow TrustedGrub2 as vendor for those modules to falicitate communication if any such needs arise. The 1.4.0 is their latest release tag. Neverthelast We could send a pull request to them for bumping new version rebased on (incoming) beta3 of course.
Do you propose to replace grub2-i386-pc package with trusted grub2?
No. I think the plan is it will only be a replacement for legacy TrustedGrub1 that will get installed if integrated into YaST for platform supporting TPM and user explicitly as for it via a checkbox (default OFF). Thanks, Michael
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, 2016-03-21 at 11:23 +0800, Michael Chang wrote:
On Fri, Mar 18, 2016 at 02:45:22PM +0300, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 1:50 PM, Michael Chang <mchang@suse.com> wrote:
Hi All,
In the past we used to provide trustedgrub package in conjuction with legacy grub to support the TPM device and also the measure boot process. But after we migrated from grub to grub2, we dropped trustedgrub support from YaST because it's configuration and setup no longer compatible with grub2 that provides general and unified process for us to setup bootloader on all supported architectures.
Now that with TrustedGrub2 project it's back. :) And we can craft it with the same setup tools and configuration files from grub2 packages so that integration with existing system management tools like YaST become easy. The new package actually only contains it's i386-pc modules can be installed by grub2-install to your system plus some text (README, HOWTO etc) files as another package.
More information at : https://github.com/Sirrix-AG/TrustedGRUB2
It seems to be based still on beta2; any plans to rebase?
The versioning is planned to follow TrustedGrub2 as vendor for those modules to falicitate communication if any such needs arise. The 1.4.0 is their latest release tag. Neverthelast We could send a pull request to them for bumping new version rebased on (incoming) beta3 of course.
Do you propose to replace grub2-i386-pc package with trusted grub2?
No. I think the plan is it will only be a replacement for legacy TrustedGrub1 that will get installed if integrated into YaST for platform supporting TPM and user explicitly as for it via a checkbox (default OFF).
Thanks, Michael
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
You might want to look at this repository. https://github.com/mjg59/grub This guy is a developer for coreos and has apparently modified grub2 to support uefi and maybe gpt. Bill -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
02.04.2016 04:35, Bill Merriam пишет:
You might want to look at this repository.
This guy is a developer for coreos and has apparently modified grub2 to support uefi and maybe gpt.
Amusing ... thank you for a good laugh in the morning :) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (4)
-
Andrei Borzenkov -
Bill Merriam -
Michael Chang -
Yamaban