Hi Tedi,
Do I need to do anything to make those packages functionaly working in 11.2 ?
Well, at least the base Trusted Computing packages are there, already, and they should work in most configurations. Deinstall grub and install trustedgrub, install this bootloader and have a look at the PCRs after boot, observe them changing with the measurables, and play with the tpm-tools.rpm. Some of the packages on the build service may require some tweaking to get them running - not because they are faulty, but because their purpose can only be leveraged if their values are included and introduced into the reasons, why you would start playing around with the technology in the first place. In other words: At first glance, the effects that you will observe are not that amazing at all, they even seem boring. But what are the consequences of a hash that changes each time you boot, and that doesn't change any more if you boot read-only? What happens if you encrypt the key for your encrypted storage with a mask of PCR contents (remember Microsoft's BitLocker feature?)? While we're at it: Have a look at the packages tud-villach, the ibm-compmgr (Compartment Manager), hp-vnet (ipsec/VPN routing engine for xen's dom0), libvirt (that's the TVD (Trusted Virtual Domain) enabled package), the l4 support packages if you're interested in L4, and vgallium, if you care about the Gallium graphics architecture. Some of the packages may be very complicated and complex to handle (l4, vgallium, hp-vnet), some a little easier (villach, compmgr). But same as above: Get an overview, find out what you want to do, and use what's there. What's possible to do (incomplete list): a) sealing b) (remote) attestation c) based on a and b: CC@H usage scenario (Corporate Computing at Home; Xen machine at home has some measured domains running where the expected measurement will grant access to the corporate network, while other VMs are not measured and don't have access to the corporate network. Proof of Concept Prototype of the 2nd year of OpenTC.) d) based on a, b, c: VDC usage scenario (Virtual Data Center: A cloud computing customer can only see his own VMs because the access to the VPN connecting his VPNs is only granted if the (TPM-sealed) credential is in place (called TVD, Trusted Virtual Domain). He can then use his administrative interface with libvirt on the backend. Proof of Concept Prototype of the 3rd year of OpenTC.).
actively. The system that is booting is being measured (eg a hash is created and stored in the TPM's PCRs (Platform Configuration Register) for consumption at a point in time later. You'll find hashes from bios, boot loader (trustedgrub) and grub-bootables in /sys/devices/*/*/pcrs if the kernel module/driver for the tpm on your system has loaded. but apart from sealing functions the TPM doesn't do anything unless you ask it to. Is this the default functionality in 11.2 ?
Negative. TC is not enabled by default, and since the value that it creates can only be leveraged many layers of abstraction beyond the startup procedures of a PC system, it shouldn't, as this wouldn't make sense.
Thank you very much
Oh, no worries. If there are more questions about it, the meaning of TC itself or its uses for Linux in particular, or Open Source in general, please, go ahead, ask (my experience is that questions about TC that seem dumb at start will very soon turn out to be non-trivial!), discuss, dispute, claim, correct and be corrected - get loud. This is the right place. Thanks for the resonance, Roman. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org