[opensuse-security] OpenTC
I just read the following article: http://www.physorg.com/print177931452.html

The article mentions that openSUSE 11.2 is offering full TC (Trusted Computing) support. I would like to know where I can find more documentation about this in openSUSE.

Thank you

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hi Tedi,
I just read the following article: http://www.physorg.com/print177931452.html
The article mentions that openSUSE 11.2 is offering full TC (Trusted Computing) support.
I would like to know where I can find more documentation about this in openSUSE.
Thank you
Theoretically, all of the packages that the opentc project has been working on are available at http://download.opensuse.org/repositories/security:/OpenTC/openSUSE_11.1/ . If you have a build service account, go to http://download.opensuse.org/repositories/security:/OpenTC/openSUSE_11.1/ . That's quite a number of packages.

Most of what the OpenTC project did has to do with the creation of images that were booted in a Xen or L4 hypervisor to do some job. For these images, the packages from the repository were used. All of the basic trusted computing packages are contained in 11.2, most notably the trousers package and trustedgrub. And you shouldn't need to go to the security:/OpenTC/ repo. (Besides, 11.2 is not turned on. I have just added it, but some packages may not build there.)

More about opentc can be found at www.opentc.net, specifically the docs about the Proof of Concept prototypes (PET == Private Electronic Transactions; CC@H == Corporate Computing at Home; TDC == Trusted Data Center).

Be aware that Trusted Computing technology doesn't really do very much actively. The system that is booting is being measured (e.g. a hash is created and stored in the TPM's PCRs (Platform Configuration Registers) for consumption at a point in time later). You'll find hashes from BIOS, boot loader (trustedgrub) and grub-bootables in /sys/devices/*/*/pcrs if the kernel module/driver for the TPM on your system has loaded. But apart from sealing functions the TPM doesn't do anything unless you ask it to. Yet, the derived functionality can be very meaningful - and powerful.

The packages that are available from the build service are ready for enterprise use; keep in mind that this is exactly the usage scenario that Trusted Computing Technology was designed for right from the start.

Thanks,
Roman.
Hi Roman,

Thank you very much for your reply.

--- On Tue, 11/24/09, Roman Drahtmueller <draht@suse.de> wrote:
Most of what the OpenTC project did has to do with the creation of images that were booted in a Xen or L4 hypervisor to do some job. For these images, the packages from the repository were used. All of the basic trusted computing packages are contained in 11.2, most notably the trousers package and trustedgrub. And you shouldn't need to go to the security:/OpenTC/ repo. (Besides, 11.2 is not turned on. I have just added it, but some packages may not build there.)

Do I need to do anything to make those packages functionally working in 11.2?
actively. The system that is booting is being measured (e.g. a hash is created and stored in the TPM's PCRs (Platform Configuration Registers) for consumption at a point in time later). You'll find hashes from BIOS, boot loader (trustedgrub) and grub-bootables in /sys/devices/*/*/pcrs if the kernel module/driver for the TPM on your system has loaded. But apart from sealing functions the TPM doesn't do anything unless you ask it to.

Is this the default functionality in 11.2?
Thank you very much
Hi Tedi,
Do I need to do anything to make those packages functionally working in 11.2?
Well, at least the base Trusted Computing packages are there, already, and they should work in most configurations. Deinstall grub and install trustedgrub, install this bootloader and have a look at the PCRs after boot, observe them changing with the measurables, and play with the tpm-tools.rpm.

Some of the packages on the build service may require some tweaking to get them running - not because they are faulty, but because their purpose can only be leveraged if their values are included and introduced into the reasons why you would start playing around with the technology in the first place.

In other words: At first glance, the effects that you will observe are not that amazing at all, they even seem boring. But what are the consequences of a hash that changes each time you boot, and that doesn't change any more if you boot read-only? What happens if you encrypt the key for your encrypted storage with a mask of PCR contents (remember Microsoft's BitLocker feature?)?

While we're at it: Have a look at the packages tud-villach, the ibm-compmgr (Compartment Manager), hp-vnet (ipsec/VPN routing engine for xen's dom0), libvirt (that's the TVD (Trusted Virtual Domain) enabled package), the l4 support packages if you're interested in L4, and vgallium, if you care about the Gallium graphics architecture. Some of the packages may be very complicated and complex to handle (l4, vgallium, hp-vnet), some a little easier (villach, compmgr). But same as above: Get an overview, find out what you want to do, and use what's there.

What's possible to do (incomplete list):

a) sealing

b) (remote) attestation

c) based on a and b: CC@H usage scenario (Corporate Computing at Home; Xen machine at home has some measured domains running where the expected measurement will grant access to the corporate network, while other VMs are not measured and don't have access to the corporate network. Proof of Concept Prototype of the 2nd year of OpenTC.)

d) based on a, b, c: VDC usage scenario (Virtual Data Center: A cloud computing customer can only see his own VMs because the access to the VPN connecting his VPNs is only granted if the (TPM-sealed) credential is in place (called TVD, Trusted Virtual Domain). He can then use his administrative interface with libvirt on the backend. Proof of Concept Prototype of the 3rd year of OpenTC.).
actively. The system that is booting is being measured (e.g. a hash is created and stored in the TPM's PCRs (Platform Configuration Registers) for consumption at a point in time later). You'll find hashes from BIOS, boot loader (trustedgrub) and grub-bootables in /sys/devices/*/*/pcrs if the kernel module/driver for the TPM on your system has loaded. But apart from sealing functions the TPM doesn't do anything unless you ask it to.

Is this the default functionality in 11.2?
Negative. TC is not enabled by default, and since the value that it creates can only be leveraged many layers of abstraction beyond the startup procedures of a PC system, it shouldn't, as this wouldn't make sense.
Thank you very much
Oh, no worries. If there are more questions about it, the meaning of TC itself or its uses for Linux in particular, or Open Source in general, please, go ahead, ask (my experience is that questions about TC that seem dumb at start will very soon turn out to be non-trivial!), discuss, dispute, claim, correct and be corrected - get loud. This is the right place. Thanks for the resonance, Roman.
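An added example, not part of the original messages or of the OpenTC packages: a Python model of what the thread describes, parsing the text layout of the TPM 1.2 pcrs sysfs file, applying the extend operation, and comparing two boots. The component names, the PCR index chosen for each boot stage and the composite() helper (a simplified stand-in for sealing to a PCR selection) are assumptions made for illustration.

```python
import hashlib
import re

# Line format of the TPM 1.2 sysfs "pcrs" file: "PCR-00: 3A 3F ... (20 bytes)"
PCR_LINE = re.compile(r"^PCR-(\d{2}):((?: [0-9A-Fa-f]{2}){20})$")

def parse_pcrs(text):
    """Parse the text of a 'pcrs' file into {index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs

def format_pcrs(pcrs):
    """Render {index: value} in the same text layout (used for sample data)."""
    return "\n".join("PCR-%02d: %s" % (i, " ".join("%02X" % b for b in v))
                     for i, v in sorted(pcrs.items()))

def extend(old, component):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(measured component))."""
    return hashlib.sha1(old + hashlib.sha1(component).digest()).digest()

def boot(components):
    """Simulate one boot: PCRs start at zero, then each stage is extended."""
    pcrs = {i: bytes(20) for i in range(16)}
    for index, blob in components:
        pcrs[index] = extend(pcrs[index], blob)
    return pcrs

def changed(baseline, current):
    """Indices whose value differs between two snapshots."""
    return sorted(i for i in baseline if baseline[i] != current.get(i))

def composite(pcrs, mask):
    """Simplified stand-in for the PCR selection a sealed blob is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(mask))).digest()

# Constructed sample data; the PCR index per stage is illustrative only.
GOOD = [(4, b"bootloader stage1"), (8, b"bootloader stage2"), (14, b"kernel-A")]
BAD = [(4, b"bootloader stage1"), (8, b"bootloader stage2"), (14, b"kernel-B")]
baseline = parse_pcrs(format_pcrs(boot(GOOD)))  # snapshot after a known-good boot
current = parse_pcrs(format_pcrs(boot(BAD)))    # snapshot after the kernel changed

if __name__ == "__main__":
    print(format_pcrs(current))
    print("changed PCRs:", changed(baseline, current))
    print("unseal would succeed:",
          composite(baseline, {4, 8, 14}) == composite(current, {4, 8, 14}))
```

On a real system, pass the contents of the pcrs file found under /sys/devices/*/*/pcrs to parse_pcrs() after each boot and compare the result with a stored baseline.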
participants (2): Roman Drahtmueller, Tedi Heriyanto