[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    Re: [qubes-devel] CoreBoot + Qubes on thinkpad x230
From:       Trammell Hudson <hudson () trmm ! net>
Date:       2016-07-26 18:26:47
Message-ID: 20160726182647.GK16348 () chishio ! swcp ! com
[Download RAW message or body]

On Mon, Jul 25, 2016 at 11:11:07AM +0200, Joanna Rutkowska wrote:
> One question out of curiosity: how did you verify the
> authenticity/integrity of your coreboot clone? I just
> cloned the repo also, but I see 1) no signed tags, nor 2)
> signed commits?

That's a good question.  I've also built the CoreBoot 4.4
release and verified their signature on the tar file, but
that doesn't mean the tree is unmodified.

In better news, I have figured out why Xen won't start from
kexec on a Linux CoreBoot payload.  Sometime between 3.1.0
and 3.1.3 they added numerous dependencies on the BIOS and
EBDA structures for initializing the VGA console as well as
figuring out where to stash pre-boot data.

I forward ported the 3.1.0 xen/drivers/video/vga.c to 4.6.3
and modified xen/arch/x86/boot/trampoline.S to not make any
real mode calls, and modified xen/arch/x86/boot/head.S to 
use the Multiboot lower memory pointer for the trampoline
segment.

Now my x230 boots Coreboot, which starts the Linux payload,
which will be able to bring up the TPM and establish the
root of trust from inside the ROM, authenticate to the
user via tpmtotp, unseal the disk encryption keys, measure
the Xen payload and configuration before calling kexec()
on it, etc.

-- 
Trammell

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/20160726182647.GK16348%40chishio.swcp.com.
 For more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]