LinuxCon ContainerCon CloudOpen China

Grub is a decent bootloader for many Linux distros that supports rich functionalities. Recent TrustedGRUB2 supports measured boot with TPM. It measures the integrity of booting process, generating a hash value that could be used for root-of-trust. On the other hand, UEFI defines secure boot, which checks the validity of the bootloader and kernel. Unfortunately, both have some limitations: measured boot lacks in enforcement mechanism, and secure boot doesn't give any provenance of integrity to use as root-of-trust. Secure boot+measured boot makes Linux booting harden. Secure boot will check the integrity of binary, with proper enforcement mechanism; measured boot will provide root-of-trust that measures the system integrity information to the post-boot software. This talk will review why and how the two booting processes (secure boot and measured boot) can be integrated with TrustedGRUB.