The platform firmware protection checks make sure that BootGuard is configured in verified boot mode, which means that the firmware that executes has to be authenticated by an OEM key fused into the chipset by BootGuard. It also appears to have a measured boot profile (although it's not clear whether the tooling Intel supplies to OEMs supports enabling measured boot without verified boot), but we could add support for measured boot (with some restrictions on the type of devices this would be permitted on, to be elaborated on later). It would require the following changes:
- `checkPlatformFirmwareProtectionsIntelMEI` would permit measured boot only as a valid configuration, and return some indicator that verified boot is not enabled.
- `checkPlatformFirmwareProtections` would need to surface this.
- The results returned by `RunChecks` would have a new flag to indicate that the platform firmware is not verified, but that it is measured.
- The `WithAutoPCRProfile` option would add PCR0 to the policy if the supplied results indicate that verified boot is disabled.
Note that this would have an effect on some other, as yet undesigned, security-related properties of the system - verified boot would obviously be required if a vendor wants a way to permit a device to run only Ubuntu Core, rather than any generic operating system. Or if we want to go even further than that and provide a way to restrict the runtime code that can execute on a device to a set of snaps that are defined by the brand, or restrict a device to a specific model etc., so that a vendor can prevent arbitrary code and operating systems from running on their hardware if they desire this.
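The policy logic proposed above, sketched as an added Go model that is not secboot's own code: the check distinguishes verified boot, measured-only boot and an unprotected platform, `RunChecks`-style result flags carry the "measured but not verified" indicator, and the auto PCR profile adds PCR0 only in that case so that a firmware change invalidates the sealed key. The flag name, the error value and the baseline PCR7 selection are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// PlatformFirmwareProtections is a hypothetical stand-in for what the Intel
// MEI based check learns about the BootGuard configuration.
type PlatformFirmwareProtections struct {
	VerifiedBoot bool // firmware authenticated by the OEM key fused into the chipset
	MeasuredBoot bool // firmware measured into PCR0 before it executes
}

// CheckResultFlags models the indicator the proposal says RunChecks would return.
type CheckResultFlags uint

const (
	// PlatformFirmwareNotVerified (assumed name): the firmware is measured but
	// not verified, so the PCR policy itself must bind to the firmware state.
	PlatformFirmwareNotVerified CheckResultFlags = 1 << iota
)

// ErrNoFirmwareProtection (assumed name) rejects a platform with neither mode.
var ErrNoFirmwareProtection = errors.New("platform firmware is neither verified nor measured")

// checkPlatformFirmwareProtections models the proposed behaviour: verified boot
// passes with no flag, measured-only boot passes with a flag, anything else fails.
func checkPlatformFirmwareProtections(p PlatformFirmwareProtections) (CheckResultFlags, error) {
	switch {
	case p.VerifiedBoot:
		return 0, nil
	case p.MeasuredBoot:
		return PlatformFirmwareNotVerified, nil
	default:
		return 0, ErrNoFirmwareProtection
	}
}

// autoPCRProfile models the WithAutoPCRProfile decision. PCR7 is used here as
// an assumed baseline; PCR0 is added only when the firmware is not verified.
func autoPCRProfile(flags CheckResultFlags) []int {
	pcrs := []int{7}
	if flags&PlatformFirmwareNotVerified != 0 {
		pcrs = append([]int{0}, pcrs...)
	}
	return pcrs
}

func main() {
	for _, p := range []PlatformFirmwareProtections{{true, true}, {false, true}, {false, false}} {
		flags, err := checkPlatformFirmwareProtections(p)
		fmt.Printf("%+v -> flags=%b pcrs=%v err=%v\n", p, flags, autoPCRProfile(flags), err)
	}
}
```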
@kukrimate I can't assign you directly, but if you agree with the approach (particularly if it's limited only to firmware-based TPMs), this looks like the kind of issue that you could address relatively easily if you want to (and I can help out re styles and approach to unit testing). Feel free to assign it to yourself if you'd like to have a go.