I'd like to use the TPM to secure my boot process for my linux laptop. Any manual, howto or tutorial I have found about this topic mentions I have to use the TrustedGrub bootloader to keep up the trust chain. TrustedGrub, however, is not in the repositories of any major distribution, it is based on Grub1 so the number of file systems it can boot from is quite limited, and worst of all, it cannot boot from UEFI, so I simply cannot use it.
What I want to do is seal a passkey for unlocking an encrypted drive in the TPM.
The question on my mind is: do I really absolutely have to use TrustedGrub to use the TPM, or can I use another boot loader like Grub2, Shim, Gummiboot or whatelse is there? Does the bootloader actually matter which bootloader I choose?
3 Answers
It depends on your requirements. You can always access the TPM and perform sealing/unsealing operations.
But if you want a secure boot then you have only two options:
- Use a bootloader which is extending the chain of trust.
- Perform a late launch, for example with Intel's tboot and Intel TXT.
If you don't do either, you can't trust your platform configuration.
EDIT: On January 30th 2014, TBoot announced support for UEFI.
4In case of both, secure booting and trusted booting you need to get trusted grub. Trusted grub will measure the boot process. I am not aware of anything which is not using trusted grub.
You do not need to install or configure TrustedGRUB to use the TPM tools in Linux.
I experimented with the tools on my system and they worked without TrustedGRUB being installed, including sealing and unsealing files. You'd probably seal a file containing the key and then hook into an existing bootscript (or add a bootscript) to unseal the key and use it to run a cryptsetup luksOpen ... --key-file {your unsealed key on a tmpfs} or similar.
Of course, take ownership of the TPM and reboot first.