[Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust

Kees Cook keescook at chromium.org
Thu Aug 4 05:26:29 UTC 2016


On Wed, Aug 3, 2016 at 4:22 PM, Andy Lutomirski <luto at amacapital.net> wrote:
> On Wed, Aug 3, 2016 at 4:01 PM, Ben Hutchings <ben at decadent.org.uk> wrote:
>> On Wed, 2016-08-03 at 09:46 -0700, Andy Lutomirski wrote:
>> [...]
>>> And it gets rid of the IMO extremely nasty temporary key.  I
>>> personally think that reproducible builds would add considerable value
>>> to many use cases, and we currently can't simultaneously support
>>> reproducible builds and Secure Boot without a big mess involving
>>> trusted parties, and the whole point of reproducible builds is to
>>> avoid needed to trust the packager.
>> [...]
>>
>> You need that trusted party to supply a signature for the kernel, so
>> why is it so much worse to have them do that for the modules as well?
>>
>
> For Chromium-like setups, I don't think the kernel is signed as such
> -- it's verified (by hash?  by loading from trusted storage?) and
> executed.

The kernel (and command line) are in a single partition with a signed
hash which the bootloader verifies before running the kernel.

-Kees

-- 
Kees Cook
Brillo & Chrome OS Security


More information about the Ksummit-discuss mailing list