Bug#846383: grub2: add TPM support
Vincent Bernat
bernat at debian.org
Sat Aug 21 19:42:26 BST 2021
❦ 21 August 2021 17:45 +01, Colin Watson:
>> > We think that TPM support is a good addition to Debian because it can increase
>> > its adoption in environments where a more secure approach to booting is
>> > needed, by being able to securely measure whether any component has been
>> > tampered with.
>>
>> It seems that Grub in Debian now has TPM support, as there is a tpm.mod
>> shipped with Grub. Manual here:
>> https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html
>>
>> The documentation suggests the module should be builtin. If not, it is a
>> bit unknown what can happen. Maybe the tpm.mod itself can be tampered?
>>
>> Would it be possible to have the module builtin for GRUB UEFI (where
>> the size does not matter)?
>
> It already is, in bullseye:
>
> grub2 (2.04-18) unstable; urgency=medium
>
> [ Steve McIntyre ]
> * Enable the shim_lock and tpm modules for i386-efi too. Ensure that
> tpm is included in our EFI images.
> [...]
>
> -- Colin Watson <cjwatson at debian.org> Sun, 25 Apr 2021 16:20:17 +0100
>
> Do we think that's enough to close this bug?
Does this mean it's inside "core.efi"? I think this is not the case:
there is a "tpm.mod" file and "strings core.efi | grep tpm" does not
return any result. But maybe it's easy for a user to build a core.efi
with the module added? Some users may like core.efi to be signed, but
that's not my case.
--
Consider well the proportions of things. It is better to be a young June-bug
than an old bird of paradise.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"