Explore a conference talk on TUX (Trust Update for Linux Kernel), a proposed solution to maintain up-to-date integrity of the pre-boot environment in Linux systems. Learn about the challenges posed by frequent security updates and how TUX addresses them by consolidating kernel repositories with Intel's Open CIT. Discover how TUX deploys kernels with updated integrity values as signatures and implements a secure bootloader for integrity verification during boot. Gain insights into the architecture of TUX, including its Integrity Manager, kernel update process, and remote attestation capabilities. Understand the concept of Trusted Secure boot (TS-Boot) and its integration with UEFI secure boot, Shim, and Cores Grub. Examine the use of TPM measurements and PCR-Verification in maintaining system trust. Watch a demo of TUX in action and engage in a discussion on the importance of managing integrity changes alongside system updates.
Updating Linux with TUX: Trust Update for Linux Kernel
Overview
Syllabus
Intro
Intel Trusted Execution Technology (TXT)
Open Cloud Integrity Technology (CIT) Intel's remote attestation solution
UEFI secure boot UEFI BIOS's Verified boot component
Threats!
Goals! To maintain integrity properly
Trusted Platform Module (TPM)
Shim and Grub Shim
Assumptions
TUX Architecture
Integrity Manager
Kernel update using TUX
Remote attestation with TUX
Trusted Secure boot (TS-Boot) Combination of UEFI secure boot, Shim, and Cores Grub
PCR-Verification
TPM measurements
Experiment
Demo
Discussion
Conclusion Integrity changes when update is conducted and thus it should be property managed along with updates
Taught by
Linux Foundation
Tags
Related Courses
-
Securing TPM Secrets in the Datacenter
-
Securing TPM Secrets with TXT and Kernel Signatures
-
Using the TPM NVRAM to Protect Secure Boot Keys in POWER9 OpenPOWER Systems
-
Implementing UEFI-based Secure Boot and OTA Updates for Embedded ARM Devices
-
Towards Measured Boot Out of the Box
-
TPM Security Enhancements to the Linux Kernel
