[148189] in cryptography@c2.net mail archive
Re: [Cryptography] programable computers inside our computers (was:
daemon@ATHENA.MIT.EDU (Steve Weis)
Sat Nov 16 15:51:06 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CA+cU71nKu+CgbkTusufK=qpcjWJFBuNR7kjf_jdeW5=rMqzvTg@mail.gmail.com>
From: Steve Weis <steveweis@gmail.com>
Date: Fri, 15 Nov 2013 11:00:53 -0800
To: Tom Ritter <tom@ritter.vg>
Cc: Jerry Leichter <leichter@lrw.com>, John Ioannidis <ji@tla.org>,
cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Fri, Nov 15, 2013 at 8:02 AM, Tom Ritter <tom@ritter.vg> wrote:
> Also, I believe TPM 2.0 includes remote attestation. Clearly this
> could be abused, and probably will be, but I'm also interested in
> applicability in scenarios where the querier and attestor are in
> cooperation. I'd love to query cryptocat's servers and verify they are
> running a particular system build without modification.
> ...
Was there a question that remote attestation would be removed from TPM
2.0? I assumed it would continue to be included, but perhaps I'm
wrong.
Remote attestation works on TPM 1.2 with TXT as you describe. You can
bring up a remote host and measure the BIOS, option ROMs, SINIT, MLE,
kernel, boot parameters, initrd, etc.
We have this working in practice on some dedicated hosting providers.
There are some security caveats and vendor-specific nits, though.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
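The cooperating querier/attestor exchange described in this thread, as an added example that is not code from the original message or from any hosting provider's deployment: a host replays a measured boot into simulated TPM 1.2 PCRs (SHA-1 extend), signs a TPM_Quote over the selected PCRs and the querier's nonce with an AIK, and the querier verifies the signature before comparing the reported PCRs to golden values for the build it expects. The PCR layout (0 for BIOS, 2 for option ROMs, 17/18 for SINIT and MLE, 19 for kernel, command line and initrd), the sample measurements, and the in-process AIK are assumptions; a real deployment reads the quote from the TPM and the AIK public key from a provisioning step.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sort"
)

// Digest is a TPM 1.2 PCR value (SHA-1, 20 bytes).
type Digest [sha1.Size]byte

// Extend folds a measurement into a PCR as TPM_Extend does:
// PCR = SHA-1(PCR || SHA-1(data)). Order matters, so the final value
// commits to the whole boot sequence, not just its last component.
func Extend(pcr Digest, data []byte) Digest {
	m := sha1.Sum(data)
	return sha1.Sum(append(pcr[:], m[:]...))
}

// Stage is one measured boot component. PCR numbers are an assumed
// TXT/tboot-style layout; the real mapping depends on platform and policy.
type Stage struct {
	PCR  int
	Name string
	Data []byte
}

// SampleChain is a constructed boot sequence; the byte strings stand in
// for the real BIOS, option ROM, SINIT ACM, MLE, kernel, cmdline and initrd.
func SampleChain(kernel []byte) []Stage {
	return []Stage{
		{0, "BIOS", []byte("bios-1.2.3")}, {2, "OptionROM", []byte("nic-oprom")},
		{17, "SINIT", []byte("sinit-acm")}, {18, "MLE", []byte("tboot-mle")},
		{19, "kernel", kernel}, {19, "cmdline", []byte("root=/dev/sda1 ro")},
		{19, "initrd", []byte("initrd.img")},
	}
}

// Boot replays the chain into a fresh (all-zero) PCR bank.
func Boot(chain []Stage) map[int]Digest {
	pcrs := map[int]Digest{}
	for _, s := range chain {
		pcrs[s.PCR] = Extend(pcrs[s.PCR], s.Data)
	}
	return pcrs
}

// pcrComposite serialises TPM_PCR_COMPOSITE: TPM_PCR_SELECTION (sizeOfSelect=3,
// 24-bit bitmap), valueSize, then the selected PCR values in ascending order.
func pcrComposite(sel []int, pcrs map[int]Digest) []byte {
	sorted := append([]int(nil), sel...)
	sort.Ints(sorted)
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(3))
	var bitmap [3]byte
	for _, i := range sorted {
		bitmap[i/8] |= 1 << (uint(i) % 8)
	}
	buf.Write(bitmap[:])
	binary.Write(&buf, binary.BigEndian, uint32(len(sorted)*sha1.Size))
	for _, i := range sorted {
		v := pcrs[i]
		buf.Write(v[:])
	}
	return buf.Bytes()
}

// quoteInfo builds TPM_QUOTE_INFO: version 1.1.0.0, fixed tag "QUOT",
// SHA-1 of the composite, and the querier's 20-byte nonce (externalData).
func quoteInfo(composite []byte, nonce Digest) []byte {
	h := sha1.Sum(composite)
	var buf bytes.Buffer
	buf.Write([]byte{1, 1, 0, 0})
	buf.WriteString("QUOT")
	buf.Write(h[:])
	buf.Write(nonce[:])
	return buf.Bytes()
}

// Quote is what the attesting host returns: the PCR values it claims and
// the AIK signature binding them to the querier's nonce.
type Quote struct {
	Sel  []int
	PCRs map[int]Digest
	Sig  []byte
}

// Attest signs the selected PCRs with the AIK, as TPM_Quote would (PKCS#1 v1.5 over SHA-1).
func Attest(aik *rsa.PrivateKey, pcrs map[int]Digest, sel []int, nonce Digest) (Quote, error) {
	reported := map[int]Digest{}
	for _, i := range sel {
		reported[i] = pcrs[i]
	}
	digest := sha1.Sum(quoteInfo(pcrComposite(sel, reported), nonce))
	sig, err := rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA1, digest[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{Sel: sel, PCRs: reported, Sig: sig}, nil
}

// Verify is the querier's side: first check the signature covers exactly the
// reported PCRs and our nonce (freshness), only then compare PCRs to the golden
// values. Comparing first would trust unauthenticated data.
func Verify(aikPub *rsa.PublicKey, q Quote, nonce Digest, golden map[int]Digest) error {
	digest := sha1.Sum(quoteInfo(pcrComposite(q.Sel, q.PCRs), nonce))
	if err := rsa.VerifyPKCS1v15(aikPub, crypto.SHA1, digest[:], q.Sig); err != nil {
		return fmt.Errorf("quote signature invalid (wrong AIK, altered PCRs or stale nonce): %w", err)
	}
	for i, want := range golden {
		got, ok := q.PCRs[i]
		if !ok {
			return fmt.Errorf("PCR %d not included in quote", i)
		}
		if got != want {
			return fmt.Errorf("PCR %d mismatch: got %x, want %x", i, got, want)
		}
	}
	return nil
}

func main() {
	aik, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for a provisioned AIK
	golden := Boot(SampleChain([]byte("vmlinuz-3.12")))
	var nonce Digest
	rand.Read(nonce[:])
	sel := []int{0, 2, 17, 18, 19}
	q, _ := Attest(aik, golden, sel, nonce)
	fmt.Println("clean host:", Verify(&aik.PublicKey, q, nonce, golden))
	bad, _ := Attest(aik, Boot(SampleChain([]byte("vmlinuz-3.12-modified"))), sel, nonce)
	fmt.Println("modified kernel:", Verify(&aik.PublicKey, bad, nonce, golden))
}
```

The golden PCR values are themselves the hard part in practice: they have to be recomputed for every BIOS, SINIT and kernel update, and a querier that accepts an unverified golden list has only moved the trust problem rather than solved it.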