For the literally dozens of people who care about the intersection of TPM remote attestation, kexec, Windows, and BitLocker: LinuxBoot can receive the BitLocker key from the remote attestation server, which is passed to the kexec'ed Windows boot loader via a UEFI ramdisk, so there is no clear-text on the disk, not even an EFI System Partition.

@th hang on a sec; "kexec'ed Windows boot loader"?! htf are you kexec'ing a Windows boot loader

@penguin42 kexec_load() takes a memory map of segments and doesn't care about the actual file format (although the kexec tool does, since it has to build that map). In this case I'm actually kexec'ing a special build of edk2 called UefiPayloadPkg that then loads the Windows boot loader from a ramdisk rather than the real disk.

@th So that's LinuxBoot -> kexec -> UefiPayloadPkg -> Windows boot loader? 'fun'
If you're running BitLocker in Windows, are any of those components actually updating the TPM?

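The question above, whether each stage in the LinuxBoot -> kexec -> UefiPayloadPkg -> Windows chain extends a PCR, is exactly what decides whether the attestation server releasing the BitLocker key can tell a tampered boot loader from a good one. The following is an added example (not code from the thread or from LinuxBoot/edk2): a Python simulation of the TPM 2.0 SHA-256 PCR extend operation, new = SHA256(old || digest), run over a constructed three-stage chain. The stage names and image bytes are stand-ins, and which stages get measured is a hypothetical parameter; the point it shows is that a stage whose loader never measures it can be swapped without changing the PCR, so the attestation policy silently stops covering it.

```python
import hashlib

# PCRs 0-15 are reset to all zeros at boot (SHA-256 bank: 32 bytes).
PCR_INIT = bytes(32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR_Extend for the SHA-256 bank: new = H(old || digest).

    The operation is one-way and order-dependent, which is why a replayed
    event log must list measurements in exactly the boot order.
    """
    assert len(pcr) == 32 and len(digest) == 32
    return sha256(pcr + digest)


def measure_chain(stages, measured):
    """Simulate a boot chain.

    stages:   ordered list of (stage_name, image_bytes); each loader would
              hash the next image before jumping to it.
    measured: set of stage names whose loader actually extends the PCR
              (hypothetical parameter: in the real chain this depends on
              whether LinuxBoot and the kexec'ed payload do the measuring).
    Returns (final_pcr, event_log) where event_log mimics what the
    attestation server receives alongside the TPM quote.
    """
    pcr = PCR_INIT
    log = []
    for name, image in stages:
        if name in measured:
            digest = sha256(image)
            pcr = pcr_extend(pcr, digest)
            log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Attestation-server side: recompute the expected PCR from the log.

    A quote whose PCR matches this replay proves the log is complete and
    untampered, but it can only vouch for stages that appear in it.
    """
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed stand-in images; real ones would be the actual binaries.
STAGES = [
    ("linuxboot", b"constructed LinuxBoot image v1"),
    ("uefipayload", b"constructed UefiPayloadPkg image v1"),
    ("bootmgfw", b"constructed Windows boot manager v1"),
]


def demo():
    """Compare a fully measured chain with one where the last hop is not."""
    full = {"linuxboot", "uefipayload", "bootmgfw"}
    partial = {"linuxboot", "uefipayload"}  # payload never measures bootmgfw
    tampered = [
        (name, image + b" TAMPERED" if name == "bootmgfw" else image)
        for name, image in STAGES
    ]
    pcr_full_ok, log = measure_chain(STAGES, full)
    pcr_full_bad, _ = measure_chain(tampered, full)
    pcr_part_ok, _ = measure_chain(STAGES, partial)
    pcr_part_bad, _ = measure_chain(tampered, partial)
    return {
        # every hop measured: a modified boot manager changes the PCR
        "full_detects_tamper": pcr_full_ok != pcr_full_bad,
        # last hop unmeasured: the PCR is identical, tampering is invisible
        "partial_detects_tamper": pcr_part_ok != pcr_part_bad,
        # the server can reconstruct the quoted PCR from the log
        "log_replays": replay_log(log) == pcr_full_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check for the setup in the thread is the second flag: if UefiPayloadPkg (or whatever hands off to bootmgfw from the ramdisk) does not extend a PCR with the boot manager's hash, the attestation server is sealing the BitLocker key to a PCR state that no longer says anything about the code that will actually receive that key.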