[syslinux] SYSLINUX PXE LOCALBOOT Bitlockers

Ian Bannerman ian at internals.io
Mon May 5 11:36:54 PDT 2014


Threw in the wrong link for the TPM spec, apologies - http://www.trustedcomputinggroup.org/files/static_page_files/C2122862-1A4B-B294-D0289FD15408693D/TPM%20Rev%202.0%20Part%201%20-%20Architecture%2001.07-2014-03-13.pdf


--Ian
> From: ian at internals.io
> To: gene.cumm at gmail.com
> Date: Mon, 5 May 2014 13:04:36 -0500
> CC: syslinux at zytor.com; matthew.taylor at chevron.com
> Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers
> 
> That's a great question, actually, I should have remembered to mention that! You can control what factors are used for the TPM's integrity check to release the BitLocker key on boot. Depending on whether you're on a BIOS or EFI machine, there are slight differences, but definitely controllable by group policy. http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx#BKMK_depopt3
> 
> I have not tried to disable whichever one of the PCRs prevents boot deviations, but it may very well be possible. You can find more documentation on the PCRs in the TPM spec: http://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx#BKMK_depopt3
> 
> Bear in mind though that this would make it trivial to load malicious code before boot, defeating a key piece of BitLocker's protection. For example, anyone could pop Kon Boot into the machine and skate through login, something that would be blocked were this particular protection not disabled.
> 
> I hope that helps, good luck!
> 
> --Ian
> 
> > Date: Fri, 2 May 2014 19:08:27 -0400
> > From: gene.cumm at gmail.com
> > To: ian at internals.io
> > CC: syslinux at zytor.com; matthew.taylor at chevron.com
> > Subject: Re: [syslinux] SYSLINUX PXE LOCALBOOT Bitlockers
> > 
> > On Tue, Apr 29, 2014 at 2:43 PM, Ian Bannerman <ian at internals.io> wrote:
> > > Any deviation from the expected boot process will prevent BitLocker from
> > > accessing the volume key in the TPM. One reason this behavior exists is to
> > > prevent malicious code from being loaded (such as via booting first to CD /
> > > USB / PXE, loading malware, and then continuing to boot to Windows). So
> > > what's happening here is the deviation from firmware -> PXE -> HDD is
> > > detected and the volume key is not released.
> > >
> > > There is no circumventing this behavior.
> > >
> > > --Ian
> > 
> > I started wondering if you could use a TPM for key management but
> > disable the system integrity check.
> > http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_WhatIsBitLocker
> > seems the closest to saying no (though indirectly).
> > 
> > The wording of "On computers that have a Trusted Platform Module (TPM)
> > version 1.2 or 2.0, BitLocker uses the enhanced security capabilities"
> > doesn't say it's optional.
> > 
> > --
> > -Gene
> > 
> > A: Because it messes up the order in which people normally read text,
> > especially the archives of mailing lists.
> > Q: Why is Top-posting such a bad thing?
> > _______________________________________________
> > Syslinux mailing list
> > Submissions to Syslinux at zytor.com
> > Unsubscribe or set options at:
> > http://www.zytor.com/mailman/listinfo/syslinux
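The thread above turns on which PCRs BitLocker's TPM protector is sealed to: removing the PCRs that measure the boot path makes a CD/USB/PXE detour go unnoticed, which is exactly what the "Configure TPM platform validation profile" policies control. The following is an added example, not code from the mailing list or from the Syslinux project; it audits a host defensively by reading the PCR profile the TPM protector is actually bound to (parsed from `manage-bde -protectors -get` output) and comparing it with a minimal expected set. Assumptions: an elevated PowerShell prompt on a Windows host with manage-bde.exe, a `-FirmwareType` parameter you supply (the script does not auto-detect BIOS vs UEFI), and that the policy registry keys `OSPlatformValidation_BIOS` / `OSPlatformValidation_UEFI` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` hold one DWORD per enabled PCR, named by its index (verify this on your own build; the key layout is an assumption here).

```powershell
# Added example (not from the thread): audit BitLocker's TPM PCR validation
# profile and flag profiles that no longer detect a pre-boot deviation.
param(
    [string]$Drive = 'C:',
    [ValidateSet('BIOS', 'UEFI')]
    [string]$FirmwareType = 'UEFI'   # assumption: caller states the firmware type
)

# Minimal PCR sets whose absence lets "boot elsewhere first, then continue
# to Windows" go undetected. Indices follow the TPM PC Client conventions:
# 0 = firmware code, 2 = option ROMs, 4 = boot manager/MBR code,
# 7 = Secure Boot policy, 11 = BitLocker access control.
$ExpectedPcrs = @{
    'BIOS' = @(0, 2, 4, 11)
    'UEFI' = @(7, 11)
}

function Get-TpmProtectorPcrProfile {
    param([string]$Volume)
    # manage-bde prints "PCR Validation Profile:" followed by an indented,
    # comma-separated list of PCR indices for the TPM key protector.
    $text = (& manage-bde.exe -protectors -get $Volume 2>&1) | Out-String
    if ($text -match 'PCR Validation Profile:\s*\r?\n\s*([\d,\s]+)') {
        return @($Matches[1].Trim() -split '\s*,\s*' | ForEach-Object { [int]$_ })
    }
    return $null   # no TPM protector on this volume
}

function Get-PolicyPcrProfile {
    param([string]$FirmwareType)
    # Assumption: each enabled PCR is a DWORD named after its index, value 1.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_$FirmwareType"
    if (-not (Test-Path $key)) { return $null }   # policy not configured
    $props = Get-ItemProperty -Path $key
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 1 } |
        ForEach-Object { [int]$_.Name } | Sort-Object)
}

function Test-PcrProfile {
    param([int[]]$Actual, [int[]]$Expected)
    # Returns the expected PCRs that are missing from the actual profile.
    return @($Expected | Where-Object { $Actual -notcontains $_ })
}

$actual = Get-TpmProtectorPcrProfile -Volume $Drive
if ($null -eq $actual) {
    Write-Output "No TPM protector found on $Drive (key may be protected by password/USB only)."
    return
}
Write-Output ("TPM protector on {0} is sealed to PCRs: {1}" -f $Drive, ($actual -join ', '))

$policy = Get-PolicyPcrProfile -FirmwareType $FirmwareType
if ($null -ne $policy) {
    Write-Output ("Group policy ($FirmwareType) requests PCRs: {0}" -f ($policy -join ', '))
}

$missing = Test-PcrProfile -Actual $actual -Expected $ExpectedPcrs[$FirmwareType]
if ($missing.Count -gt 0) {
    Write-Warning ("Profile omits PCR(s) {0}; a CD/USB/PXE boot before Windows " +
                   "would not change the sealed measurements, so the volume key " +
                   "would still be released." -f ($missing -join ', '))
} else {
    Write-Output "Profile covers the boot path for $FirmwareType firmware; deviations will block key release."
}
```

Run it as `.\Audit-BitLockerPcrs.ps1 -Drive C: -FirmwareType UEFI` on the machine in question. The point of the check is the warning branch: a profile trimmed to avoid the PXE-then-local-boot failure described in the thread is the same profile that lets a pre-boot tool load unnoticed, so the audit reports it rather than suggesting the change.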