Grub 2 is a newer version of the original Grub, and Trusted Grub 2 is derived from Grub 2. It is used to start Linux from encrypted disks using the Trusted Platform Module (TPM). The TPM is used to detect changes to the computer hardware and boot software: an unauthorized change is detected and the computer will not start up, protecting the data on the encrypted disk.
We tinkered around with Trusted Grub 2 and the TPM and this is what we have working today:
- Password authentication (the user must enter a password before the computer starts up).
- Detection of (unauthorized) modification of the BIOS, disk partitions, boot loader, kernel etc.
- Hard disk platform binding (the hard disk will not work in another computer, preventing Evil Maid attacks).
- Key escrow and recovery.
- Full Disk Encryption using the standard Linux dm-crypt with AES-NI support (when your CPU supports AES-NI there is virtually no performance loss).
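The detection and platform-binding points above rest on one mechanism: every boot component is hashed into a TPM Platform Configuration Register (PCR) with the extend operation PCR_new = H(PCR_old || H(component)), and the disk key is sealed so that it is only released when the PCRs hold the expected values and the request comes from the same TPM chip. The following is an added example written for this page, not code from Trusted Grub 2 or from the TPM specification: it models that logic with a simplified `ToyTPM` class (the per-chip secret, the sample boot components and the `run_scenarios` helper are constructed for illustration) and shows why a modified bootloader or a disk moved to another machine does not get the key.

```python
import hashlib
import os

DIGEST = hashlib.sha256
PCR_RESET = bytes(32)  # PCRs are all-zero after a platform reset

# Constructed sample boot chain. On a real system these would be the BIOS
# image, the partition table, the Trusted Grub 2 binary, the kernel, etc.
GOOD_BOOT_CHAIN = [
    ("bios", b"constructed BIOS firmware image v1"),
    ("partition-table", b"constructed GPT bytes"),
    ("bootloader", b"constructed Trusted Grub 2 core.img"),
    ("kernel", b"constructed vmlinuz"),
]


def pcr_extend(pcr, data):
    """TPM-style extend: the register can only be moved forward by hashing,
    never set directly, so a change anywhere in the chain changes the end."""
    return DIGEST(pcr + DIGEST(data).digest()).digest()


def measure_chain(chain):
    """Measure every component in boot order into a single PCR value."""
    pcr = PCR_RESET
    for _name, blob in chain:
        pcr = pcr_extend(pcr, blob)
    return pcr


class ToyTPM:
    """Simplified stand-in for a TPM (assumption: not the real command set).

    It holds a per-chip secret (modelling the storage root key that never
    leaves the chip) and one PCR bank.
    """

    def __init__(self, chip_secret=None):
        self._secret = chip_secret or os.urandom(32)
        self.pcr = PCR_RESET

    def boot(self, chain):
        """Simulate a boot: reset the PCR and measure the chain into it."""
        self.pcr = measure_chain(chain)

    def seal(self, key, expected_pcr):
        """Bind a 32-byte key to this chip and to an expected PCR value."""
        assert len(key) == 32
        pad = DIGEST(self._secret + expected_pcr).digest()
        blob = bytes(a ^ b for a, b in zip(key, pad))
        return {"pcr_policy": expected_pcr, "blob": blob}

    def unseal(self, sealed):
        """Release the key only when the current PCR matches the policy; the
        pad also depends on the chip secret, so another chip gets garbage."""
        if self.pcr != sealed["pcr_policy"]:
            raise PermissionError("PCR mismatch: boot chain was modified")
        pad = DIGEST(self._secret + self.pcr).digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


def _unseal_matches(tpm, sealed, expected_key):
    """True only if the TPM releases the key and it is the right one."""
    try:
        return tpm.unseal(sealed) == expected_key
    except PermissionError:
        return False


def run_scenarios():
    """Run the three cases the page describes and report the outcome of each."""
    disk_key = os.urandom(32)  # constructed dm-crypt volume key
    laptop = ToyTPM()
    laptop.boot(GOOD_BOOT_CHAIN)
    sealed = laptop.seal(disk_key, laptop.pcr)  # done once at install time
    results = {}

    # 1. Clean boot with the same hardware and software: key is released.
    laptop.boot(GOOD_BOOT_CHAIN)
    results["clean_boot"] = _unseal_matches(laptop, sealed, disk_key)

    # 2. Bootloader modified (e.g. Evil Maid): the PCR differs, no key.
    tampered = [(n, b + b" (modified)" if n == "bootloader" else b)
                for n, b in GOOD_BOOT_CHAIN]
    laptop.boot(tampered)
    results["tampered_bootloader"] = _unseal_matches(laptop, sealed, disk_key)

    # 3. Disk moved to another computer: same boot chain, different chip,
    #    so the PCR policy passes but the recovered key is wrong.
    other = ToyTPM()
    other.boot(GOOD_BOOT_CHAIN)
    results["other_machine"] = _unseal_matches(other, sealed, disk_key)
    return results


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case}: {'key released' if ok else 'key withheld'}")
```

Scenario 3 is what makes key escrow (the next item in the list) necessary in practice: because the sealed blob is useless without the original chip, a legitimate motherboard replacement or TPM failure needs an escrowed copy of the volume key to recover the data.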
Screenshots (images not preserved): Trusted Grub 2 boot screen; user authentication (all OK); error during boot (TPM detected breach) and recovery.
All is working now on the client side. We are looking into enterprise-class key management but we lack the resources for that now. Please stand by for more progress on this.