On Sat, Aug 21, 2021 at 04:05:11PM +0200, Vincent Bernat wrote:
>  ❦ 30 November 2016 20:11 GMT, Urquiza, Fabio:
>
> > We think that TPM support is a good addition to Debian because it can
> > increase its adoption in environments where a more secure approach to
> > the booting is needed, by being able to securely measure if any
> > component has been tampered.
>
> It seems that Grub in Debian has now TPM support as there is a tpm.mod
> shipped with Grub. Manual here:
> https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html
>
> The documentation suggests the module should be builtin. If not, it is a
> bit unknown what can happen. Maybe the tpm.mod itself can be tampered?
>
> Would it be possible to have the module builtin for GRUB UEFI (where
> the size does not matter)?

It already is, in bullseye:

  grub2 (2.04-18) unstable; urgency=medium

    [ Steve McIntyre ]
    * Enable the shim_lock and tpm modules for i386-efi too. Ensure that tpm
      is included in our EFI images.

  [...]

   -- Colin Watson <cjwat...@debian.org>  Sun, 25 Apr 2021 16:20:17 +0100

Do we think that's enough to close this bug?

--
Colin Watson (he/him)                              [cjwat...@debian.org]