Presented by

  • Matthew Garrett

    Matthew Garrett
    @mjg59

    Matthew is a security developer at Google, helping secure Linux systems used by developers. He has worked on a range of Linux-related topics, specialising on low-level integration with the firmware and boot security.

Abstract

Systems with a Trusted Platform Module generate a cryptographically verifiable event log of every component of the boot process. They can then provide a signed quote of this log in order to prove to a remote site that they booted the expected software. In the early 2000s we were concerned about that resulting in websites that would refuse to grant you access unless you were running an unmodified proprietary operating system, but for various reasons that turned out to not be a problem in the real world. Some years later, how can we use this attestation data for the power of good? This presentation will describe the functionality of TPMs and how the event log is generated, and describe techniques for making use of TPMs to protect access to network resources, solve the problem of trusting SSH host keys in enterprise environments and make it easier for people to recover their systems while on the road. It will include demonstrations of using newly released open source software to build novel attestation solutions for protecting end users without giving up privacy or control.