Updating Linux with TUX: Trust Update for Linux Kernel

Explore a conference talk on TUX (Trust Update for Linux Kernel), a proposed solution to maintain up-to-date integrity of the pre-boot environment in Linux systems. Learn about the challenges posed by frequent security updates and how TUX addresses them by consolidating kernel repositories with Intel's Open CIT. Discover how TUX deploys kernels with updated integrity values as signatures and implements a secure bootloader for integrity verification during boot. Gain insights into the architecture of TUX, including its Integrity Manager, kernel update process, and remote attestation capabilities. Understand the concept of Trusted Secure boot (TS-Boot) and its integration with UEFI secure boot, Shim, and Cores Grub. Examine the use of TPM measurements and PCR-Verification in maintaining system trust. Watch a demo of TUX in action and engage in a discussion on the importance of managing integrity changes alongside system updates.

Intro
Intel Trusted Execution Technology (TXT)
Open Cloud Integrity Technology (CIT) Intel's remote attestation solution
UEFI secure boot UEFI BIOS's Verified boot component
Threats!
Goals! To maintain integrity properly
Trusted Platform Module (TPM)
Shim and Grub Shim
Assumptions
TUX Architecture
Integrity Manager
Kernel update using TUX
Remote attestation with TUX
Trusted Secure boot (TS-Boot) Combination of UEFI secure boot, Shim, and Cores Grub
PCR-Verification
TPM measurements
Experiment
Demo
Discussion
Conclusion Integrity changes when update is conducted and thus it should be property managed along with updates