grub-devel

Re: A _good_ and valid use for TPM


From: Alex Besogonov
Subject: Re: A _good_ and valid use for TPM
Date: Thu, 19 Feb 2009 19:43:46 +0200

>First of all, your system is still totally vulnerable to emanation and
>power analysis or hardware tampering.
Yes, but that's way too hard.

>By reflashing the BIOS one can bypass all
>tpm protections (don't say it's difficult because it's closed source and
>so on. Look at all closed source obfuscations/pseudo-protections that
>get cracked every day)
That's possible, but again I don't consider this critical. The BIOS itself
is checksummed and checked by the root of trust.

>Personally if tpm support is merged into mainline grub2 I'll stop using
>it.
Why?

>However, what you request doesn't need a TPM. Authenticity of modules,
>configuration files and so on can be verified by one of 4 methods:
>1) internal signatures
>2) file in signed gpg container
>3) detached signatures
>4) signed hash file
Won't work.

For example, an attacker can run everything inside a hypervisor and then
just dump memory and extract the decryption keys. You have no reliable
way to detect a hypervisor from inside the running OS. You can pile
layers upon layers of integrity checks, but they are useless if the
hardware itself is not trusted.  The TPM allows me to establish this
trust.

Actually, I can probably even formally prove this assumption.

>The first advantage is that you can override it manually by supplying the grub password
The administrator can manually override the TPM by supplying the decryption
key directly instead of fetching it from my key server.

[skipped because this scheme just won't work]

>I personally would be interested in implementing security features in
>grub2 as long as tpm stays away
Then that's a religion, not engineering.

PS: please, can you CC me when you answer my posts?
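The argument in the message above is that a TPM-sealed secret is released only when every measured boot stage matches the values it was sealed against, which is what file signatures cannot give you once an unmeasured hypervisor sits underneath the OS. The following is an added example that is not part of the original thread and not GRUB or TPM code: it imitates PCR extend and seal/unseal with plain hashlib/hmac, and the stage images, storage root key and disk key are all constructed byte strings. It shows the disk key unsealing for the expected chain and staying locked when an extra hypervisor stage is measured in front of the chain or the BIOS image changes.

```python
"""Toy model of sealing a disk-decryption key to a measured boot chain.

Constructed example: PCR extend and seal/unseal are imitated here with
hashlib/hmac and are NOT the TPM interface or wire format. The stage
images, SRK and disk key are made-up byte strings.
"""
import hashlib
import hmac

DIGEST = hashlib.sha256          # assumption: SHA-256 PCR bank
PCR_INITIAL = bytes(DIGEST().digest_size)

# Constructed boot stages in measurement order (not real images).
GOOD_CHAIN = [
    b"BIOS image v1",
    b"grub core.img",
    b"grub.cfg: linux /vmlinuz root=/dev/mapper/root",
    b"vmlinuz",
]

SRK = b"constructed storage root key (never leaves a real TPM)"
DISK_KEY = b"0123456789abcdef0123456789abcdef"   # constructed 256-bit key


def pcr_extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM extend: PCR <- H(PCR || H(blob)).

    The register is never written directly, so a stage measured later
    cannot erase or replace an earlier measurement.
    """
    return DIGEST(pcr + DIGEST(blob).digest()).digest()


def measure_chain(stages) -> bytes:
    """Each stage is measured into the PCR before it runs."""
    pcr = PCR_INITIAL
    for blob in stages:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _keystream(srk: bytes, pcr: bytes, length: int) -> bytes:
    """Keystream derived from the SRK and the PCR value (toy KDF)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = b"seal" + pcr + counter.to_bytes(4, "big")
        out += hmac.new(srk, msg, DIGEST).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes, srk: bytes):
    """Bind `secret` to `expected_pcr`; returns (ciphertext, tag)."""
    ks = _keystream(srk, expected_pcr, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    tag = hmac.new(srk, b"tag" + expected_pcr + ct, DIGEST).digest()
    return ct, tag


def unseal(sealed, current_pcr: bytes, srk: bytes):
    """Release the secret only if the current PCR matches the sealing PCR.

    Returns None (key stays locked) on any mismatch.
    """
    ct, tag = sealed
    check = hmac.new(srk, b"tag" + current_pcr + ct, DIGEST).digest()
    if not hmac.compare_digest(tag, check):
        return None
    ks = _keystream(srk, current_pcr, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def demo() -> dict:
    """Seal the disk key to the good chain and try three boot scenarios."""
    sealed = seal(DISK_KEY, measure_chain(GOOD_CHAIN), SRK)
    results = {}
    # 1. Unmodified chain: the key unseals.
    results["untouched"] = unseal(sealed, measure_chain(GOOD_CHAIN), SRK)
    # 2. A hypervisor is loaded before the chain and gets measured first:
    #    every later PCR value shifts, so the key stays locked.
    hv_chain = [b"attacker hypervisor"] + GOOD_CHAIN
    results["hypervisor"] = unseal(sealed, measure_chain(hv_chain), SRK)
    # 3. Reflashed BIOS image with the rest of the chain untouched.
    bios_chain = [b"BIOS image v1 (reflashed)"] + GOOD_CHAIN[1:]
    results["reflashed_bios"] = unseal(sealed, measure_chain(bios_chain), SRK)
    return results


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:15s} -> {'unsealed' if key else 'locked'}")
```

The model assumes what a real measured boot also assumes: the first thing that runs (the root of trust in firmware) faithfully measures the next stage before handing over control. Scenario 2 only works because the hypervisor is measured; a hypervisor that gets to run without being extended into the PCR is invisible to this check, which is exactly where the reflashed-BIOS objection in the quoted message bites.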



