grub-devel

Re: A _good_ and valid use for TPM


From: phcoder
Subject: Re: A _good_ and valid use for TPM
Date: Sat, 21 Feb 2009 18:08:45 +0100
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

First of all, you can write anything in specifications. Real chips don't necessarily follow specifications. It's even said that it's "optional". Secondly, this certificate makes regenerating worthless. Companies coercing you into using their software may challenge you to use a signed public key. Then you still have a choice to regenerate your key, but it's simply equivalent to "but nobody's threatening your freedom: we still allow you to remove your data and not access it at all." It's equivalent to just smashing your TPM.
Regards
Vladimir 'phcoder' Serbinenko
Alex Besogonov wrote:
On Sat, Feb 21, 2009 at 3:51 PM, Robert Millan <address@hidden> wrote:
 - An override button that's physically accessible from the chip can be
   used to disable "hostile mode" and make the TPM sign everything.  From
   that point physical access can be managed with traditional methods (e.g.
   locks).
But they didn't.
And actually, they did.
================================
New flexibility in EKs. In the 1.1b specification, endorsement keys were fixed in the chip at manufacture. This allowed a certificate to be provided by the manufacturer for the key. However, some privacy advocates are worried about the EK becoming a nonchangeable identifier (in spite of all the privacy controls around it, which would make doing this very difficult). ***As a result, the specification allows a manufacturer to allow the key to be removed by the end user and regenerated.*** Of course the certificate at that point would become worthless, and it could be very expensive for the end user to get a new certificate.
================================
https://www.trustedcomputinggroup.org/specs/TSS/TSS_1_2_Errata_A-final.pdf


_______________________________________________
Grub-devel mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/grub-devel




