1 |
On Saturday 29 Nov 2014 20:23:51 Rich Freeman wrote: |
2 |
> On Sat, Nov 29, 2014 at 2:53 PM, Mick <michaelkintzios@×××××.com> wrote: |
3 |
> > I'm looking to buy a new PC and while looking at FM2+ MoBos I saw ASUS |
4 |
> > offers |
5 |
> |
6 |
> > one with a TPM feature. It also sells it as a separate component it |
7 |
seems: |
8 |
> I can't get that page to load, but I can't imagine that you could find |
9 |
> a motherboard that DIDN'T have a TPM that has been made anytime in the |
10 |
> last decade. |
11 |
> |
12 |
> It doesn't tend to get a lot of use in the Linux world, though the |
13 |
> Chromebook would be a BIG exception there. In the corporate windows |
14 |
> world it gets very heavy use for full-disk encryption, and I think |
15 |
> Win7 supports this out of the box (though big companies tend to use |
16 |
> 3rd party software). |
17 |
> |
18 |
> Main uses for TPM include remote attestation, full-disk encryption |
19 |
> (without the need to type a boot password), and secure credential |
20 |
> storage only accessible via a trusted code path. |
21 |
> |
22 |
> The Linux kernel has support for TPM, but if you want to use many of |
23 |
> the trusted boot features you need a bootloader that supports TPM. |
24 |
> |
25 |
> The main downside with TPM with something like Gentoo is that if you |
26 |
> aren't careful you can make your keys inaccessible. I'd keep a copy |
27 |
> of the keys somewhere safe if you plan to use it for something like |
28 |
> full-disk encryption (and/or do regular backups). Otherwise if you |
29 |
> incorrectly update grub you might find your drive completely |
30 |
> inaccessible (if you're using a trusted boot path then you need to |
31 |
> update the TPM when you update your boot path or the chip will no |
32 |
> longer trust your grub/kernel/etc). The upside is that if you do it |
33 |
> right you retain full control over the encryption and your system will |
34 |
> be VERY hard to break into (without inside access - it is quite |
35 |
> possible folks like the NSA have a backdoor, but you'll be very safe |
36 |
> from more ordinary threats). |
37 |
|
38 |
|
39 |
Thanks Rich, it seems not all modern MoBos have it. This doesn't: |
40 |
|
41 |
http://www.asus.com/uk/Motherboards/A88XMA/specifications/ |
42 |
|
43 |
|
44 |
While this does: |
45 |
|
46 |
http://www.asus.com/uk/Motherboards/A88XGAMER/specifications/ |
47 |
|
48 |
|
49 |
Besides the complexity of it all and the risk of errors, it's the remote |
50 |
attestation part that worries me a bit. I mean this is not MSWindows, so the |
51 |
only entity I would expect to attest what I'm running on my machine is me. |
52 |
Well, fair enough, portage checks the hashes of the downloaded source files, |
53 |
but I would not want anyone to remotely check anything on my PC. |
54 |
|
55 |
If I enable this TPM thing, do I automatically open ports at pre/post-boot |
56 |
time giving access to my machine? Or is remote attestation something I have a |
57 |
say over? |
58 |
|
59 |
Also, what happens if the TPM chip, or the whole MoBo blows up? Will I ever |
60 |
be able to access my data using another PC? |
61 |
|
62 |
-- |
63 |
Regards, |
64 |
Mick |