| 1 |
On Saturday 29 Nov 2014 20:23:51 Rich Freeman wrote: |
| 2 |
> On Sat, Nov 29, 2014 at 2:53 PM, Mick <michaelkintzios@×××××.com> wrote: |
| 3 |
> > I'm looking to buy a new PC and while looking at FM2+ MoBos I saw ASUS |
| 4 |
> > offers |
| 5 |
> |
| 6 |
> > one with a TPM feature. It also sells it as a separate component it |
| 7 |
seems: |
| 8 |
> I can't get that page to load, but I can't imagine that you could find |
| 9 |
> a motherboard that DIDN'T have a TPM that has been made anytime in the |
| 10 |
> last decade. |
| 11 |
> |
| 12 |
> It doesn't tend to get a lot of use in the Linux world, though the |
| 13 |
> Chromebook would be a BIG exception there. In the corporate windows |
| 14 |
> world it gets very heavy use for full-disk encryption, and I think |
| 15 |
> Win7 supports this out of the box (though big companies tend to use |
| 16 |
> 3rd party software). |
| 17 |
> |
| 18 |
> Main uses for TPM include remote attestation, full-disk encryption |
| 19 |
> (without the need to type a boot password), and secure credential |
| 20 |
> storage only accessible via a trusted code path. |
| 21 |
> |
| 22 |
> The Linux kernel has support for TPM, but if you want to use many of |
| 23 |
> the trusted boot features you need a bootloader that supports TPM. |
| 24 |
> |
| 25 |
> The main downside with TPM with something like Gentoo is that if you |
| 26 |
> aren't careful you can make your keys inaccessible. I'd keep a copy |
| 27 |
> of the keys somewhere safe if you plan to use it for something like |
| 28 |
> full-disk encryption (and/or do regular backups). Otherwise if you |
| 29 |
> incorrectly update grub you might find your drive completely |
| 30 |
> inaccessible (if you're using a trusted boot path then you need to |
| 31 |
> update the TPM when you update your boot path or the chip will no |
| 32 |
> longer trust your grub/kernel/etc). The upside is that if you do it |
| 33 |
> right you retain full control over the encryption and your system will |
| 34 |
> be VERY hard to break into (without inside access - it is quite |
| 35 |
> possible folks like the NSA have a backdoor, but you'll be very safe |
| 36 |
> from more ordinary threats). |
| 37 |
|
| 38 |
|
| 39 |
Thanks Rich, it seems not all modern MoBos have it. This doesn't: |
| 40 |
|
| 41 |
http://www.asus.com/uk/Motherboards/A88XMA/specifications/ |
| 42 |
|
| 43 |
|
| 44 |
While this does: |
| 45 |
|
| 46 |
http://www.asus.com/uk/Motherboards/A88XGAMER/specifications/ |
| 47 |
|
| 48 |
|
| 49 |
Besides the complexity of it all and the risk of errors, it's the remote |
| 50 |
attestation part that worries me a bit. I mean this is not MSWindows, so the |
| 51 |
only entity I would expect to attest what I'm running on my machine is me. |
| 52 |
Well, fair enough, portage checks the hashes of the downloaded source files, |
| 53 |
but I would not want anyone to remotely check anything on my PC. |
| 54 |
|
| 55 |
If I enable this TPM thing, do I automatically open ports at pre/post-boot |
| 56 |
time giving access to my machine? Or is remote attestation something I have a |
| 57 |
say over? |
| 58 |
|
| 59 |
Also, what happens if the TPM chip, or the whole MoBo blows up? Will I ever |
| 60 |
be able to access my data using another PC? |
| 61 |
|
| 62 |
-- |
| 63 |
Regards, |
| 64 |
Mick |
Archives