On Sat, Nov 29, 2014 at 2:53 PM, Mick <michaelkintzios@×××××.com> wrote:
> I'm looking to buy a new PC and while looking at FM2+ MoBos I saw ASUS offers
> one with a TPM feature. It also sells it as a separate component it seems:

I can't get that page to load, but I can't imagine that you could find
a motherboard that DIDN'T have a TPM that has been made anytime in the
last decade.

It doesn't tend to get a lot of use in the Linux world, though the
Chromebook would be a BIG exception there. In the corporate Windows
world it gets very heavy use for full-disk encryption, and I think
Win7 supports this out of the box (though big companies tend to use
3rd party software).

Main uses for TPM include remote attestation, full-disk encryption
(without the need to type a boot password), and secure credential
storage only accessible via a trusted code path.

The Linux kernel has support for TPM, but if you want to use many of
the trusted boot features you need a bootloader that supports TPM.

The main downside with TPM with something like Gentoo is that if you
aren't careful you can make your keys inaccessible. I'd keep a copy
of the keys somewhere safe if you plan to use it for something like
full-disk encryption (and/or do regular backups). Otherwise if you
incorrectly update grub you might find your drive completely
inaccessible (if you're using a trusted boot path then you need to
update the TPM when you update your boot path or the chip will no
longer trust your grub/kernel/etc). The upside is that if you do it
right you retain full control over the encryption and your system will
be VERY hard to break into (without inside access - it is quite
possible folks like the NSA have a backdoor, but you'll be very safe
from more ordinary threats).

--
Rich
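
The following is an added example, not part of the original message: a simplified software model of why a key sealed to a measured boot path becomes inaccessible after a bootloader update, and why resealing against the new measurements restores access. The class and function names, boot-chain strings and disk key are constructed for illustration; a real TPM performs the extend and policy check in hardware.

```python
import hashlib
import hmac


def extend(pcr, component):
    """TPM extend: new PCR = H(old PCR || H(measured component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain):
    """Replay a boot: the PCR starts at zero and each stage is extended in order."""
    pcr = bytes(32)  # SHA-256 bank; TPM 1.2 chips use 20-byte SHA-1 PCRs
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


class SealedKey:
    """Model of a sealed secret: released only if the PCR matches the policy."""
    def __init__(self, secret, expected_pcr):
        self._secret = secret
        self._policy = expected_pcr

    def unseal(self, current_pcr):
        if hmac.compare_digest(current_pcr, self._policy):
            return self._secret
        return None  # the chip refuses; the disk key stays locked


# Constructed sample boot chains (byte strings stand in for the real binaries).
OLD_CHAIN = [b"firmware-1.0", b"grub-old", b"kernel-3.17"]
NEW_CHAIN = [b"firmware-1.0", b"grub-new", b"kernel-3.17"]
DISK_KEY = b"constructed-disk-key"


def demo():
    sealed = SealedKey(DISK_KEY, measure_boot(OLD_CHAIN))
    # Correct procedure: while the key is still available (old boot, or a
    # backup copy), reseal it against the PCR the new chain will produce.
    resealed = SealedKey(DISK_KEY, measure_boot(NEW_CHAIN))
    return {
        "before_update": sealed.unseal(measure_boot(OLD_CHAIN)),
        "after_update": sealed.unseal(measure_boot(NEW_CHAIN)),
        "after_reseal": resealed.unseal(measure_boot(NEW_CHAIN)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the PCR value depends on every component and on their order, changing only the bootloader is enough for `after_update` to come back as `None`, which is the locked-out state a backup copy of the key protects against.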