On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltdnes@××××××××.org> wrote:
>
> Be careful what you wish for. I have my doubts that TPM chips would
> boot linux with Microsoft offering "volume discounts" to OEMs. Call me
> cynical.
>

TPM chips don't control what boots. They just accept the hash of the
bootloader reported by the firmware and store it (and that is it as
far as the OEM's contribution to the process). Linux supports TPM
chips, as does trusted grub. I have no idea if gummiboot or any of
the EFI solutions do (presumably direct to linux works) - you'd need a
TPM-aware bootloader to take advantage of TPM-based full-disk
encryption unless you want to be typing in a password when you boot.
A TPM is still useful with password-based boots since it can enforce a
maximum number of guesses before it destroys the key. However, the
real magic is when you use a verified boot path so that your system
just magically boots into linux if the boot path is not tampered with,
and if not the hard drive is impossible to read (and you can do all
this while keeping a copy of your disk key safely offline just in
case).

Remember, TPM isn't UEFI - it works differently and has been around in
PCs a lot longer.

--
Rich
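To make the "measure, then seal" flow in Rich's reply concrete, here is an added simulation (not from the thread or any TPM vendor) of how a PCR accumulates boot-stage hashes and how a disk key sealed to the expected PCR value is released only when the same boot path is measured again; `TPM_INTERNAL_SECRET`, the boot image names and the HMAC-based sealing are constructed stand-ins, not the real TPM 2.0 policy or storage-hierarchy interface.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for a secret that never leaves the chip (hypothetical name).
TPM_INTERNAL_SECRET = os.urandom(32)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR = SHA-256(PCR || SHA-256(measurement)).
    A PCR can only be accumulated into, never written directly."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(images: List[bytes]) -> bytes:
    """Firmware extends each boot stage (firmware, bootloader, kernel) in order."""
    pcr = bytes(32)  # PCRs start zeroed at reset
    for image in images:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal(disk_key: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Bind a 32-byte disk key to one PCR value: mask it with a value only the
    chip can regenerate, and tag the result so a wrong PCR is detected."""
    mask = hmac.new(TPM_INTERNAL_SECRET, b"seal" + expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(disk_key, mask))
    tag = hmac.new(TPM_INTERNAL_SECRET, b"auth" + expected_pcr + blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the key only if the PCR measured now matches the sealed one."""
    tag = hmac.new(TPM_INTERNAL_SECRET, b"auth" + current_pcr + sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # boot path differs from the sealed one: key stays locked
    mask = hmac.new(TPM_INTERNAL_SECRET, b"seal" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], mask))


def demo():
    """Returns (key released on untouched boot, key withheld on modified boot)."""
    disk_key = os.urandom(32)
    good_chain = [b"firmware-image", b"trusted-grub-image", b"vmlinuz-image"]  # constructed
    sealed = seal(disk_key, measure_boot_chain(good_chain))
    untouched_ok = unseal(sealed, measure_boot_chain(good_chain)) == disk_key
    modified_chain = [b"firmware-image", b"modified-grub-image", b"vmlinuz-image"]
    modified_blocked = unseal(sealed, measure_boot_chain(modified_chain)) is None
    return untouched_ok, modified_blocked
```

Because the key blob is useless without the chip regenerating the mask for the exact PCR value, a copy of the raw disk key kept offline (as the reply suggests) remains the recovery path if the boot chain legitimately changes.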