| 1 |
On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltdnes@××××××××.org> wrote: |
| 2 |
> |
| 3 |
> Be careful what you wish for. I have my doubts that TPM chips would |
| 4 |
> boot linux with Microsoft offering "volume discounts" to OEMS. Call me |
| 5 |
> cynical. |
| 6 |
> |
| 7 |
|
| 8 |
TPM chips don't control what boots. They just accept the hash of the |
| 9 |
bootloader reported by the firmware and store it (and that is it as |
| 10 |
far as the OEM's contribution to the process). Linux supports TPM |
| 11 |
chips, as does trusted grub. I have no idea if gummiboot or any of |
| 12 |
the EFI solutions do (presumably direct to linux works) - you'd need a |
| 13 |
TPM-aware bootloader to take advantage of TPM-based full-disk |
| 14 |
encryption unless you want to be typing in a password when you boot. |
| 15 |
A TPM is still useful with password-based boots since it can enforce a |
| 16 |
maximum number of guesses before it destroys the key. However, the |
| 17 |
real magic is when you use a verified boot path so that your system |
| 18 |
just magically boots into linux if the boot path is not tampered with, |
| 19 |
and if not the hard drive is impossible to read (and you can do all |
| 20 |
this while keeping a copy of your disk key safely offline just in |
| 21 |
case). |
| 22 |
|
| 23 |
Remember, TPM isn't UEFI - it works differently and has been around in |
| 24 |
PCs a lot longer. |
| 25 |
|
| 26 |
-- |
| 27 |
Rich |
Archives