Re: TPM support with SATA drives
From: Robert Millan
Subject: Re: TPM support with SATA drives
Date: Fri, 18 Apr 2008 14:23:38 +0200
User-agent: Mutt/1.5.13 (2006-08-11)
On Fri, Apr 18, 2008 at 02:07:12PM +0200, Laurent Dufréchou wrote:
> Yeah I see what you mean, and I agree a lot. I got a TPM chip in my
> computer that I could use to encrypt my hard disk but I will never use it as
> I don't have access to all the thing.
> In fact what I'm asking is for a special use case.
> My use case is that I provide an embedded computer running linux operating
> system, and I want to be sure that the whole system that I can't remotely
> manage isn't corrupted to its task.
> In this case I'm in the case of the "Hostile party Bad Guy wanting to
> measure you" ;).
> I think TPM chip can only be used for that. Not for like they claim to give
> to classical user a trusted computer.
> I want to use it to trust MY computer used by another guy (that can be an
> attacker). (industry market, not consumer one)
> I think in this use case it is ethically correct as I try to measure and
> ensure my system is not corrupted. (Must be the only case where TPM chips are
> good at :) )
I believe you can accomplish that by booting the system from USB. Just point
your /boot partition to a USB stick, then encrypt the hard drive. Then use
the stick as a "key" that is never left to untrusted hands (or, at most, is
only copied from a master, known-untampered key).
This would allow you to have security without making yourself dependent on
such kind of nasty technology.
--
Robert Millan
<GPLv2> I know my rights; I want my phone call!
<DRM> What use is a phone call… if you are unable to speak?
(as seen on /.)
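
Added example, not part of the original message: the reply relies on the boot stick being "only copied from a master, known-untampered key", and since the stick carries the unencrypted kernel and initrd, a copy can be checked against SHA-256 hashes recorded from the master. The function names, the manifest file and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example. Function, directory and file names are hypothetical.
# Keep the manifest with the master stick, never on a copy being checked.

# Print "sha256  ./relative/path" for every file under DIR, in a stable order.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Return 0 only if DIR holds exactly the files recorded in MANIFEST, byte for
# byte. Modified, added and missing files all count as tampering (return 1).
verify_stick() {
    manifest=$1
    dir=$2
    current=$(make_manifest "$dir") || return 2
    if [ "$current" = "$(cat "$manifest")" ]; then
        return 0
    fi
    # Report the differing entries on stderr for the operator.
    printf '%s\n' "$current" | diff "$manifest" - >&2 || true
    return 1
}

# Constructed sample data: a fake master /boot tree, one copy of it, and the
# manifest taken from the master. Prints the working directory it created.
build_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/master/grub"
    printf 'kernel-image\n' > "$work/master/vmlinuz"
    printf 'initrd-image\n' > "$work/master/initrd.img"
    printf 'set root=(hd0,1)\n' > "$work/master/grub/grub.cfg"
    cp -R "$work/master" "$work/copy"
    make_manifest "$work/master" > "$work/master.sha256"
    printf '%s\n' "$work"
}
```

On a real system the two arguments would be the manifest stored with the master and the mount point of the stick being checked.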