RE: TPM support with SATA drives
From: Laurent Dufréchou
Subject: RE: TPM support with SATA drives
Date: Fri, 18 Apr 2008 20:33:07 +0200
So, will grub2 one day support TPM? ;)
-----Original Message-----
From: address@hidden [mailto:address@hidden On Behalf Of Julian Blake Kongslie
Sent: Friday, 18 April 2008 20:21
To: The development of GRUB 2
Subject: Re: TPM support with SATA drives
On Fri, 2008-04-18 at 13:22 +0200, Robert Millan wrote:
> Hi Laurent,
>
> The problem with these TPM chips is that they have the hidden purpose of
> restricting you as a user. Despite that you paid for the hardware and are its
> owner, the chip will never give you its master key.
Sorry, but this message is confusing me. Having the TPM in my machine
act as a cryptographic proxy on my behalf is the entire point of the
TPM: if the software stack has access to the SRK then attackers would
prefer to attack dead swap space or temp files rather than the TPM
itself.
> The idea behind this is that you can be coerced into accepting that someone
> else can spy on your computer (they call it "remote attestation"). When
> enough users accept this form of blackmail, it will become impossible to
> resist it in practice.
And this is the really confusing part. How can someone else spy on my
computer because of my TPM? I can *voluntarily* enter into a remote
attestation system, but to do that I would need to tell my peers the
public key I will be using to sign the attestations; if I was so
inclined, I could choose any key that I like for this purpose, and
instruct the software on my machine to get the unencrypted PCRs from my
TPM, modify their values as I saw fit, and sign that configuration
instead.
Even if the software that runs the remote attestation is honest (say,
because I'm running some Windows-based scheme that I can't easily
change), I can still elect to boot into Linux, authenticate to the TPM
with the owner password, and ask it to perform whatever operations I
want with whatever PCR configuration I want.
> For these reasons, I'd like to encourage you to consider the ethical
> implications of using and supporting this technology, and look for
> alternatives that would satisfy whatever needs you had in it (I'd welcome
> some discussion about that, to see how GRUB can help).
--
-Julian Blake Kongslie
<address@hidden>
If this is a mailing list, please CC me on replies.
vim: set ft=text :