On 12/6/19 10:02 PM, John M. Harris Jr wrote:
On Friday, December 6, 2019 5:14:24 PM MST Kevin Kofler wrote:
> Marius Schwarz wrote:
>
>> "Figure out intersection with current work to use the TPM to allow
>> booting to GDM without entering the password."
>>
>> Means, if someone steals the device, he can boot a system.
> And conversely, if you move the hard disk to another computer, you can no
> longer read it. And if your motherboard breaks down, instant data loss.
>
> In addition, I do not trust the TPM or any other Treacherous Computing
> component.
>
> If you want to rely on a hardware key, it should at least be on a removable
> USB token (a keyfile on a plain mass-storage USB stick is enough!), not
> hard-wired into the computer like the TPM.
Agreed. What many people don't realize is that a TPM isn't some special
security device. It's essentially a specialized storage device, that only
stores keys, with a few extensions to use those keys. On many vendors, the TPM
includes a key that CANNOT BE REMOVED, which belongs to Microsoft or an OEM.
I don't see why TPM is seen in such a bad light, as it is just a
security tool that, in its current implementation, does not prevent
third-party software like Linux. It has a potential to do that, but,
like any other tool, can also be used beneficially.
Perhaps people don't have a problem with the TPM concept, but simply
mistrust black-box TPM implementations?
I am sorry if all this is obvious to everyone, but this is how I
understand TPM tech. I don't see a problem with the technology as
described here:
1) TPM is a secure key storage device, designed to release keys only
under very well-specified conditions, to prevent stealing of keys via
physical access/removal of components. For TPM to make sense, it has to
also secure the boot process, to prevent injection into the boot process
after the keys are released to the OS; the OS has to boot without
interruption all the way to the user authentication prompt.
2) TPM is supposed to store multiple keys, and allow adding new keys, as
well as revoke them. I don't know if the OEM key is exempt from
revocation on a typical TPM---I didn't think so but I could also see
that they would prevent revocation for the OEM key, to prevent
accidental revocation from bricking the system.
3) Multiple keys allow creating backup keys, preventing the data loss
scenario Kevin is worried about. Of course this assumes that the UX for
creating backup keys exists, and that people actually do that---but it's
possible in principle.
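To make points 1 and 3 concrete, here is a small Python model of PCR measurement, sealing a key to a PCR value, and a second (recovery) keyslot. It is an illustration added here, not code from anyone in this thread: ToyTPM is a stand-in for the chip (a real TPM does the equivalent with a PCR policy, e.g. tpm2-tools' tpm2_create -L ... / tpm2_unseal), the HMAC-based wrapping is a toy cipher, and the boot-chain strings are constructed samples rather than real measurements. The model shows why a modified bootloader or a different motherboard gets no key, and why a backup slot avoids the data-loss case Kevin raises.

```python
import hashlib
import hmac
import os

H = hashlib.sha256
PCR_RESET = b"\x00" * 32      # PCRs are all-zero after power-on


class KeyNotReleased(Exception):
    """A keyslot refused to hand out the volume key."""


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(event)): one-way and order-sensitive, so code
    that already ran cannot be 'un-measured' by anything that runs later."""
    return H(pcr + H(event).digest()).digest()


def predict_pcr(boot_chain) -> bytes:
    """PCR value an unmodified boot chain ends up with (what we seal to)."""
    pcr = PCR_RESET
    for component in boot_chain:
        pcr = pcr_extend(pcr, component)
    return pcr


def _wrap(kek: bytes, secret: bytes) -> bytes:
    """Toy encrypt-then-MAC of a <=32-byte secret: HMAC keystream + HMAC tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, nonce, H).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(kek, nonce + ct, H).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, H).digest()):
        raise KeyNotReleased("wrong key or tampered blob")
    stream = hmac.new(kek, nonce, H).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class ToyTPM:
    """Stand-in for a TPM: a per-board seed that never leaves the chip, one PCR."""

    def __init__(self):
        self._seed = os.urandom(32)   # different on every motherboard
        self.pcr = PCR_RESET

    def reset(self):                  # power-on resets the PCR
        self.pcr = PCR_RESET

    def extend(self, event: bytes):
        self.pcr = pcr_extend(self.pcr, event)

    def _kek(self, pcr_value: bytes) -> bytes:
        return hmac.new(self._seed, pcr_value, H).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> bytes:
        """Bind the secret to an expected PCR value (a PCR policy)."""
        return _wrap(self._kek(policy_pcr), secret)

    def unseal(self, blob: bytes) -> bytes:
        """Release only if the PCR *as it is now* equals the sealed-to value."""
        return _unwrap(self._kek(self.pcr), blob)


def recovery_slot(secret: bytes, passphrase: bytes) -> bytes:
    """Backup keyslot: the same volume key wrapped under a passphrase."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)
    return salt + _wrap(kek, secret)


def open_recovery_slot(blob: bytes, passphrase: bytes):
    salt, body = blob[:16], blob[16:]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)
    try:
        return _unwrap(kek, body)
    except KeyNotReleased:
        return None


def tpm_unlock(tpm: ToyTPM, sealed: bytes, boot_chain):
    """Simulate one boot: measure every component, then ask for the key."""
    tpm.reset()
    for component in boot_chain:
        tpm.extend(component)
    try:
        return tpm.unseal(sealed)
    except KeyNotReleased:
        return None


# Constructed sample boot chains, not real measurements.
GOOD_BOOT = [b"firmware 1.0", b"shim", b"grub", b"vmlinuz"]
EVIL_BOOT = [b"firmware 1.0", b"shim", b"grub+keylogger", b"vmlinuz"]
PASSPHRASE = b"correct horse battery staple"


def demo():
    board = ToyTPM()
    volume_key = os.urandom(32)
    sealed = board.seal(volume_key, predict_pcr(GOOD_BOOT))   # enrol TPM slot
    backup = recovery_slot(volume_key, PASSPHRASE)            # enrol backup slot
    return {
        "volume_key": volume_key,
        "good_boot": tpm_unlock(board, sealed, GOOD_BOOT),     # released
        "tampered_boot": tpm_unlock(board, sealed, EVIL_BOOT), # refused
        "disk_moved": tpm_unlock(ToyTPM(), sealed, GOOD_BOOT), # other board: refused
        "recovery": open_recovery_slot(backup, PASSPHRASE),    # released
        "recovery_wrong_pw": open_recovery_slot(backup, b"wrong"),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        if name != "volume_key":
            print(f"{name:18} {'released' if key else 'refused'}")
```

The "disk_moved" case is exactly Kevin's objection: the sealed blob on the disk is useless without the seed inside the original chip, so the recovery slot is what stands between a dead motherboard and data loss. With real tools the same two enrolments are, for example, systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 and systemd-cryptenroll --recovery-key on the LUKS device (a later tool than this thread, but the same idea).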