Trusted Boot in Fedora

Jon Ciesla limb at
Thu Jun 23 19:13:39 UTC 2011

> On Thu, Jun 23, 2011 at 7:30 PM, JB <jb.1234abcd at> wrote:
>> Miloslav Trmač <mitr <at>> writes:
>>> On Thu, Jun 23, 2011 at 4:21 PM, JB <jb.1234abcd <at>> wrote:
>>> ...
>>> > Will the TPM allow a third party remote access to the machine ?
>>> Absolutely not.
>> You are wrong here.
>> "...
>> Overview
>> ... It also includes capabilities such as remote attestation ..."
> "Remote attestation" doesn't mean "remote access" - after all, the TPM
> does not contain a network card and it cannot connect an Ethernet
> cable to the socket in the wall :)
> The TPM support for remote attestation amounts to "if the system was
> measured as expected, produce a signature to that effect, and produce
> a signature to other data the system has produced for this purpose"
> ("other data" being e.g. the result of an additional self-check of the
> sistem).  What TPM does is a purely local operation.  Whether and how
> this ends up on a remote system and whether and how is is used by the
> remote system, is a matter of pure software that doesn't need the TPM
> for anything else.
> TPM doesn't "allow" a third party remote access any more than a CPU
> that is strong enough to let you run ssh on it.

Exactly.  But with the network card, the process by which I can activate,
deactivate, control and monitor that device to allow or deny access is
well documented.  How will are those things done with TPM?  I want to know
that even if someone slips a TPM-exploiting backdoor into my system, I
know that it won't have an effect because cat /proc/foo/bar/tpm returns 0.

How does this work?


>     Mirek
> --
> devel mailing list
> devel at

in your fear, seek only peace
in your fear, seek only love

-d. bowie

More information about the devel mailing list