Trusted Boot in Fedora

Jon Ciesla limb at jcomserv.net
Thu Jun 23 19:13:39 UTC 2011


> On Thu, Jun 23, 2011 at 7:30 PM, JB <jb.1234abcd at gmail.com> wrote:
>> Miloslav Trmač <mitr <at> volny.cz> writes:
>>
>>>
>>> On Thu, Jun 23, 2011 at 4:21 PM, JB <jb.1234abcd <at> gmail.com> wrote:
>>> ...
>>> > Will the TPM allow a third party remote access to the machine ?
>>> Absolutely not.
>>
>> You are wrong here.
>>
>> http://en.wikipedia.org/wiki/Trusted_Platform_Module
>> "...
>> Overview
>> ... It also includes capabilities such as remote attestation ..."
>
> "Remote attestation" doesn't mean "remote access" - after all, the TPM
> does not contain a network card and it cannot connect an Ethernet
> cable to the socket in the wall :)
>
> The TPM support for remote attestation amounts to "if the system was
> measured as expected, produce a signature to that effect, and produce
> a signature to other data the system has produced for this purpose"
> ("other data" being e.g. the result of an additional self-check of the
> system).  What TPM does is a purely local operation.  Whether and how
> this ends up on a remote system and whether and how it is used by the
> remote system, is a matter of pure software that doesn't need the TPM
> for anything else.
>
> TPM doesn't "allow" a third party remote access any more than a CPU
> that is strong enough to let you run ssh on it.

Exactly.  But with the network card, the process by which I can activate,
deactivate, control and monitor that device to allow or deny access is
well documented.  How are those things done with TPM?  I want to know
that even if someone slips a TPM-exploiting backdoor into my system, I
know that it won't have an effect because cat /proc/foo/bar/tpm returns 0.

How does this work?

-J

>     Mirek
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>


-- 
in your fear, seek only peace
in your fear, seek only love

-d. bowie
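As an added illustration of the "purely local" quote Mirek describes above (a constructed model written for this page, not code from the thread or from Fedora): PCRs are extended by hashing, the TPM signs the selected PCR values plus a verifier-supplied nonce, and everything after that is ordinary software on the remote side. Assumptions: HMAC with a key the verifier also holds stands in for the TPM's RSA attestation key, and the boot-chain measurements are made up.

```python
import hashlib
import hmac
import os
class ToyTPM:
    def __init__(self, key, num_pcrs=24):
        self._key = key                      # no method ever exports this
        self.pcrs = [bytes(20)] * num_pcrs   # 160-bit PCRs, all zero at reset
    def extend(self, index, measurement):
        # PCR[i] = SHA1(PCR[i] || SHA1(data)): order-dependent and irreversible.
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]
    def quote(self, indices, nonce):
        # Purely local: sign selected PCR values plus a caller-supplied nonce.
        # Whether the result ever leaves the machine is up to host software.
        payload = bytes(indices) + b"".join(self.pcrs[i] for i in indices) + nonce
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return {"indices": list(indices), "pcrs": [self.pcrs[i] for i in indices],
                "nonce": nonce, "sig": sig}

def expected_pcr(chain):
    # Value the remote verifier precomputes for a known-good boot chain.
    pcr = bytes(20)
    for m in chain:
        pcr = hashlib.sha1(pcr + hashlib.sha1(m).digest()).digest()
    return pcr

def verify_quote(key, q, expected_pcrs, nonce):
    # Remote side, pure software: signature, then freshness, then PCR policy.
    payload = bytes(q["indices"]) + b"".join(q["pcrs"]) + q["nonce"]
    good_sig = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(good_sig, q["sig"]):
        return False
    return q["nonce"] == nonce and q["pcrs"] == expected_pcrs

def demo():
    key = b"constructed-shared-key"  # stands in for the TPM's RSA AIK (assumption)
    known_good = [b"bootloader-1.99", b"vmlinuz-2.6.38", b"initramfs"]
    tampered = [b"bootloader-1.99", b"vmlinuz-tampered", b"initramfs"]
    expected = [expected_pcr(known_good)]
    results = []
    for chain in (known_good, tampered):
        tpm = ToyTPM(key)
        for m in chain:
            tpm.extend(0, m)
        nonce = os.urandom(16)
        q = tpm.quote([0], nonce)
        results.append(verify_quote(key, q, expected, nonce))
        results.append(verify_quote(key, q, expected, os.urandom(16)))  # replay
    return results  # [True, False, False, False]
```

The verifier rejects the tampered chain and any replayed quote even though the TPM signed both honestly; nothing in the model gives the remote party a way to reach back into the machine.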


