Tim writes:

> I reckon the default thought of most people who're suddenly faced with
> a computer failing a security test is not going to be that something
> has changed on them without authority, but that something has gone
> wrong. They're going to try and reset something, rather than work out
> if they've been compromised.

Indeed. Pragmatically speaking, I don't think they're wrong, do you?

Patrick writes:

> I think much depends on what the TPM is used for. Certainly if the
> user takes care not to subvert the intention, it can reasonably be
> used to ensure that only trusted software is run.

"Pragmatically speaking ..." ;-)

Seriously, I think TPM mostly makes sense with VMs. People who write programs are generally going to be very unhappy with the amount of kissing up to the TPM they have to do. Like, on Mac every time LLVM releases a new version of the debugger I have to go through the self-signing dance. So far I have been satisfied with the results every time (there really are new features or performance improvements), but it's infrequent enough that I have no memory of the procedure, let alone muscle memory.

> OTOH, I think one application of TPM (at least when originally
> proposed) was to prevent the user from bypassing DRM, in which case
> the trust goes in the other direction and the situation is
> different.

Yeah, there was a *lot* of angst about potential DRM applications at the time. I'm willing to bet it's possible to distinguish a hardware TPM from a software TPM for that application, though. I didn't look hard enough to see if the Xen folk had proposed a protocol to get a token from the hardware TPM to vouch for a VM in that case.

Steve