|
On 12/6/19 10:02 PM, John M. Harris Jr
wrote:
On Friday, December 6, 2019 5:14:24 PM MST Kevin Kofler wrote:Marius Schwarz wrote:"Figure out intersection with current work to use the TPM to allow booting to GDM without entering the password." Means, if someone steals the device, he can boot a system.And conversely, if you move the hard disk to another computer, you can no longer read it. And if your motherboard breaks down, instant data loss. In addition, I do not trust the TPM or any other Treacherous Computing component. If you want to rely on a hardware key, it should at least be on a removable USB token (a keyfile on a plain mass-storage USB stick is enough!), not hard-wired into the computer like the TPM.Agreed. What many people don't realize is that a TPM isn't some special security device. It's essentially a specialized storage device, that only stores keys, with a few extensions to use those keys. On many vendors, the TPM includes a key that CANNOT BE REMOVED, which belongs to Microsoft or an OEM. I don't see why TPM is seen in such a bad light, as it is just a security tool that, in its current implementation, does not prevent third-party software like Linux. It has a potential to do that, but, like any other tool, can also be used beneficially. Perhaps people don't have a problem with the TPM concept, but
simply mistrust black-box TPM implementations? i am sorry if all this is obvious to everyone, but this is how I
understand TPM tech. I don't see a problem with the technology as
described here: 1) TPM is a secure key storage device, designed to release keys
only under very well specified condition, to prevent stealing of
keys via physical access/removal of components. For TPM to make
sense, it has to also secure the boot process, to prevent
injection into the boot process after the keys are released to the
OS; the OS has to boot without interruption all the way to the
user authentication prompt. 2) TPM is supposed to store multiple keys, and allow adding new keys, as well as revoke them. I don't know if the OEM key is exempt from revocation on a typical TPM---I didn't think so but I could also see that they would prevent revocation for the OEM key, to prevent accidental revocation from bricking the system. 3) Multiple keys allow creating backup keys, preventing the data
loss scenario Kevin is worried about. Of course this assumes that
the UX for creating backup keys exists, and that people actually
do that---but it's possible in principle. |
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
