On Tue, 2018-05-08 at 10:29 -0500, David R. Bild wrote: > On Tue, May 8, 2018 at 10:25 AM, James Bottomley > <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > > > > > On Fri, May 04, 2018 at 02:56:25PM -0500, David R. Bild wrote: > > > > [...] > > > > In particular, it sets the credentials for the platform > > > > hierarchy. > > > > The platform hierarchy is essentially the "root" account of the > > > > TPM, so it's critical that those credentials be set before the > > > > TPM > > > > is exposed to user-space. (The platform credentials aren't > > > > persisted in the TPM and must be set by the platform on every > > > > boot.) If the driver registers the TPM before doing > > > > initialization, there's a chance that something else could > > > > access > > > > the TPM before the platform credentials get set. > > > > I don't see any reason to set an unreachable password for the > > platform > > hierarchy if the UEFI didn't. If the desire is to disable the > > platform > > hierarchy, then it should be disabled, not have a random password > > set. > > "Set random password and throw away the key" was my way of disabling > the platform hierarchy. Is there a better way of doing that? Well, yes, use TPM2_HierarchyControl to set phEnable to CLEAR. > > I'd also say this is probably the job of early boot based on > > policy. > > Agreed. And since this card has no "early boot", the driver/kernel > need to do it. Early boot means userspace. for a hot pluggable device, this would probably be something in udev if you follow the no-daemon model and the daemon could do it if you do follow the daemon model. James