On 5/8/2018 11:36 AM, James Bottomley wrote:
On Tue, 2018-05-08 at 10:29 -0500, David R. Bild wrote:
On Tue, May 8, 2018 at 10:25 AM, James Bottomley
I don't see any reason to set an unreachable password for the
platform
hierarchy if the UEFI didn't. If the desire is to disable the
platform
hierarchy, then it should be disabled, not have a random password
set.
"Set random password and throw away the key" was my way of disabling
the platform hierarchy. Is there a better way of doing that?
Well, yes, use TPM2_HierarchyControl to set phEnable to CLEAR.
There is a huge difference between the two.
"Set a random password" is the recommended approach. This just
prohibits using the platform authorization - a good idea.
phEnable CLEAR disables the hierarchy, preventing it from being used
at all. A basic problem would be that the EK certificates could not be
read.
There are likely to be other issues, like not being able to do a field
upgrade post-OS,
