Re: [PATCH v3 2/2] usb: misc: xapea00x: perform platform initialization of TPM


 



On 5/8/2018 11:36 AM, James Bottomley wrote:
On Tue, 2018-05-08 at 10:29 -0500, David R. Bild wrote:
On Tue, May 8, 2018 at 10:25 AM, James Bottomley


I don't see any reason to set an unreachable password for the platform
hierarchy if the UEFI didn't.  If the desire is to disable the platform
hierarchy, then it should be disabled, not have a random password set.

"Set random password and throw away the key" was my way of disabling
the platform hierarchy.  Is there a better way of doing that?

Well, yes, use TPM2_HierarchyControl to set phEnable to CLEAR.

There is a huge difference between the two.

"Set a random password" is the recommended approach.  This just
prohibits using the platform authorization - a good idea.

phEnable CLEAR disables the hierarchy, preventing it from being used
at all.  A basic problem would be that the EK certificates could not be
read.

There are likely to be other issues, like not being able to do a field upgrade post-OS,



