On Tue, Nov 20, 2018 at 09:17:59AM -0800, James Bottomley wrote:
> OK, the TPM is supposed to provide attestation of the correct
> environment on a device under someone else's control (the classic
> example is a laptop provided by a company to an employee). The device is
> under the physical control of the entity you don't entirely trust so
> the TPM is supposed to attest that they're running an approved OS ...
> we have whole TCG specs for that situation.

For me the classic scenario would be more like protecting the employee to whom you have given confidential data from 3rd party adversaries. If an employee to whom you give confidential data is in fact an adversary, you are screwed, even if the device is untampered.

Having a device that is less likely to be tampered with would still be a step in the better direction against 3rd party adversaries, but alone this does not really solve the puzzle.

There are technologies like ARM TZ and Intel SGX to provide a more secure host side. But if you have such technologies available you can use them to run the whole TPM and the problem is solved (at least TZ is used for this today and you could use SGX to do the same).

/Jarkko