On Tue, May 8, 2018 at 10:25 AM, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > > > On Fri, May 04, 2018 at 02:56:25PM -0500, David R. Bild wrote: > [...] > > > In particular, it sets the credentials for the platform hierarchy. > > > The platform hierarchy is essentially the "root" account of the > > > TPM, so it's critical that those credentials be set before the TPM > > > is exposed to user-space. (The platform credentials aren't > > > persisted in the TPM and must be set by the platform on every > > > boot.) If the driver registers the TPM before doing > > > initialization, there's a chance that something else could access > > > the TPM before the platform credentials get set. > > I don't see any reason to set an unreachable password for the platform > hierarchy if the UEFI didn't. If the desire is to disable the platform > hierarchy, then it should be disabled, not have a random password set. "Set random password and throw away the key" was my way of disabling the platform hierarchy. Is there a better way of doing that? > I'd also say this is probably the job of early boot based on policy. Agreed. And since this card has no "early boot", the driver/kernel need to do it. Best, David -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
