Intel Open-Sources New TPM2 Software Stack

  • Intel Open-Sources New TPM2 Software Stack

    Phoronix: Intel Open-Sources New TPM2 Software Stack

    This week Intel opened up a newly-completed Trusted Platform Module 2.0 (TPM2) stack with support for Linux and Microsoft Windows...

    http://www.phoronix.com/scan.php?pag...en-Source-TPM2

  • #2
    I feel like asking. When they say "trusted", do they mean "trusted by Intel", or "trusted by the user"? Because if it's the former, then it is a misnomer...



    • #3
      Originally posted by tildearrow View Post
      I feel like asking. When they say "trusted", do they mean "trusted by Intel", or "trusted by the user"? Because if it's the former, then it is a misnomer...
      Trusted by Intel, obviously. There is no way to avoid trusting them unless you design and manufacture your own hardware.



      • #4
        Originally posted by tildearrow View Post
        I feel like asking. When they say "trusted", do they mean "trusted by Intel", or "trusted by the user"? Because if it's the former, then it is a misnomer...
        imo the most common case is "trusted by the IT department of your employer"...



        • #5
          Originally posted by tildearrow View Post
          I feel like asking. When they say "trusted", do they mean "trusted by Intel", or "trusted by the user"? Because if it's the former, then it is a misnomer...



          • #6
            I did not think I would see the words "Intel" and "trusted" placed in the same sentence any time soon.



            • #7
              "Used for full disk encryption" only by people who earnestly believe that their few-cents-TPM chip could encrypt/decrypt data at the I/O rate of modern NVMe storage. Less misguided people know that the CPU will need to know the symmetric encryption key basically all the time while the system is running, so it isn't any safer when it is also stored in the TPM.
              Ah, and then of course there are those who leave it to the manufacturer of their storage device to implement encryption, which, while technically of course possible, is a gamble on abilities and diligence of storage manufacturers one should seriously not get into.



              • #8
                Originally posted by dwagner View Post
                "Used for full disk encryption" only by people who earnestly believe that their few-cents-TPM chip could encrypt/decrypt data at the I/O rate of modern NVMe storage. Less misguided people know that the CPU will need to know the symmetric encryption key basically all the time while the system is running, so it isn't any safer when it is also stored in the TPM.
                I think the idea is that the TPM stores the keys for full-disk encryption, and hands them to the CPU only if trusted software is running.

                Examples:

                https://github.com/shpedoikal/tpm-luks
                https://github.com/fox-it/linux-luks-tpm-boot

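The mechanism post #8 describes in prose (the TPM releases the disk key only when the measured boot chain matches the one the key was sealed to) is shown below as an added, self-contained simulation. It is not code from the original thread, from tpm2-luks, or from Intel's TPM2 stack: a software PCR bank is extended with constructed boot-component hashes, a simplified PolicyPCR-style digest is computed over the resulting PCR, and a seal/unseal pair binds a sample LUKS key to that digest. The SRK seed, the component names and the key material are all made up for the example, and the policy digest construction omits the command code and PCR selection that a real TPM folds in.

```python
"""Simulation of TPM PCR measurement and PCR-bound key sealing.

Constructed example: not a real TPM and not tpm2-tss code. A real chip
enforces the policy by refusing TPM2_Unseal when the policy session's
digest differs from the object's authPolicy; here that refusal is
modelled by deriving the wrapping key from the policy digest, so a blob
sealed to one boot state cannot be opened in any other.
"""
import hashlib
import hmac
import os

DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measurement)).

    One-way and order-dependent, so one PCR value commits to the whole
    sequence of components measured into it.
    """
    return sha256(pcr + sha256(measurement))


def measure_boot(components) -> bytes:
    """Extend a single PCR (reset value all zeros) with each boot stage in order."""
    pcr = bytes(DIGEST_LEN)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def policy_pcr(pcr_value: bytes) -> bytes:
    """Simplified PolicyPCR digest: H(start || "PolicyPCR" || H(pcr_value)).

    The real TPM also hashes in the command code and a PCR selection
    structure; the shape (a hash chain over the expected PCR contents) is
    the same.
    """
    return sha256(bytes(DIGEST_LEN) + b"PolicyPCR" + sha256(pcr_value))


def _wrap_key(srk_secret: bytes, policy: bytes) -> bytes:
    # Stand-in for the TPM protecting the sealed object under its storage
    # root key (the SRK seed here is a made-up constant, not a real key).
    return hmac.new(srk_secret, b"seal|" + policy, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += sha256(key + nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def seal(srk_secret: bytes, policy: bytes, secret: bytes) -> bytes:
    """Return nonce || tag || ciphertext, recoverable only under `policy`."""
    nonce = os.urandom(16)
    k = _wrap_key(srk_secret, policy)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, nonce, len(secret))))
    tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(srk_secret: bytes, current_pcr: bytes, blob: bytes):
    """Release the secret only if the live PCR satisfies the sealed policy.

    Returns None on a policy mismatch (for example a modified kernel).
    """
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    k = _wrap_key(srk_secret, policy_pcr(current_pcr))
    expected = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, nonce, len(ct))))


def demo():
    # Constructed stand-ins for the SRK seed, a 32-byte LUKS master key and
    # the measured boot components of a known-good and a tampered boot.
    srk_secret = b"simulated-srk-seed-not-a-real-tpm"
    luks_key = b"0123456789abcdef0123456789abcdef"
    good_chain = [b"firmware-v1", b"shim-signed", b"grub-2.06", b"vmlinuz-6.1"]
    evil_chain = [b"firmware-v1", b"shim-signed", b"grub-2.06", b"vmlinuz-6.1-backdoored"]

    # Provisioning: measure the known-good boot and seal the key to that PCR.
    golden_pcr = measure_boot(good_chain)
    blob = seal(srk_secret, policy_pcr(golden_pcr), luks_key)

    # Normal boot reproduces the PCR and gets the key; a swapped kernel does not.
    released = unseal(srk_secret, measure_boot(good_chain), blob)
    refused = unseal(srk_secret, measure_boot(evil_chain), blob)
    return released, refused


if __name__ == "__main__":
    ok, bad = demo()
    print("good boot released key:", ok is not None)
    print("tampered boot released key:", bad is not None)
```

Two practical consequences follow from the structure. First, because the policy is a hash over the exact PCR contents, every kernel or bootloader update changes the measurement and the key must be resealed (the tpm-luks and fox-it projects linked above both deal with this). Second, the TPM only decides whether to hand the key over; once it has been released it lives in the CPU and RAM for as long as the system runs, which is the point dwagner makes in #7. The protection is against offline attacks and boot-chain tampering, not against a compromised running system.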


                • #9
                  Originally posted by tildearrow View Post
                  I feel like asking. When they say "trusted", do they mean "trusted by Intel", or "trusted by the user"? Because if it's the former, then it is a misnomer...
                  There is a difference between "trusted" and "trustworthy". In this context, "trusted" really just means "high-risk", and implies that a certain standard of rigor goes into ensuring that it's worthy of somebody's trust.



                  • #10
                    Originally posted by stikonas View Post
                    Trusted by Intel, obviously. There is no way to avoid trusting them unless you design and manufacture your own hardware.
                    Most cheaper laptops/motherboards/desktops come without a TPM, and you'll just have to enter an extra password at startup to secure the HD through LUKS or BitLocker.

                    It's important to not confuse TPM which is a separate chip with Intel ME/AMD PSP. TPMs are a convenience, and optional. They are necessary if you don't want to enter a password at startup but still boot from an encrypted drive, like for a server. You're trusting a TPM module about as much as you would trust a Yubi key.

