Re: A _good_ and valid use for TPM

[Alex Besogonov]

On Wed, Feb 18, 2009 at 11:05 PM, Jan Alsenz <address@hidden> wrote:
> I've recently started porting TrustedGRUB (
> http://sourceforge.net/projects/trustedgrub ) to GRUB2.
> I didn't get too far as I don't have too much time right now, but I managed to
> complete the MBR bootloader.
Great! MBR is the most scary part :)

> I agree with you on the usefulness of a TPM for disk encryption and have a
> similar scheme planned.
> Regardless of the outcome of the discussion on the mailing list I would be
> interested in a "trusted" GRUB2 version. Maybe we could join forces?
Absolutely. I just hate doing work that won't appear in the mainline version :(

> BTW, the "manufacturer key" everyone is talking about is usually referred to 
> as
> "endorsement key", which is generated during production (and whose private 
> part
> is considered possibly in the possession of the manufacturer). I heard, that
> some newer TPM versions support reinitializing this key, but I'm not sure of
> that.
Uhm... TPM_CreateEndorsementKeyPair can be used to create the
endorsement key pair, and the spec also says that TPM chip _must_ ship
with empty endorsement key. It also can later be changed.

> And you do loose the ability to do remote attestation with "official"
> entities, if you do it.
Well, I don't care about that. And in any case, no-one uses TPM for
'official' purposes.