On Saturday 29 Nov 2014 20:23:51 Rich Freeman wrote:
> On Sat, Nov 29, 2014 at 2:53 PM, Mick <michaelkintz...@gmail.com> wrote:
> > I'm looking to buy a new PC and while looking at FM2+ MoBos I saw ASUS
> > offers one with a TPM feature. It also sells it as a separate component it seems:
>
> I can't get that page to load, but I can't imagine that you could find
> a motherboard that DIDN'T have a TPM that has been made anytime in the
> last decade.
>
> It doesn't tend to get a lot of use in the Linux world, though the
> Chromebook would be a BIG exception there. In the corporate windows
> world it gets very heavy use for full-disk encryption, and I think
> Win7 supports this out of the box (though big companies tend to use
> 3rd party software).
>
> Main uses for TPM include remote attestation, full-disk encryption
> (without the need to type a boot password), and secure credential
> storage only accessible via a trusted code path.
>
> The Linux kernel has support for TPM, but if you want to use many of
> the trusted boot features you need a bootloader that supports TPM.
>
> The main downside with TPM with something like Gentoo is that if you
> aren't careful you can make your keys inaccessible. I'd keep a copy
> of the keys somewhere safe if you plan to use it for something like
> full-disk encryption (and/or do regular backups). Otherwise if you
> incorrectly update grub you might find your drive completely
> inaccessible (if you're using a trusted boot path then you need to
> update the TPM when you update your boot path or the chip will no
> longer trust your grub/kernel/etc). The upside is that if you do it
> right you retain full control over the encryption and your system will
> be VERY hard to break into (without inside access - it is quite
> possible folks like the NSA have a backdoor, but you'll be very safe
> from more ordinary threats).
Thanks Rich, it seems not all modern MoBos have it. This doesn't:

http://www.asus.com/uk/Motherboards/A88XMA/specifications/

While this does:

http://www.asus.com/uk/Motherboards/A88XGAMER/specifications/

Besides the complexity of it all and the risk of errors, it's the remote attestation part that worries me a bit. I mean this is not MSWindows, so the only entity I would expect to attest what I'm running on my machine is me. Well, fair enough, portage checks the hashes of the downloaded source files, but I would not want anyone to remotely check anything on my PC. If I enable this TPM thing, do I automatically open ports at pre/post-boot time giving access to my machine? Or is remote attestation something I have a say over?

Also, what happens if the TPM chip, or the whole MoBo blows up? Will I ever be able to access my data using another PC?

-- 
Regards,
Mick
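Rich's warning that an un-noticed grub update can lock you out of a sealed disk key, and his advice to keep a copy of the key elsewhere, are easier to see with a worked illustration. The following Python is an added example, not code from this thread and not a real TPM API: it simulates a PCR register (TPM-style extend, where each boot component is hashed into the previous value) and a seal/unseal operation whose wrapping key depends on both a stand-in storage root key and the PCR value. All the "firmware", "grub" and "kernel" blobs, the root key and the disk key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample "boot components" standing in for the firmware, the
# bootloader and the kernel that a measured-boot chain would hash.
FIRMWARE = b"firmware image v1"
GRUB_V1 = b"grub core.img v1"
GRUB_V2 = b"grub core.img v2 (after an update)"
KERNEL = b"vmlinuz 3.17"

# Stand-in for the TPM's storage root key (hypothetical value). In a real
# chip this never leaves the device, which is why a dead chip or board makes
# the sealed blob useless and an offline copy of the key matters.
SRK = hashlib.sha256(b"hypothetical storage root key").digest()

PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(measurement)).
    One-way and order-dependent, so any change in the boot chain changes
    the final PCR value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Extend each boot component, in boot order, into a simulated PCR."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC counter keystream, enough bytes to mask the secret."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Simulated seal: the wrapping key is derived from SRK *and* the PCR
    value the secret is bound to. A MAC lets unseal detect a PCR mismatch
    instead of silently returning garbage."""
    wrap_key = hmac.new(SRK, expected_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap_key, len(secret))))
    tag = hmac.new(wrap_key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR equals the sealing PCR;
    otherwise return None (the chip "no longer trusts" the boot path)."""
    wrap_key = hmac.new(SRK, current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(wrap_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    ks = _keystream(wrap_key, len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def boot_scenarios() -> dict:
    """Walk through install, normal reboot, a grub update without
    re-sealing, and recovery from the escrowed copy."""
    disk_key = hashlib.sha256(b"constructed disk master key").digest()
    escrow_copy = disk_key  # the copy kept "somewhere safe"

    # 1. Install: measure the chain and seal the disk key to that PCR.
    chain_v1 = [FIRMWARE, GRUB_V1, KERNEL]
    blob = seal(disk_key, measure_boot_chain(chain_v1))

    # 2. Ordinary reboot with the same chain: the key is released.
    same_boot = unseal(blob, measure_boot_chain(chain_v1))

    # 3. grub updated but the TPM not re-sealed: PCR differs, key withheld.
    chain_v2 = [FIRMWARE, GRUB_V2, KERNEL]
    after_update = unseal(blob, measure_boot_chain(chain_v2))

    # 4. Recovery: the escrowed copy still opens the disk and can be
    #    re-sealed to the new chain, after which normal boots work again.
    blob_v2 = seal(escrow_copy, measure_boot_chain(chain_v2))
    resealed = unseal(blob_v2, measure_boot_chain(chain_v2))

    return {
        "same_boot_ok": same_boot == disk_key,
        "after_update_ok": after_update == disk_key,
        "escrow_ok": escrow_copy == disk_key,
        "resealed_ok": resealed == disk_key,
    }


if __name__ == "__main__":
    for name, ok in boot_scenarios().items():
        print(f"{name}: {ok}")
```

Scenario 3 is the failure mode Rich describes: nothing is corrupted, the sealed blob is intact, but the measured chain no longer matches, so the simulated chip withholds the key. Scenario 4 is why the offline copy matters: with it the key can be re-sealed to the updated boot path, and it is also the only thing that helps if the chip holding SRK is gone.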