On Sun, Mar 29, 2015 at 8:32 PM, Walter Dnes <waltd...@waltdnes.org> wrote:
>
>   Be careful what you wish for.  I have my doubts that TPM chips would
> boot linux with Microsoft offering "volume discounts" to OEMs.  Call me
> cynical.
>

TPM chips don't control what boots.  They just accept the hash of the
bootloader reported by the firmware and store it (and that is it as
far as the OEM's contribution to the process).  Linux supports TPM
chips, as does trusted grub.  I have no idea if gummiboot or any of
the EFI solutions do (presumably direct to linux works) - you'd need a
TPM-aware bootloader to take advantage of TPM-based full-disk
encryption unless you want to be typing in a password when you boot.
A TPM is still useful with password-based boots since it can enforce a
maximum number of guesses before it destroys the key.  However, the
real magic is when you use a verified boot path so that your system
just magically boots into linux if the boot path is not tampered with,
and if not the hard drive is impossible to read (and you can do all
this while keeping a copy of your disk key safely offline just in
case).

Remember, TPM isn't UEFI - it works differently and has been around in
PCs a lot longer.

-- 
Rich
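A toy model of the measured-boot and sealing path Rich describes above, added here as an illustration; it is not code from the thread, from trusted grub, or from any TPM library. It simulates the two things the post leans on: firmware extending a hash of each boot stage into a PCR (extend-only, order dependent, never settable to a chosen value), and a disk key that the chip will only unwrap when the PCR matches the value it was sealed to, with a guess counter on the password so that a typed PIN cannot be brute-forced. The names (ToyTPM, pcr_extend, boot_and_unlock), the sample boot chain strings and the PIN are all assumptions made for the example; a real deployment talks to the TPM through the kernel driver and tpm2-tools or a TPM-aware bootloader, not through this simulation.

```python
import hashlib
import hmac
import os

PCR_INITIAL = b"\x00" * 32  # SHA-256 PCRs start all-zero at reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(measurement)).
    There is no 'set', only 'extend', so a PCR can never be rolled back
    to a value recorded earlier in the boot."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Firmware measures each stage (firmware, bootloader, kernel...) in order."""
    pcr = PCR_INITIAL
    for image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


class ToyTPM:
    """Software stand-in for a TPM (assumption for this example): seals a
    secret to a PCR value and keeps a dictionary-attack counter on the auth
    value. This is a simulation, not a real TPM interface."""

    def __init__(self, max_failures: int = 5):
        self._srk = os.urandom(32)   # storage root secret; never leaves the chip
        self.max_failures = max_failures
        self.failures = 0

    def _wrap_key(self, pcr: bytes, auth: bytes) -> bytes:
        # The wrapping key depends on SRK, PCR and auth together, so the
        # chip can only unwrap when all three match.
        return hmac.new(self._srk, pcr + auth, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes, auth: bytes = b"") -> dict:
        assert len(secret) <= 32, "toy keystream covers 32 bytes"
        key = self._wrap_key(expected_pcr, auth)
        stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        # The expected PCR (the policy) is public, like a TPM object's public
        # area; the wrapped secret is useless without the SRK inside the chip.
        return {"pcr": expected_pcr, "ct": ciphertext, "tag": tag}

    def unseal(self, blob: dict, current_pcr: bytes, auth: bytes = b"") -> bytes:
        if current_pcr != blob["pcr"]:
            # Policy failure: the boot path changed. Not a guess at the auth
            # value, so it does not count toward lockout.
            raise PermissionError("PCR policy not satisfied: boot path altered")
        if self.failures >= self.max_failures:
            raise PermissionError("TPM in lockout: too many failed auth attempts")
        key = self._wrap_key(current_pcr, auth)
        expected_tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, blob["tag"]):
            self.failures += 1
            raise PermissionError("bad auth value")
        self.failures = 0
        stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def boot_and_unlock(tpm, blob, boot_chain, auth=b""):
    """What a TPM-aware bootloader does: measure the chain, then ask the
    chip for the disk key. Returns the key, or None if the TPM refuses."""
    try:
        return tpm.unseal(blob, measure_boot_chain(boot_chain), auth)
    except PermissionError:
        return None


# Constructed sample boot chains; the byte strings stand in for real images.
GOOD_CHAIN = [b"firmware-v1", b"trusted-grub", b"vmlinuz"]
TAMPERED_CHAIN = [b"firmware-v1", b"trusted-grub-with-keylogger", b"vmlinuz"]


def demo():
    tpm = ToyTPM(max_failures=3)
    disk_key = os.urandom(32)       # the offline recovery copy is this same key
    blob = tpm.seal(disk_key, measure_boot_chain(GOOD_CHAIN), auth=b"pin1234")

    unlocked = boot_and_unlock(tpm, blob, GOOD_CHAIN, b"pin1234") == disk_key
    tampered_refused = boot_and_unlock(tpm, blob, TAMPERED_CHAIN, b"pin1234") is None
    # Wrong PINs on the untampered chain burn the guess counter ...
    for _ in range(3):
        boot_and_unlock(tpm, blob, GOOD_CHAIN, b"0000")
    # ... after which even the correct PIN is refused.
    locked_out = boot_and_unlock(tpm, blob, GOOD_CHAIN, b"pin1234") is None
    return unlocked, tampered_refused, locked_out


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible that the prose only states: swapping the bootloader changes every later PCR value, so the sealed blob becomes unopenable by the chip even though the blob itself sits unencrypted on disk, and the recovery copy of disk_key kept offline still decrypts the volume regardless of what the TPM says. The wrapping here is HMAC-based keystream XOR purely to keep the example dependency-free; it is not how a real TPM protects sealed objects.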
