On Sat, Feb 21, 2009 at 3:51 PM, Robert Millan <r...@aybabtu.com> wrote:
> I don't agree with this analogy. Unlike cryptography, TPMs have been designed
> from the ground up to serve an evil purpose. They *could* have designed
> them with good intent, for example either of these could apply:
>
> - Buyer gets a printed copy of the TPM's private key when they buy a board.

The private part of the endorsement key _never_ leaves the device (if the manufacturer uses the recommended TPM_CreateEndorsementKeyPair method). Even the device manufacturer doesn't know it. The public key is then signed by the manufacturer's certificate. This ensures that the private key can't be compromised. Besides, you can _disable_ the endorsement key (TPM_DisablePubekRead) to protect your privacy.

The TPM also has a notion of "ownership", and it supports ownership change (which requires the physical presence of the operator).

> - An override button that's physically accessible from the chip can be
> used to disable "hostile mode" and make the TPM sign everything. From
> that point physical access can be managed with traditional methods (e.g.
> locks).

That's not a very good idea.

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel
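As an added illustration of the endorsement-key model described in the reply above (this is not code from the thread, from GRUB, or from any TPM stack), the Go sketch below models the four points made there: the private EK is generated inside a simulated device and has no accessor, the manufacturer only ever sees and certifies the public half, a challenger verifies that certificate against the vendor's CA and rejects one issued by anyone else, and reading the public EK can be switched off afterwards. The vendor name, certificate fields and validity periods are made up for the example; the method names only echo the TPM 1.2 command names quoted in the mail and are not an implementation of those commands.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimTPM is a software stand-in for the chip (illustration, not a TPM stack).
// The private EK sits in an unexported field with no accessor: it never leaves.
type SimTPM struct {
	ek            *rsa.PrivateKey
	pubekReadable bool
}

// CreateEndorsementKeyPair echoes TPM_CreateEndorsementKeyPair: the key is
// generated inside the device and only the public half is handed out.
func (t *SimTPM) CreateEndorsementKeyPair() (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	t.ek, t.pubekReadable = k, true
	return &k.PublicKey, nil
}

// DisablePubekRead echoes TPM_DisablePubekRead: afterwards software can no
// longer read the public EK, so the device cannot be tracked by it.
func (t *SimTPM) DisablePubekRead() { t.pubekReadable = false }

// ReadPubek returns the public EK unless reading has been disabled.
func (t *SimTPM) ReadPubek() (*rsa.PublicKey, error) {
	if t.ek == nil || !t.pubekReadable {
		return nil, errors.New("public EK not readable")
	}
	return &t.ek.PublicKey, nil
}

// Manufacturer holds the CA that certifies public EKs at production time.
type Manufacturer struct {
	caKey  *rsa.PrivateKey
	CACert *x509.Certificate
}

// template builds a minimal certificate template (made-up validity period).
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
	}
}

// NewManufacturer creates a self-signed EK CA (hypothetical vendor name).
func NewManufacturer() (*Manufacturer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := template(1, "Example TPM Vendor EK CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Manufacturer{caKey: k, CACert: cert}, err
}

// CertifyEK signs the TPM's public EK. Only the public half crosses this
// boundary; the vendor never sees, and so cannot leak, the private EK.
func (m *Manufacturer) CertifyEK(pub *rsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template(2, "Endorsement Key"), m.CACert, pub, m.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyEKCert is the challenger's check: the EK certificate must chain to
// the vendor CA it trusts; a certificate from any other CA is rejected.
func VerifyEKCert(ekCert, caCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := ekCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// must panics on error so the demo in main stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	tpm := &SimTPM{}
	pub := must(tpm.CreateEndorsementKeyPair()) // private half stays in tpm
	vendor := must(NewManufacturer())
	ekCert := must(vendor.CertifyEK(pub)) // vendor only ever sees pub
	fmt.Println("EK cert chains to vendor CA:", VerifyEKCert(ekCert, vendor.CACert) == nil)
	tpm.DisablePubekRead()
	_, err := tpm.ReadPubek()
	fmt.Println("public EK readable after DisablePubekRead:", err == nil)
}
```

The thing to notice is what each party can reach: SimTPM exposes no path to `ek`, Manufacturer.CertifyEK takes only an `*rsa.PublicKey`, and the challenger holds nothing but the vendor CA certificate. In a real deployment the same shape applies, with the CA certificate being the vendor's published EK root and the EK certificate being read out of the device's NV storage.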