On Wed, Jun 10, 2015 at 10:58:40AM -0400, Stefan Berger wrote:
> On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
> >Thanks. It does look much better to me. What's the difference
> >between enabled and activated? Can you describe it or point me to a
> >link?
>
> So I'll ditch the physical presence part for now, ditch that bool patch and
> post the menu patch on top of the cleanups.
>
> Here is the link to the documentation about the TPM 1.2 states:
>
> http://www.trustedcomputinggroup.org/resources/tpm_main_specification
>
> Access document Part 1 - Design Principles. Section 9.4 and subsections
> explain the different states of the TPM 1.2.
>
> From the spec 9.4.1:
>
> "A disabled TPM is not able to execute commands that use the
> resources of a TPM. While some commands are available (SHA-1 for
> example) the TPM is not able to load keys and perform TPM_Seal and
> other such operations. These restrictions are the same as for an
> inactive TPM. The difference between inactive and disabled is that a
> disabled TPM is unable to execute the TPM_TakeOwnership command. A
> disabled TPM that has a TPM Owner is not able to execute normal TPM
> commands."
>
> From the spec 9.4.2:
>
> "A deactivated TPM is not able to execute commands that use TPM
> resources. A major difference between deactivated and disabled is
> that a deactivated TPM CAN execute the TPM_TakeOwnership
> command. [...]"

Thanks. Unfortunately I'm still confused. The above seems to say
that the only difference between disabled and deactivated is that one
can't take ownership of a disabled TPM. But, if that's the case, when
a TPM is active, why does the menu provide for both "Deactivate the
TPM" and "Prevent installation of an owner"? (And, why would anyone
want to take "ownership" of a TPM that is disabled/deactivated
anyway?)

-Kevin
