A perhaps related topic that I often find people asking about is: "How do you
trust the TPM itself given today's global economy?" There is one school of
thought that regards the TPM as totally untrustworthy. Another thinks it's
trusted to some degree. The debate seems never-ending without a clear
answer.

I am curious about what experts on this list think of this issue.


> Date: Fri, 14 Nov 2014 09:38:02 -0500
> From: Ken Goldman <[email protected]>
> Subject: Re: [TrouSerS-users] System boot integrity check with TPM
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 11/12/2014 8:43 PM, Luigi Semenzato wrote:
> >
> > Forgive my curiosity,
>
> Feel free to be curious.  We're engineers!
>
> > but how would one use the PCR in this situation?
> > Just getting its value with TPM_PCRRead does not seem secure, because
> > the application would have to trust that the kernel is returning the
> > actual value stored in the TPM, and not making it up, which it might do
> > if it is compromised (by inserting code into the OS image).
>
> You are absolutely correct.  A PCR read by itself is insufficient.
>
> Look at TPM_Quote, which provides an RSA digital signature over the PCR
> values.
>
> Of course, the next problem is trusting that the quote signing key is
> valid.
>
> Look at TPM_CertifyKey, which pushes the problem up one level, and
> TPM_ActivateIdentity, which proves that the quote signing key (or
> certifying key) was a TPM non-migratable key.
>
> It's rooted in the EK certificate, where the TPM manufacturer certifies
> that the part is an authentic TPM.
>
> Your out of band trust root is the TPM manufacturer's public key.
>
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
> End of TrouSerS-users Digest, Vol 93, Issue 7
> *********************************************
>
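As an added illustration of the point Ken makes above (this is example code, not from the thread or from TrouSerS), the following Go program models the TPM 1.2 quote check: the PCR is extended as the TPM does it, the TPM_PCR_COMPOSITE and TPM_QUOTE_INFO structures are serialized, and the verifier recomputes the digest from the PCR values the OS reports plus its own nonce before checking the signature. It assumes the verifier already trusts the AIK public key (the TPM_ActivateIdentity / EK certificate step is left out), and the RSA key and measurement strings are constructed locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// pcrExtend models TPM 1.2 PCR extend: new = SHA-1(old || measurement).
func pcrExtend(old [20]byte, measurement []byte) [20]byte {
	return sha1.Sum(append(old[:], measurement...))
}

// compositeHash serializes a TPM_PCR_COMPOSITE (selection bitmap, valueSize,
// concatenated PCR values) and hashes it; this is the digest a quote covers.
func compositeHash(mask []byte, values [][20]byte) [20]byte {
	n := uint32(20 * len(values))
	buf := []byte{byte(len(mask) >> 8), byte(len(mask))}
	buf = append(buf, mask...)
	buf = append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
	for _, v := range values {
		buf = append(buf, v[:]...)
	}
	return sha1.Sum(buf)
}

// quoteInfo serializes TPM_QUOTE_INFO: version 1.1.0.0, the fixed "QUOT" tag,
// the composite hash and the verifier's 20-byte nonce (externalData).
func quoteInfo(comp, nonce [20]byte) []byte {
	info := append([]byte{1, 1, 0, 0, 'Q', 'U', 'O', 'T'}, comp[:]...)
	return append(info, nonce[:]...)
}

// signQuote models the TPM side of TPM_Quote with an AIK (assumed key):
// PKCS#1 v1.5 over SHA-1 of TPM_QUOTE_INFO, the TPM_SS_RSASSAPKCS1v15_SHA1 scheme.
func signQuote(aik *rsa.PrivateKey, pcrs [][20]byte, mask []byte, nonce [20]byte) ([]byte, error) {
	d := sha1.Sum(quoteInfo(compositeHash(mask, pcrs), nonce))
	return rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA1, d[:])
}

// verifyQuote is the verifier: rebuild the expected digest from the PCR values the
// OS reports and the nonce the verifier chose, then check it under the AIK public key.
// A kernel that lies about a PCR value cannot produce a matching signature.
func verifyQuote(aik *rsa.PublicKey, reported [][20]byte, mask []byte, nonce [20]byte, sig []byte) bool {
	d := sha1.Sum(quoteInfo(compositeHash(mask, reported), nonce))
	return rsa.VerifyPKCS1v15(aik, crypto.SHA1, d[:], sig) == nil
}

func main() {
	aik, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed AIK, trusted out of band
	pcr0 := pcrExtend([20]byte{}, []byte("constructed firmware measurement"))
	mask := []byte{0x01, 0x00, 0x00} // selection bitmap: PCR 0 only
	var nonce [20]byte
	rand.Read(nonce[:])
	sig, _ := signQuote(aik, [][20]byte{pcr0}, mask, nonce)
	fmt.Println("genuine:", verifyQuote(&aik.PublicKey, [][20]byte{pcr0}, mask, nonce, sig))
	lie := pcrExtend([20]byte{}, []byte("value a compromised kernel claims"))
	fmt.Println("forged PCR:", verifyQuote(&aik.PublicKey, [][20]byte{lie}, mask, nonce, sig))
}
```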