On 9/11/2015 11:11 AM, Todd Griggins wrote:
>
> Instead we opted to use pluggable modules, specifically, bought two of
> these: http://www.amazon.com/dp/B00U07T0UE Would certainly hope they
> finished it and had it ready for public use! Should I contact the
> vendor?  What would I tell them?  My guess is "SPICY BOMB" may not have
> any idea what I'm talking about.  This seems like a rather serious
> security issue considering it didn't report any errors when taking
> ownership, and setting up the NV areas.

It's not a security issue.  Here's the rationale.

In the usual case, the vendor, in this case Infineon, ships the TPM with 
NV and physical presence unlocked.  This permits the OEM to provision 
the TPM without needing authorization for better manufacturing line 
performance.  It also permits provisioning special "D bit" NV space that 
cannot be done on a locked TPM.  Certificates might go there.

Once the OEM is done provisioning, it locks NV.  It also sets the PP 
attributes based on its firmware needs and locks them.

In your case, you bypassed the OEM.  You're doing the provisioning.  So, 
you want the TPM in its default, unlocked state.

If you, the OEM, shipped to the end user in this state, then you (not 
Infineon) would have a security issue.

------------------------------------------------------------------------------
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
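The reply above turns on the distinction between a TPM 1.2 in its factory-default state (NV unlocked, physical presence attributes unlocked) and one an OEM has finished provisioning. The state is readable from the TPM_PERMANENT_FLAGS structure, which TPM_GetCapability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT) returns. The following is an added example, not code from the thread or from TrouSerS: it decodes that structure and lists the points an integrator who is "doing the provisioning" themselves would want to confirm before shipping. The field order is taken from the TPM 1.2 Main Specification Part 2 (section 7.1) as I remember it, and the sample blobs are constructed for illustration, not captured from hardware; fetching the blob from a real TPM is outside the example.

```python
"""Decode a TPM 1.2 TPM_PERMANENT_FLAGS blob and report its provisioning state.

Added example (not from the mailing list thread or from TrouSerS). Field order
follows the TPM 1.2 Main Specification Part 2, section 7.1, as returned by
TPM_GetCapability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT). Sample blobs are
constructed test data, not captured hardware output.
"""
import struct

# TPM_STRUCTURE_TAG value for TPM_PERMANENT_FLAGS (assumed from the 1.2 spec).
TPM_TAG_PERMANENT_FLAGS = 0x001F

# Marshaled field order; each BOOL occupies one byte on the wire.
# The last two fields were added in revision 103; older TPMs omit them.
PERMANENT_FLAG_FIELDS = (
    "disable", "ownership", "deactivated", "readPubek", "disableOwnerClear",
    "allowMaintenance", "physicalPresenceLifetimeLock",
    "physicalPresenceHWEnable", "physicalPresenceCMDEnable", "CEKPUsed",
    "TPMpost", "TPMpostLock", "FIPS", "operator", "enableRevokeEK",
    "nvLocked", "readSRKPub", "tpmEstablished",
    "maintenanceDone", "disableFullDALogicInfo",
)


def build_permanent_flags(**set_flags: bool) -> bytes:
    """Marshal a rev-103 TPM_PERMANENT_FLAGS blob from keyword flags (test data)."""
    unknown = set(set_flags) - set(PERMANENT_FLAG_FIELDS)
    if unknown:
        raise ValueError(f"unknown flag names: {sorted(unknown)}")
    body = bytes(1 if set_flags.get(name, False) else 0
                 for name in PERMANENT_FLAG_FIELDS)
    return struct.pack(">H", TPM_TAG_PERMANENT_FLAGS) + body


def parse_permanent_flags(blob: bytes) -> dict:
    """Unmarshal a TPM_PERMANENT_FLAGS blob into a {field_name: bool} dict."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a structure tag")
    (tag,) = struct.unpack(">H", blob[:2])
    if tag != TPM_TAG_PERMANENT_FLAGS:
        raise ValueError(f"unexpected structure tag 0x{tag:04X}")
    body = blob[2:]
    full = len(PERMANENT_FLAG_FIELDS)
    if len(body) not in (full - 2, full):
        raise ValueError(f"unexpected flag body length {len(body)}")
    return {name: body[i] != 0
            for i, name in enumerate(PERMANENT_FLAG_FIELDS[:len(body)])}


def provisioning_findings(flags: dict) -> list:
    """Return the items still open before a device could be shipped to an end user.

    An empty list means NV is locked and physical presence handling is fixed,
    which is the state the reply says an OEM leaves the TPM in.
    """
    findings = []
    if not flags["nvLocked"]:
        findings.append("NV storage is unlocked: NV space can be defined and "
                        "written without owner authorization (factory default)")
    if not flags["physicalPresenceLifetimeLock"]:
        findings.append("physical presence attributes are not lifetime-locked")
    if flags.get("physicalPresenceCMDEnable"):
        findings.append("physical presence can be asserted by software command")
    return findings


# Constructed samples: a module as it leaves the TPM vendor, and one an OEM
# has finished provisioning (NV locked, PP fixed to the hardware path).
FACTORY_DEFAULT_SAMPLE = build_permanent_flags(
    disable=True, ownership=True, deactivated=True, readPubek=True,
    physicalPresenceCMDEnable=True)
OEM_LOCKED_SAMPLE = build_permanent_flags(
    ownership=True, readPubek=True, physicalPresenceLifetimeLock=True,
    physicalPresenceHWEnable=True, nvLocked=True)


if __name__ == "__main__":
    for label, blob in (("factory default", FACTORY_DEFAULT_SAMPLE),
                        ("OEM locked", OEM_LOCKED_SAMPLE)):
        flags = parse_permanent_flags(blob)
        print(f"{label}: nvLocked={flags['nvLocked']}")
        for item in provisioning_findings(flags) or ["nothing open"]:
            print("  -", item)
```

The parser accepts both the 20-field and the older 18-field body so it works on pre-revision-103 parts; the findings function deliberately reports only on the three flags the reply discusses, so an empty result means "NV locked and physical presence settled", not "TPM fully configured".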