TPM & disk crypto

Erik Tews erik at debian.franken.de
Fri Oct 6 17:37:27 EDT 2006


On Friday, 06.10.2006, 17:29 -0400, Thor Lancelot Simon wrote:
> On Thu, Oct 05, 2006 at 11:51:49PM +0200, Erik Tews wrote:
> > > On Thursday, 05.10.2006, 16:25 -0500, Travis H. wrote:
> > > > On 10/2/06, Erik Tews <erik at debian.franken.de> wrote:
> > > > > On Sunday, 01.10.2006, 23:42 -0500, Travis H. wrote:
> > > > > > Anyone have any information on how to develop TPM software?
> > > > > http://tpm4java.datenzone.de/
> > > > > Using this lib, you need less than 10 lines of Java code for doing some
> > > > > simple TPM operations.
> > > 
> > > Interesting, but not what I meant.  I want to program the chip to verify
> > > that the BIOS, boot sector, root partition conform to *my* specification.
> > > 
> > You can do that (at least in theory).
> > 
> > First, you need a system with a TPM. I assume you are running Linux. Then
> > you boot your Linux kernel and an initrd using the Trusted GRUB
> > bootloader. Your BIOS will report the checksum of Trusted GRUB to the
> > TPM before giving control to your GRUB bootloader.
> 
> And the TPM knows that your BIOS has not lied about the checksum of grub
> how?

The TPM does not know that the BIOS did not lie about the checksum of
GRUB or any other BIOS component.

What you do is, you trust your TPM and your BIOS that they never lie to
you, because they are certified by the manufacturer of the system and the
TPM. (This is why it is called trusted computing.)

So if you don't trust your hardware and your manufacturer, trusted
computing is absolutely worthless for you. But if you trust a
manufacturer, the manufacturer trusts the TPMs he has built and embedded in
some systems, and you don't trust a user that he did not boot a modified
version of your operating system, you can use these components to find
out if the user is lying.
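The chain of measurements described in this thread (BIOS measures the bootloader, the bootloader measures kernel and initrd, each digest is folded into a TPM PCR) can be simulated without hardware. The following Python is an added example, not code from the thread or from tpm4java; it uses the TPM 1.2 extend rule PCR_new = SHA-1(PCR_old || digest), starts from the all-zero reset value, and works on constructed stand-in component images rather than real firmware. The verifier's "specification" is simply the digests of the components the owner expects; a modified kernel shows up as a digest that does not match the specification, and a forged event log shows up as a replayed PCR that does not match the reported one.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || digest)."""
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return sha1(pcr + digest)


def measured_boot(components):
    """Simulate the boot chain: each stage hashes the next component and
    extends the digest into one PCR, starting at the reset value (all zero).
    Returns (final PCR value, event log of (name, digest_hex))."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = sha1(image)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from an event log, as a remote verifier would."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify(reported_pcr, log, spec):
    """Check a reported boot against the owner's specification.
    spec maps component name -> expected digest (hex).
    Returns a list of offending entries; [] means the boot conforms."""
    # A log that does not replay to the PCR the TPM reports has been tampered with.
    if replay_log(log) != reported_pcr:
        return ["<log does not match PCR>"]
    return [name for name, digest_hex in log if spec.get(name) != digest_hex]


# Constructed stand-in images (hypothetical; real measurements cover firmware,
# the bootloader binary, the kernel image and the initrd).
GOOD_CHAIN = [
    ("bios", b"constructed BIOS image v1"),
    ("trusted_grub", b"constructed Trusted GRUB image"),
    ("kernel", b"constructed vmlinuz image"),
    ("initrd", b"constructed initrd image"),
]

# The specification is the set of digests the owner expects for each stage.
SPEC = {name: sha1(image).hex() for name, image in GOOD_CHAIN}


def check_good_boot():
    pcr, log = measured_boot(GOOD_CHAIN)
    return verify(pcr, log, SPEC)


def check_modified_kernel():
    """A user boots a different kernel: Trusted GRUB measures it honestly,
    so the kernel digest in the log no longer matches the specification."""
    chain = [(n, b"constructed modified vmlinuz" if n == "kernel" else img)
             for n, img in GOOD_CHAIN]
    pcr, log = measured_boot(chain)
    return verify(pcr, log, SPEC)


def check_forged_log():
    """A user boots a modified kernel but edits the event log to show the
    expected digest. The PCR held by the TPM still reflects the real
    measurement, so the replayed log does not match it."""
    chain = [(n, b"constructed modified vmlinuz" if n == "kernel" else img)
             for n, img in GOOD_CHAIN]
    pcr, log = measured_boot(chain)
    forged = [(n, SPEC[n]) if n == "kernel" else (n, d) for n, d in log]
    return verify(pcr, forged, SPEC)


if __name__ == "__main__":
    print("good boot:", check_good_boot())
    print("modified kernel:", check_modified_kernel())
    print("forged log:", check_forged_log())
```

The trust argument in the message maps directly onto this code: the verifier can only rely on the PCR comparison because the reset value, the extend operation and the first measurement are performed by the TPM and BIOS, which it trusts. If the BIOS reported a false digest for Trusted GRUB, `measured_boot` would produce a PCR consistent with whatever the BIOS claimed, and the specification check would pass. In a real deployment the reported PCR would arrive as a TPM quote signed by an attestation key rather than as a bare value; that signing step is deliberately left out here.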

