TPM

Trusted Platform Module
Does anyone actually use these? Are they supported by linux at all?
Any major differences between 1.6 and 2.0?
I was thinking of picking up one of these to play around with but if they only work for Enterprise shit and one piece of encryption software made by MS I am not sure if I should bother.

I can say for sure that coreboot supports them and Linux utilizes them for entropy. Other than that, no clue, user.

Interesting, all I have found online is old articles from neckbeards ranting about drm.

I'm also interested
Bump

When they first started talking about this stuff early in the millennium, there was a lot of concern that that would be their main use case - Microsoft backing them as a sort of early form of what we now call secure boot didn't help matters. Of course, given this hardware secure-boot stuff, you can use it for evil (e.g., that spat about Apple locking out Linux on MacBooks) or for good (Purism uses it for their tamper-evident stuff to defend against "evil maid" attacks).

The other thing you can do is disk encryption. I believe you can set things up so that if someone takes out your encrypted disk and puts it in another machine, they won't be able to decrypt it even if they know your password, due to key storage on the TPM.

A lot of current motherboards can emulate them using the PSP/ME and a tamper-resistant EEPROM. All Zen processors have an fTPM and it's reckoned that Intels have them too.

tpm_luks allows you to store your LUKS encryption keys in it

> Does anyone actually use these?
No.
> Are they supported by linux at all?
Yes.
> Any major differences between 1.6 and 2.0?
AFAIK less prone to a cold boot attack.

Isn't it dangerous? Thief comes in, takes your PC and not just disks, boots it up - done.

You could futz around with TPM/TOTP and have the computer verify itself to you rather than the other way around.

Psp?

Interesting, I did not realize that LUKS is compatible with TPMs.

All business laptops have them. It's a standard feature.

Platform Security Processor, AMD's management engine running on an ARM core that handles the ephemeral TME key, CRNG, checks µcode signatures etc.

Same thing as Intel's little botnet thing in all but name really.

I don't get the point of grabbing these for casual DIY consumer use. They're usually expensive and most consumer boards don't even support them. You can store encryption keys on them but what's the point? If someone steals your entire computer you're fucked because they get the TPM module too.

>They are usually expensive.
$20 is expensive?
Is this some thing where amd motherboards don't support them so certain anons insist they are shit, or do you just have no idea what you are talking about?

Last time I looked they were more expensive and I could hardly find the right type of module from a reputable source. It's like nobody buys this shit.

>Does anyone actually use these?
>No
Confirmed for not having a job where data sensitivity is a concern. I work IT at a public university, the TPM being enabled is required for Bitlocker to work (not sure what the Macs have). State law also mandates no data leaves the university, so I'm also involved in the removal and cataloging of pulled drives. They're then physically destroyed by a company specializing in physical destruction of hard drives.

Playstation portable

As far as we know, it does not have the same access and apparently does shut down (since the ARM core is also used to initialize the CPU) after control of the CPU is given to the OS (if you actually disable it in the UEFI), and I find it believable; I highly doubt AMD would pay off official researchers like Intel does.

Where do you take the information from that most motherboards don't support them? Never seen one made in the past 10 years without, unless we are really talking like LGA 775 boards for OEM.

> the TPM being enabled is required for Bitlocker to work
Do you use Vista still?

> If someone steals your entire computer you're fucked because they get the TPM module too.
Answer this, TPM apologists.

I'm going to butcher the explanation but you don't have to store your decryption key on the TPM. It can also be used as a sort of secondary verification where both your decryption key and the value stored on the TPM are necessary to decrypt the drive.

> It can also be used as a sort of secondary verification where both your decryption key and the value stored on the TPM are necessary to decrypt the drive.
Well, I can understand 2FA.

>They're then physically destroyed by a company specializing in physical destruction of hard drives
why not do that yourself? all you need is a drill. do you need some certification to destroy data?

It's corporate red tape BS, possibly combined with onerous govt regulations.

This shit is common in big organizations, and yeah, some of it's regulatory bureaucracy, but a lot of it's just management ass-covering. Some auditor is eventually gonna come poking around looking for trouble (since fucking with you is literally his job), or there'll be some busybody who has it in for you or your department or who just wants to make a name for himself to get a promotion. And it's an advantage to be able to say to him "no, really, it is destroyed. If you don't wanna take my word for it, here's the contract we have with the other company to destroy the data". That either shuts him down or at least makes it someone else's problem and not yours, since the rules of the game are (mostly) that if you contract with someone else to do something, you're allowed to assume they do what they said they'd do.

Anyone who's worked in a big IT department could probably rattle off a dozen examples of this same behavior; it's everywhere.

The manuals state that you shouldn't use the module if you have your operating system running with the fTPM, doing so would cause shit to go wrong.

The TPM checks a few things about the PC like firmware checksums and hardware configs but only acts as a key binder/verifying device, not an authenticator. It's for this reason that it's recommended you pause BitLocker when changing AM4 CPUs or updating the firmware.

It's the operating system's responsibility to authenticate the user; it's the TPM's responsibility that the encryption stays safe and doesn't get out unless it's sure the device isn't altered.

You still need to log in to your Windows user.
The benefit of TPM is that you can have a truly strong encryption key for your storage, while still having a more normal password for your user (e.g. a PIN), so that you won't have the hassle of entering a 48 character key every time you turn on your computer. If any aspect of the firmware or boot process is tampered with, the TPM will detect it and BitLocker will ask for the full recovery key. The TPM also makes the login process brute-force-proof, so even a simple PIN will be virtually unbreakable.
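The three claims made across this thread (a key that is useless when the disk is moved to another machine, the "both the PIN and the TPM value are needed" idea, and the recovery key being demanded after firmware changes) all follow from one mechanism: measured boot into PCRs plus sealing a key to a PCR state. The following is an added toy model written for this page, not code from any poster, from a TPM vendor, or from BitLocker or LUKS. Everything in it is constructed: the "chip seed", the XOR-plus-HMAC key wrap, the single PCR, the five-failure lockout and the recovery key string are stand-ins for the real TPM 2.0 primitives (PCR banks, authorization policies, the dictionary-attack counter, and vendor-specific sealed blob formats).

```python
"""Toy model of measured boot and TPM key sealing. Constructed example, not a real TPM API."""
import hashlib
import hmac
import secrets

PCR_SIZE = 32  # one SHA-256 PCR; a real TPM has 24 per hash bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR 'extend': new = SHA-256(old || SHA-256(measurement)).
    Firmware can only fold new measurements in; nothing can set a PCR to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold each boot component (firmware, bootloader, kernel...) into the PCR in order."""
    pcr = bytes(PCR_SIZE)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def _wrap(key: bytes, vmk: bytes) -> bytes:
    """Toy key wrap: XOR with a key-derived pad, then an HMAC tag over the ciphertext.
    Stand-in for the TPM's internal authenticated encryption; illustration only."""
    pad = hashlib.sha256(b"pad" + key).digest()
    ct = bytes(a ^ b for a, b in zip(vmk, pad))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def _unwrap(key: bytes, blob: bytes):
    """Return the wrapped key, or None if the tag does not verify (wrong key)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    pad = hashlib.sha256(b"pad" + key).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class ToyTPM:
    """The parts of a TPM the thread argues about: a per-chip secret, a PCR, a failure counter."""

    def __init__(self, max_failures: int = 5):
        self.seed = secrets.token_bytes(32)  # unique per chip and never exported
        self.pcr = bytes(PCR_SIZE)
        self.failures = 0
        self.max_failures = max_failures  # constructed lockout threshold

    def boot(self, components):
        self.pcr = measure_boot(components)

    def _key(self, pin: str) -> bytes:
        # The sealing key needs chip seed AND current PCR state AND the PIN, so a
        # stolen PIN, a cloned disk, or altered firmware each fail on their own.
        return hmac.new(self.seed, self.pcr + pin.encode(), hashlib.sha256).digest()

    def seal(self, vmk: bytes, pin: str) -> bytes:
        """Seal a volume master key to the PCR state at seal time plus a PIN."""
        return _wrap(self._key(pin), vmk)

    def unseal(self, blob: bytes, pin: str):
        """Release the VMK only if PCRs match, the PIN is right and the chip is not locked.
        Failures are counted inside the chip, which is what stops PIN brute force."""
        if self.failures >= self.max_failures:
            return None
        vmk = _unwrap(self._key(pin), blob)
        self.failures = self.failures + 1 if vmk is None else 0
        return vmk


def make_recovery_blob(vmk: bytes, recovery_key: str) -> bytes:
    """Second copy of the VMK wrapped under the long recovery key only, independent of the TPM."""
    return _wrap(hashlib.sha256(recovery_key.encode()).digest(), vmk)


def recover(blob: bytes, recovery_key: str):
    return _unwrap(hashlib.sha256(recovery_key.encode()).digest(), blob)


def demo() -> dict:
    """Walk through the four scenarios raised in the thread; returns which behaved as claimed."""
    firmware_ok = [b"firmware v1", b"bootloader", b"kernel"]       # constructed measurements
    firmware_bad = [b"firmware v1 (modified)", b"bootloader", b"kernel"]
    recovery = "RECOVERY-KEY-PLACEHOLDER"  # constructed; BitLocker's is 48 digits
    vmk = secrets.token_bytes(32)
    tpm = ToyTPM()
    tpm.boot(firmware_ok)
    blob = tpm.seal(vmk, "1234")
    rec = make_recovery_blob(vmk, recovery)
    r = {}
    tpm.boot(firmware_ok)                                 # 1. normal boot, right PIN
    r["normal"] = tpm.unseal(blob, "1234") == vmk
    tpm.boot(firmware_bad)                                # 2. firmware changed: PCR differs
    r["tampered"] = tpm.unseal(blob, "1234") is None      #    even the right PIN fails...
    r["recovery"] = recover(rec, recovery) == vmk         #    ...so you fall back to recovery key
    other = ToyTPM()                                      # 3. disk moved to another machine
    other.boot(firmware_ok)
    r["moved"] = other.unseal(blob, "1234") is None       #    same PCRs, same PIN, other seed
    tpm.boot(firmware_ok)                                 # 4. PIN guessing hits the lockout
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        tpm.unseal(blob, guess)
    r["locked_out"] = tpm.unseal(blob, "1234") is None    #    even the right PIN is refused now
    return r


if __name__ == "__main__":
    print(demo())
```

The model also shows why the earlier post recommends suspending BitLocker before a firmware update or CPU swap: the update legitimately changes what gets measured, so scenario 2 triggers and the only way back in is the recovery key. Real TPMs add a reset timer to the lockout counter and let the OS choose which PCRs the seal depends on, which is the knob that decides how much hardware or firmware change is tolerated.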

Can you do this with LUKS or is this only supported by bitlocker?

There are some ways to implement TPM features in LUKS, but they require some work and I have never tried it personally.

Does bitlocker even work for versions of windows after 7?
Really makes you think.

Yes, why do you ask?

Anyone else have any suggestions for using a TPM in GNU/Linux? Sounds like it's a barely documented mess that I might be able to get working if I spent a week figuring it out.