Fedora reexamines "trusted boot"

Posted Jul 7, 2011 17:34 UTC (Thu) by farnz (subscriber, #17727)
In reply to: Fedora reexamines "trusted boot" by nix
Parent article: Fedora reexamines "trusted boot"

I've used the unknown private key mode - the point is to provide me with a way to confirm, beyond all doubt, that the accesses I'm seeing are coming from my trusted hardware, running my trusted OS. Change the OS, or change the hardware, and you need reauthorising with a new key to get on the network; similarly, you can use the hidden private key for encryption of your disk's AES key, which is also stored offline somewhere physically secure. You can thus get the key out again when the TPM fails (and recover your data), it's just hassle typing it in from your laminated printouts. In the meantime, the TPM lets you forget that there is such a key - the hardware knows what it is and ensures you always run a known-good OS.

The evil in TPM is nothing to do with the technical capabilities of the chip - they're fairly innocuous, if tricky to use well; the danger is when the TPM chip is used to store a private key that the user did not ask it to generate; in this situation, the holder of the public key has a path all the way to the machine that bypasses the user's wishes. If the user generates the key and hands the "public" section to the third party, all is well - nothing stops the user lying to the third party and giving them a public key not generated by a TPM.