Hi,
I'm currently investigating some details about TPM and how they work.
I know the functionality the chips provide, so my question is more about
whether/how they can operate if one has a dual-boot environment.
For example Microsoft states that Windows will automatically take "ownership" of the chip, which will mean that anything in the chip will be cleared?
(https://docs.microsoft.com/en-us/window ... e-overview)
So if I have my favorite Operating System installed which has ownership over the TPM and have stored keys for my disk encryption,
if I then later install Windows, will Windows then automatically clear the TPM and take ownership, leaving me with an encrypted partition for my favorite system I can no longer decrypt?
Anyone who has experience in this direction? Or maybe knows some good sources?
Also, is it possible to use the TPM across operating systems?
Cheers,
Rhodez
TPM (Trusted Platform Module) - Multiple OS Any experience?
Re: TPM (Trusted Platform Module) - Multiple OS Any experience?
I studied it for several years and, despite its small size, it is an extremely complicated device, and I still have not understood it fully.
It logs the hash measurements of the BIOS's various components in a daisy-chained manner to establish a root of trust from system power-on. And the trust chain goes on until the OS finishes booting. Meaning if any of the components that are measured and hashed changes, it raises a flag.
There is a part of it that the O/S can use to store a pub/priv (sealed) key in the chip and use it to encrypt the disk, i.e. BitLocker. There are a myriad of other applications.
So there is a storage area to store these asymmetric keys and registers to store hashes. Since the device is small and not powerful, it only seems to provide a seed from which other keys can be derived and used for various purposes.
It also provides a function to generate random numbers.
key takeaway after spending yrs in the sw industry: big issue small because everyone jumps on it and fixes it. small issue is big since everyone ignores it and it causes catastrophe later. #devilisinthedetails
Re: TPM (Trusted Platform Module) - Multiple OS Any experience?
Thanks for the reply ggodw000.
What you have written is also my understanding of the chip.
Today I finally managed to "talk" with the chip from Linux with tpm2-tools.
I'm pretty sure that I managed to take "ownership" over the chip, and set some owner password and lockout password.
I don't know in how much detail you have examined it. As you say, it is extremely complicated.
But even if I try to set the disableClear attribute, which I have understood should mean that the chip cannot be cleared without a valid password,
I can still clear the entire chip from the "UEFI/BIOS" settings without any form of validation.
Is it really true that I cannot possibly set a password or create a secret which has to be present if a clear should happen in any way, also directly in the machine's UEFI/BIOS settings?
I just ask if someone should know it by chance?
Cheers Rhodez
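As an added example (not posted by anyone in this thread), the shell script below shows the tpm2-tools sequence for what the post describes, namely setting owner and lockout authorization and then setting disableClear under the lockout hierarchy, and a small parser that reads the disableClear bit of TPMA_PERMANENT back out of `tpm2_getcap properties-variable` output. The parser runs on saved output, so the script runs without a TPM; the ownership function needs a real device and tpm2-tools and is only defined, not called. The password values are placeholders. The behaviour worth knowing here, per the TPM 2.0 specification of TPM2_ClearControl and TPM2_Clear: once disableClear is SET, TPM2_Clear is refused under lockout authorization but still accepted under platform authorization, and only platform authorization can reset the bit. The platform hierarchy is held by the firmware, which is why a UEFI/BIOS clear remains possible regardless of the owner or lockout password.

```shell
#!/bin/sh
# Added example, not code from the thread. Part 1: the tpm2-tools calls for
# taking ownership and setting disableClear. Part 2: parse saved
# `tpm2_getcap properties-variable` output to verify the bit, so this runs
# without a TPM. All auth values are placeholders.

# Part 1: needs a TPM (e.g. /dev/tpmrm0) and tpm2-tools. Defined only; call it
# manually as: tpm_take_ownership 'ownerpass' 'lockoutpass'
tpm_take_ownership() {
    owner_auth="$1"     # placeholder: owner hierarchy password to set
    lockout_auth="$2"   # placeholder: lockout hierarchy password to set
    # TPM2_HierarchyChangeAuth on the owner and lockout hierarchies.
    tpm2_changeauth -c owner "$owner_auth" || return 1
    tpm2_changeauth -c lockout "$lockout_auth" || return 1
    # TPM2_ClearControl, disableClear=SET, authorized by the lockout hierarchy.
    # From now on TPM2_Clear is refused under lockout auth; it is still
    # permitted under platform auth (which firmware uses), and only platform
    # auth can clear the bit again.
    tpm2_clearcontrol -C l -P "$lockout_auth" s
}

# Part 2: read the disableClear bit of TPMA_PERMANENT from getcap output on
# stdin. Prints 0 or 1; prints "unknown" and fails if the field is absent
# from the TPM2_PT_PERMANENT section.
disable_clear_bit() {
    awk '
        /^TPM2_PT_PERMANENT:/ { in_perm = 1; next }
        /^[^ ]/               { in_perm = 0 }
        in_perm && $1 == "disableClear:" { print $2; found = 1; exit }
        END { if (!found) { print "unknown"; exit 1 } }
    '
}

# Constructed sample of `tpm2_getcap properties-variable` output as it would
# look after tpm_take_ownership ran (not captured from a real device).
SAMPLE_GETCAP='TPM2_PT_PERMANENT:
  ownerAuthSet:              1
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              1
  inLockout:                 0
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   1'

# Check the sample. On a real machine replace the printf with
#   tpm2_getcap properties-variable | disable_clear_bit
check_sample() {
    printf '%s\n' "$SAMPLE_GETCAP" | disable_clear_bit
}

check_sample
```

Seeing `disableClear: 1` in the output confirms the attribute took effect for the lockout hierarchy; it does not, and cannot, block a clear issued through the platform hierarchy from the firmware setup menu.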