On Wed, Jun 10, 2015 at 10:58:40AM -0400, Stefan Berger wrote:
On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
Thanks. It does look much better to me. What's the difference between enabled and activated? Can you describe it or point me to a link?
So I'll ditch the physical presence part for now , ditch that bool patch and post the menu patch on top of the cleanups.
Here the link to the documentation about the TPM 1.2 states:
http://www.trustedcomputinggroup.org/resources/tpm_main_specification
Access document Part 1 - Design Principles. Section 9.4 and subsections explain the different states of the TPM 1.2.
From the spec 9.4.1:
"A disabled TPM is not able to execute commands that use the resources of a TPM. While some commands are available (SHA-1 for example) the TPM is not able to load keys and perform TPM_Seal and other such operations. These restrictions are the same as for an inactive TPM. The difference between inactive and disabled is that a disabled TPM is unable to execute the TPM_TakeOwnership command. A disabled TPM that has a TPM Owner is not able to execute normal TPM commands."
From the spec 9.4.2:
"A deactivated TPM is not able to execute commands that use TPM resources. A major difference between deactivated and disabled is that a deactivated TPM CAN execute the TPM_TakeOwnership command. [...]"
Thanks. Unfortunately I'm still confused.
The above seems to say that the only difference between disabled and deactivated is that one can't take ownership of a disabled TPM. But, if that's the case, when a tpm is active, why does the menu provide for both "Deactivate the TPM" and "Prevent installation of an owner"? (And, why would anyone want to take "ownership" of a TPM that is disabled/deactivated anyway?)
-Kevin