On Tue, Aug 26, 2014 at 10:42:31AM -0400, Stefan Berger wrote:
As we discussed
in the past, the main concern I have is the addition
of the TPM boot menu. The problem with the menu is that I suspect
the number of people who will find utility in it is extremely small.
(Most people won't even know what a TPM is.) However, many more users
are likely to see the prompt, click through it, and then get very
confused with the available options and the implications of choosing
them. So, I think it is a poor trade-off of complexity for gain.

Here's the justification for the menu: A TPM can have an owner who
identifies himself via owner password. In the case that the owner forgets
the password, there is no way for the owner to give up ownership of the TPM
unless there is a BIOS menu that allows him to give up ownership under
physical presence (1). Physical presence is only assumed while the BIOS is
active and a user for example pressed a key when the machine initialized to
indicate physical presence. (I would think pressing F11 to enter the BIOS
menu would be enough to indicate physical presence). I don't know of
another way of doing this.

If I understand the intent of the above, the goal is to prevent
malicious software on the guest from reprogramming the TPM without the
users' knowledge. (The malicious software sees that the TPM is
password locked, so it unlocks the TPM, clears the password, and

If this is the intent, can't we just pass a flag (via fw_cfg) from
QEMU command line to SeaBIOS to force a clear? That is, the guest
software can't manipulate the QEMU command line (or its fw_cfg
entries) and so the ability to set a flag there is proof of physical
presence. (Access to the virtual machine disk images and virtual
machine command line is as close to "physical" as one can get.)

On coreboot, a similar solution could be accomplished by setting a
flag in CBFS (the flash). Granted, one doesn't need to be physically
present to reprogram the flash, but if one can reprogram the flash,
they could just as easily reprogram SeaBIOS anyway.