On 9/23/19 12:12 PM, Philipp Stanner wrote:

I've recently flashed coreboot with SeaBIOS and discovered that you folks have added some support in the boot menu to configure the TPM since I last used SeaBIOS.

Now, I never had any direct contact to TPM and only know roughly what it does. As far as I know it's used as a cryptographic coprocessor among other things.

The menu's options confuse me: d. Disable the TPM v. Deactivate the TPM p. Prevent installation of an owner

Why would I want to activate or deactivate it? What's the difference between disabling and deactivating?

Its supports different levels of deactivating TPM functionality.

And who's the owner? What's this good for?

The owner would typically be the admin of the machine and once the TPM 1.2 has a owner it enables certain functionality such as have it create keys.

The only thing I'm concerned about is that some troll could do something fishy with this when having access to the machine.

If you are concerned about this and you don't need the TPM 1.2 it's probably best to deactivate and disable it or remove the driver from the OS.

Would I suffer negative consequences if I disabled TPM support in SeaBIOS config before building?

Unless you decided to use the TPM you are probaby fine if you turn it off.

Stefan

Cheers P. _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org