[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Jun 10 16:58:40 CEST 2015

On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
> On Wed, Jun 10, 2015 at 07:12:29AM -0400, Stefan Berger wrote:
>> On 06/01/2015 12:54 PM, Kevin O'Connor wrote:
>>> On Tue, May 26, 2015 at 03:48:35PM -0400, Stefan Berger wrote:
>>>> This patch provides an addtional menu entry that enables the user to control
>>>> certain aspects of the TPM's state.
>>>> If a working TPM has been detected, the boot menu will look like this:
>>>> Select boot device:
>>>> 1. ata0-1: QEMU HARDDISK ATA-7 Hard-Disk (6144 MiBytes)
>>>> 2. Legacy option rom
>>>> 3. iPXE (PCI 00:03.0)
>>>> t. TPM Menu
>>>> Upon pressing t the TPM menu will be shown:
>>>> 1. Enable TPM
>>>> 2. Disable TPM
>>>> 3. Activate TPM
>>>> 4. Deactivate TPM
>>>> 5. Clear ownership
>>>> 6. Allow installation of owner
>>>> 7. Prevent installation of owner
>>>> Escape for previous menu.
>>>> TPM is enabled, active, does not have an owner but one can be installed.
>>> I'm okay with adding a "t" to the boot menu.  However, I think this
>>> sub-menu is too complex and cryptic.  (For example, I suspect most
>>> users wont even know what "TPM" means.)
>>> I think I'd prefer something like:
>>> t. TPM Configuration
>>> Upon pressing t the TPM menu will be shown:
>>> The Trusted Platform Module (TPM) is a hardware device in this
>>> machine.  It can help verify the integrity of system software.
>>> The current state of the TPM is:
>>>    Enabled
>>>    No ownership key has been installed
>>>    System software can install an ownership key
>>> Available options are:
>>>    d) Disable TPM and clear any ownership key settings
>>> If no change is desired or if this menu was reached by mistake, press
>>> ESC and this machine will be rebooted without change.
>>> Specifically, I think the menu should be a little more verbose (for
>>> users that just explore the menu), it should only be reached if the
>>> given hardware is present, and menu options should only be shown if
>>> they are actually available and make sense to invoke.
>>> -Kevin
>> Here's now the (code for the) menu I created. I hope it's an acceptable
>> middle-ground. This sub-menu will only be available if a TPM has been
>> detected on the machine. Also, only those menu items that can be selected at
>> the moment, considering the state of the TPM, are shown. The allowed
>> scancodes are collected in an array.
> Thanks.  It does look much better to me.  What's the difference
> between enabled and activated?  Can you describe it or point me to a
> link?

So I'll ditch the physical presence part for now , ditch that bool patch 
and post the menu patch on top of the cleanups.

Here the link to the documentation about the TPM 1.2 states:


Access document Part 1 - Design Principles. Section 9.4 and subsections 
explain the different states of the TPM 1.2.

 From the spec 9.4.1:

"A disabled TPM is not able to execute commands that use the resources 
of a TPM. While
some commands are available (SHA-1 for example) the TPM is not able to 
load keys and
perform TPM_Seal and other such operations. These restrictions are the 
same as for an
inactive TPM. The difference between inactive and disabled is that a 
disabled TPM is unable
to execute the TPM_TakeOwnership command. A disabled TPM that has a TPM 
Owner is not
able to execute normal TPM commands."

 From the spec 9.4.2:

"A deactivated TPM is not able to execute commands that use TPM 
resources. A major
difference between deactivated and disabled is that a deactivated TPM 
CAN execute the
TPM_TakeOwnership command. [...]"


> -Kevin

More information about the SeaBIOS mailing list