[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control
stefanb at linux.vnet.ibm.com
Wed Jun 10 16:58:40 CEST 2015
On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
> On Wed, Jun 10, 2015 at 07:12:29AM -0400, Stefan Berger wrote:
>> On 06/01/2015 12:54 PM, Kevin O'Connor wrote:
>>> On Tue, May 26, 2015 at 03:48:35PM -0400, Stefan Berger wrote:
>>>> This patch provides an additional menu entry that enables the user to control
>>>> certain aspects of the TPM's state.
>>>> If a working TPM has been detected, the boot menu will look like this:
>>>> Select boot device:
>>>> 1. ata0-1: QEMU HARDDISK ATA-7 Hard-Disk (6144 MiBytes)
>>>> 2. Legacy option rom
>>>> 3. iPXE (PCI 00:03.0)
>>>> t. TPM Menu
>>>> Upon pressing t the TPM menu will be shown:
>>>> 1. Enable TPM
>>>> 2. Disable TPM
>>>> 3. Activate TPM
>>>> 4. Deactivate TPM
>>>> 5. Clear ownership
>>>> 6. Allow installation of owner
>>>> 7. Prevent installation of owner
>>>> Escape for previous menu.
>>>> TPM is enabled, active, does not have an owner but one can be installed.
>>> I'm okay with adding a "t" to the boot menu. However, I think this
>>> sub-menu is too complex and cryptic. (For example, I suspect most
>>> users wont even know what "TPM" means.)
>>> I think I'd prefer something like:
>>> t. TPM Configuration
>>> Upon pressing t the TPM menu will be shown:
>>> The Trusted Platform Module (TPM) is a hardware device in this
>>> machine. It can help verify the integrity of system software.
>>> The current state of the TPM is:
>>> No ownership key has been installed
>>> System software can install an ownership key
>>> Available options are:
>>> d) Disable TPM and clear any ownership key settings
>>> If no change is desired or if this menu was reached by mistake, press
>>> ESC and this machine will be rebooted without change.
>>> Specifically, I think the menu should be a little more verbose (for
>>> users that just explore the menu), it should only be reached if the
>>> given hardware is present, and menu options should only be shown if
>>> they are actually available and make sense to invoke.
>> Here's now the (code for the) menu I created. I hope it's an acceptable
>> middle-ground. This sub-menu will only be available if a TPM has been
>> detected on the machine. Also, only those menu items that can be selected at
>> the moment, considering the state of the TPM, are shown. The allowed
>> scancodes are collected in an array.
> Thanks. It does look much better to me. What's the difference
> between enabled and activated? Can you describe it or point me to a
So I'll ditch the physical presence part for now, ditch that bool patch
and post the menu patch on top of the cleanups.
Here is the link to the documentation about the TPM 1.2 states:
Access document Part 1 - Design Principles. Section 9.4 and subsections
explain the different states of the TPM 1.2.
From the spec 9.4.1:
"A disabled TPM is not able to execute commands that use the resources of a TPM. While some commands are available (SHA-1 for example) the TPM is not able to load keys and perform TPM_Seal and other such operations. These restrictions are the same as for an inactive TPM. The difference between inactive and disabled is that a disabled TPM is unable to execute the TPM_TakeOwnership command. A disabled TPM that has a TPM Owner is not able to execute normal TPM commands."
From the spec 9.4.2:
"A deactivated TPM is not able to execute commands that use TPM resources. A major difference between deactivated and disabled is that a deactivated TPM CAN execute the TPM_TakeOwnership command. [...]"
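As an added illustration of the state distinctions quoted above and of the "only show items that can be selected" rule from the menu description, here is a small C model of a TPM 1.2 state and the menu built from it. This is example code written for this thread, not the SeaBIOS patch's own code; the struct, field names, enum values and the rule that activation can only be toggled while the TPM is enabled are this example's assumptions (the flag names in comments follow TPM_PERMANENT_FLAGS, the field layout is simplified).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified TPM 1.2 state for this example (assumed layout, not SeaBIOS's).
 * The comments name the TPM_PERMANENT_FLAGS bits each field stands in for. */
struct tpm_state {
    bool disabled;    /* TPM_PERMANENT_FLAGS.disable */
    bool deactivated; /* TPM_PERMANENT_FLAGS.deactivated */
    bool owned;       /* an owner has been installed */
    bool ownership;   /* TPM_PERMANENT_FLAGS.ownership: an owner may be installed */
};

/* Menu items from the thread; numbering is this example's own. */
enum tpm_menu_item {
    TPM_MENU_ENABLE = 1,
    TPM_MENU_DISABLE,
    TPM_MENU_ACTIVATE,
    TPM_MENU_DEACTIVATE,
    TPM_MENU_CLEAR_OWNER,
    TPM_MENU_ALLOW_OWNER,
    TPM_MENU_PREVENT_OWNER,
};

static const char *const tpm_menu_text[] = {
    [TPM_MENU_ENABLE]        = "Enable TPM",
    [TPM_MENU_DISABLE]       = "Disable TPM",
    [TPM_MENU_ACTIVATE]      = "Activate TPM",
    [TPM_MENU_DEACTIVATE]    = "Deactivate TPM",
    [TPM_MENU_CLEAR_OWNER]   = "Clear ownership",
    [TPM_MENU_ALLOW_OWNER]   = "Allow installation of owner",
    [TPM_MENU_PREVENT_OWNER] = "Prevent installation of owner",
};

/* Spec 9.4.1 / 9.4.2 as quoted in the thread: a disabled TPM cannot execute
 * TPM_TakeOwnership, a merely deactivated TPM can. On top of that an owner
 * must not already exist and the ownership flag must permit installation. */
bool tpm_can_take_ownership(const struct tpm_state *s)
{
    return !s->disabled && !s->owned && s->ownership;
}

/* Fill items[] with the menu entries that make sense for the current state
 * and return how many were written. Mutually exclusive pairs (enable/disable,
 * activate/deactivate, allow/prevent owner) show only the applicable half. */
size_t tpm_menu_build(const struct tpm_state *s, enum tpm_menu_item *items, size_t max)
{
    size_t n = 0;
#define ADD(i) do { if (n < max) items[n++] = (i); } while (0)
    if (s->disabled)
        ADD(TPM_MENU_ENABLE);
    else
        ADD(TPM_MENU_DISABLE);

    /* Assumption for this example: activation state is only offered while
     * the TPM is enabled, since a disabled TPM restricts the same operations
     * regardless of its activation bit. */
    if (!s->disabled) {
        if (s->deactivated)
            ADD(TPM_MENU_ACTIVATE);
        else
            ADD(TPM_MENU_DEACTIVATE);
    }

    if (s->owned)
        ADD(TPM_MENU_CLEAR_OWNER);        /* owner exists: offer to clear it */
    else if (s->ownership)
        ADD(TPM_MENU_PREVENT_OWNER);      /* no owner, installation allowed */
    else
        ADD(TPM_MENU_ALLOW_OWNER);        /* no owner, installation blocked */
#undef ADD
    return n;
}

/* One-line status like the last line of the menu in the thread. */
int tpm_state_summary(const struct tpm_state *s, char *buf, size_t len)
{
    return snprintf(buf, len, "TPM is %s, %s, %s%s.",
                    s->disabled ? "disabled" : "enabled",
                    s->deactivated ? "deactivated" : "active",
                    s->owned ? "has an owner" : "does not have an owner",
                    (!s->owned && s->ownership) ? " but one can be installed" : "");
}

int main(void)
{
    /* Constructed sample: the state shown at the end of the original menu. */
    struct tpm_state s = { .disabled = false, .deactivated = false,
                           .owned = false, .ownership = true };
    enum tpm_menu_item items[8];
    char line[128];
    size_t n = tpm_menu_build(&s, items, 8);

    for (size_t i = 0; i < n; i++)
        printf("%zu. %s\n", i + 1, tpm_menu_text[items[i]]);
    tpm_state_summary(&s, line, sizeof line);
    printf("%s\n", line);
    return 0;
}
```

Running the block prints a three-item menu (Disable, Deactivate, Prevent installation of owner) followed by the summary line, which matches the state described at the end of the menu in the first message of the thread.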