[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control

[Kevin O'Connor]

On Wed, Jun 10, 2015 at 10:58:40AM -0400, Stefan Berger wrote:
> On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
> >Thanks.  It does look much better to me.  What's the difference
> >between enabled and activated?  Can you describe it or point me to a
> >link?
> 
> So I'll ditch the physical presence part for now , ditch that bool patch and
> post the menu patch on top of the cleanups.
> 
> Here the link to the documentation about the TPM 1.2 states:
> 
> http://www.trustedcomputinggroup.org/resources/tpm_main_specification
> 
> Access document Part 1 - Design Principles. Section 9.4 and subsections
> explain the different states of the TPM 1.2.
> 
> From the spec 9.4.1:
> 
> "A disabled TPM is not able to execute commands that use the
> resources of a TPM. While some commands are available (SHA-1 for
> example) the TPM is not able to load keys and perform TPM_Seal and
> other such operations. These restrictions are the same as for an
> inactive TPM. The difference between inactive and disabled is that a
> disabled TPM is unable to execute the TPM_TakeOwnership command. A
> disabled TPM that has a TPM Owner is not able to execute normal TPM
> commands."
> 
> From the spec 9.4.2:
> 
> "A deactivated TPM is not able to execute commands that use TPM
> resources. A major difference between deactivated and disabled is
> that a deactivated TPM CAN execute the TPM_TakeOwnership
> command. [...]"

Thanks.  Unfortunately I'm still confused.

The above seems to say that the only difference between disabled and
deactivated is that one can't take ownership of a disabled TPM.  But,
if that's the case, when a tpm is active, why does the menu provide
for both "Deactivate the TPM" and "Prevent installation of an owner"?
(And, why would anyone want to take "ownership" of a TPM that is
disabled/deactivated anyway?)

-Kevin