[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Jun 12 14:02:33 CEST 2015

On 06/11/2015 06:34 PM, Kevin O'Connor wrote:
> On Wed, Jun 10, 2015 at 10:58:40AM -0400, Stefan Berger wrote:
>> On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
>>> Thanks.  It does look much better to me.  What's the difference
>>> between enabled and activated?  Can you describe it or point me to a
>>> link?
>> So I'll ditch the physical presence part for now , ditch that bool patch and
>> post the menu patch on top of the cleanups.
>> Here the link to the documentation about the TPM 1.2 states:
>> http://www.trustedcomputinggroup.org/resources/tpm_main_specification
>> Access document Part 1 - Design Principles. Section 9.4 and subsections
>> explain the different states of the TPM 1.2.
>>  From the spec 9.4.1:
>> "A disabled TPM is not able to execute commands that use the
>> resources of a TPM. While some commands are available (SHA-1 for
>> example) the TPM is not able to load keys and perform TPM_Seal and
>> other such operations. These restrictions are the same as for an
>> inactive TPM. The difference between inactive and disabled is that a
>> disabled TPM is unable to execute the TPM_TakeOwnership command. A
>> disabled TPM that has a TPM Owner is not able to execute normal TPM
>> commands."
>>  From the spec 9.4.2:
>> "A deactivated TPM is not able to execute commands that use TPM
>> resources. A major difference between deactivated and disabled is
>> that a deactivated TPM CAN execute the TPM_TakeOwnership
>> command. [...]"
> Thanks.  Unfortunately I'm still confused.
> The above seems to say that the only difference between disabled and
> deactivated is that one can't take ownership of a disabled TPM.  But,
> if that's the case, when a tpm is active, why does the menu provide
> for both "Deactivate the TPM" and "Prevent installation of an owner"?
> (And, why would anyone want to take "ownership" of a TPM that is
> disabled/deactivated anyway?)

 From that link to the TPM 1.2 specs you see in section 9.4 that there 
are actually 3 independent state bits of the TPM:
- active/deactivated
- enabled/disabled
- taking ownership is possible / is not possible

These 3 bits can only be modified while one interacts with the firmware 
( physical presence must be asserted ). I am giving control in the menu 
over these 3 bits because the firmware is the right and only place to do 
this. I admit that these fine grained controls are confusing, though 
that's the controls TPM 1.2 allows per its spec.


> -Kevin

More information about the SeaBIOS mailing list