[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control
stefanb at linux.vnet.ibm.com
Fri Jun 12 14:02:33 CEST 2015
On 06/11/2015 06:34 PM, Kevin O'Connor wrote:
> On Wed, Jun 10, 2015 at 10:58:40AM -0400, Stefan Berger wrote:
>> On 06/10/2015 10:38 AM, Kevin O'Connor wrote:
>>> Thanks. It does look much better to me. What's the difference
>>> between enabled and activated? Can you describe it or point me to a
>> So I'll ditch the physical presence part for now , ditch that bool patch and
>> post the menu patch on top of the cleanups.
>> Here the link to the documentation about the TPM 1.2 states:
>> Access document Part 1 - Design Principles. Section 9.4 and subsections
>> explain the different states of the TPM 1.2.
>> From the spec 9.4.1:
>> "A disabled TPM is not able to execute commands that use the
>> resources of a TPM. While some commands are available (SHA-1 for
>> example) the TPM is not able to load keys and perform TPM_Seal and
>> other such operations. These restrictions are the same as for an
>> inactive TPM. The difference between inactive and disabled is that a
>> disabled TPM is unable to execute the TPM_TakeOwnership command. A
>> disabled TPM that has a TPM Owner is not able to execute normal TPM
>> From the spec 9.4.2:
>> "A deactivated TPM is not able to execute commands that use TPM
>> resources. A major difference between deactivated and disabled is
>> that a deactivated TPM CAN execute the TPM_TakeOwnership
>> command. [...]"
> Thanks. Unfortunately I'm still confused.
> The above seems to say that the only difference between disabled and
> deactivated is that one can't take ownership of a disabled TPM. But,
> if that's the case, when a tpm is active, why does the menu provide
> for both "Deactivate the TPM" and "Prevent installation of an owner"?
> (And, why would anyone want to take "ownership" of a TPM that is
> disabled/deactivated anyway?)
From that link to the TPM 1.2 specs you see in section 9.4 that there
are actually 3 independent state bits of the TPM:
- taking ownership is possible / is not possible
These 3 bits can only be modified while one interacts with the firmware
( physical presence must be asserted ). I am giving control in the menu
over these 3 bits because the firmware is the right and only place to do
this. I admit that these fine grained controls are confusing, though
that's the controls TPM 1.2 allows per its spec.
More information about the SeaBIOS