Rich Freeman via plug on 21 Jan 2022 17:21:18 -0800
Re: [PLUG] chip
On Fri, Jan 21, 2022 at 11:02 AM jeffv via plug <plug@lists.phillylinux.org> wrote:
>
> For those worried about Microsoft's Pluton TPM chip: Lenovo won't even
> switch it on by default in latest ThinkPads

I haven't heard of Pluton before, but it just sounds like a TPM implementation. Most CPUs have them built-in these days, if not MS's specific version. They all can be used to lock a motherboard to a signed OS, and newer CPUs also have the ability to be flashed with a one-time signature that can further lock them to a signed firmware. They can also do all the other stuff associated with TPMs, like full-disk encryption that only decrypts if the boot path is not tampered with.

Linux and grub support TPMs in general - not sure about Pluton specifically, but I'm sure they'll add support for it if not. I'm not aware of any distros that take advantage of it, though ChromeOS uses a TPM for user profile encryption in a way that is a little unconventional.

I'm just saying this really is nothing new. The TPM on my PC and convertible were both disabled by default in firmware - I enabled them to use BitLocker on the convertible.

I do realize that this stuff can be used to lock down hardware, but we've had secure boot for many years now and MS has yet to go back on their promise not to require lockdown for Windows certification. Actually, the last I heard, for retail PCs they required it to NOT be locked down to be certified. This is why you can turn off secure boot on all PCs (the exception they made was for some ARM hardware they were selling at a loss, though I don't think that went anywhere).

If somebody really wanted to, they could probably add support to coreboot and a distro so that you'd get an end-to-end signed firmware and OS, using your own CA that you control, such that any tampering with the OS or firmware would disable the device. I think a lot of modern CPUs also support memory encryption, so you could probably also lock the entire thing down.
The concept of being able to lock down the hardware isn't a bad thing. It is just that the only people who seem to bother using it are those who would desire to lock the system down against its owner...

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
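The "full-disk encryption that only decrypts if the boot path is not tampered with" point in the post above rests on two TPM mechanisms: PCR extend (each boot component is hashed into a register in order, and there is no way to undo an extend) and sealing (a secret is bound to a policy over expected PCR values, so it is only released when the registers match). The model below is an added example written for this page, not code from the thread or from any distro; it uses only the Python standard library and does not talk to a real TPM. The boot components, PCR indexes and the XOR-under-KEK sealing construction are constructed for illustration; a real chip keeps the secret inside the TPM and checks the policy itself, whereas here the key-encryption key is simply derived from the expected PCR state so a mismatch produces garbage that the MAC rejects.

```python
"""Model of TPM measured boot + sealing (added example, stdlib only, no real TPM).

The point it shows: once a volume key is sealed to the PCR values of a known-good
boot chain, altering any measured component (a swapped kernel, a different
firmware image) changes the PCRs and the sealed blob can no longer be opened.
That is both the protection and the operational caveat: legitimate firmware or
bootloader updates also change the PCRs, so the key has to be re-sealed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PCR_INIT = b"\x00" * 32  # a SHA-256 bank PCR starts as 32 zero bytes


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measurement)).

    Order matters and nothing can be 'un-extended', so an altered or
    reordered component changes the final value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Measure an ordered list of boot components into one PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def policy_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Hash over the selected PCR indexes and their values (like TPM2_PolicyPCR)."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(idx.to_bytes(4, "big") + pcrs[idx])
    return h.digest()


def _kek(pcrs: Dict[int, bytes]) -> bytes:
    # Modelling choice (assumption): derive the key-encryption key from the policy.
    return hashlib.sha256(b"seal-kek|" + policy_digest(pcrs)).digest()


def seal(secret: bytes, expected_pcrs: Dict[int, bytes]) -> bytes:
    """Bind a 32-byte secret to an expected PCR state; returns ciphertext || tag."""
    if len(secret) != 32:
        raise ValueError("model seals exactly 32 bytes")
    kek = _kek(expected_pcrs)
    ct = bytes(s ^ k for s, k in zip(secret, kek))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the current PCR state matches the sealed one."""
    kek = _kek(current_pcrs)
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None  # policy mismatch: boot chain differs from what was sealed
    return bytes(c ^ k for c, k in zip(ct, kek))


# Constructed boot chain for the demo (not real firmware or kernel measurements).
GOOD_BOOT: Dict[int, bytes] = {
    0: measure_boot([b"firmware-1.0"]),                    # PCR0: platform firmware
    4: measure_boot([b"grub-signed", b"vmlinuz-5.15"]),    # PCR4: boot manager + kernel
}


def demo() -> Dict[str, bool]:
    """Seal a volume key to the good chain, then try three boot scenarios."""
    volume_key = os.urandom(32)  # e.g. the passphrase for a LUKS key slot
    blob = seal(volume_key, GOOD_BOOT)

    tampered = dict(GOOD_BOOT)
    tampered[4] = measure_boot([b"grub-signed", b"vmlinuz-evil"])
    updated = dict(GOOD_BOOT)
    updated[0] = measure_boot([b"firmware-1.1"])

    return {
        "untouched boot unseals": unseal(blob, GOOD_BOOT) == volume_key,
        "tampered kernel is refused": unseal(blob, tampered) is None,
        "firmware update is also refused (re-seal needed)": unseal(blob, updated) is None,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {ok}")
```

Which PCRs you bind to decides how brittle this is: sealing to the firmware-code PCR means every vendor firmware update locks you out until you re-seal, while binding only to the secure-boot policy PCR survives updates of signed components but does not notice a swapped kernel that is still validly signed. Real deployments do this with tpm2-tools or systemd-cryptenroll rather than the model above, and always keep a recovery key outside the TPM.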