Ronaldo Nascimento via plug on 22 Jan 2022 07:07:19 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] chip


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256


What about the https://frame.work/laptop


They just released the firmware as open source.

https://github.com/FrameworkComputer/EmbeddedController

I am hoping for a AMD version before I buy.

-----BEGIN PGP SIGNATURE-----


iQEzBAEBCAAdFiEEzE929VrchZN2qaFunBqrMuPICOQFAmHsHXEACgkQnBqrMuPI

COTxEwgArzCAMkpRcJ1nz06T66aYvD9itGY0vku4Fb1PpzzK9IZU6rMP2Nc8kAhm

nqVeEAaJwzidYMpN7026uMgAJgTAeqvFU7yAcJO+Sarjs9oUrDkid5kYPiGrQjqF

Pke/VOOa0rppa/IwwtzEmnPvRBsKZv+Q9K5/0wVsF5w1MOqRv9nkewEsdwL8aiq2

3mZUirYopkoU79adSsibprCtLbuYqoesHacclCIH7ItM0b19bOOvKCHvprVhzPUj

bBpo+VczI6vG5rPJzgisbt2LScf0Jm5dokBE19+yudYCApip1RvjnasSEdGYMr3X

xEIe5MT/RdPRqSNcDc86VT/OP5RGEQ==

=1XK0

-----END PGP SIGNATURE-----



On Fri, Jan 21, 2022 at 8:21 PM Rich Freeman via plug <plug@lists.phillylinux.org> wrote:
On Fri, Jan 21, 2022 at 11:02 AM jeffv via plug
<plug@lists.phillylinux.org> wrote:
>
> For those worried about Microsoft's Pluton TPM chip: Lenovo won't even
> switch it on by default in latest ThinkPads

I haven't heard of Pluton before, but it just sounds like a TPM
implementation.  Most CPUs have them built-in these days, if not MS's
specific version.  They all can be used to lock a motherboard to a
signed OS, and newer CPUs also have the ability to be flashed with a
one-time signature that can further lock them to a signed firmware.
They can also do all the other stuff associated with TPMs like
full-disk encryption that only decrypts if the boot path is not
tampered with.  Linux and grub support TPMs in general - not sure
about Pluton specifically but I'm sure they'll add support for it if
not.  I'm not aware of any distros that take advantage of it, though
ChromeOS uses a TPM for user profile encryption in a way that is a
little unconventional.

I'm just saying this really is nothing new.

The TPM on my PC and convertible were both disabled by default in
firmware - I enabled them to use bitlocker on the convertible.

I do realize that this stuff can be used to lock down hardware, but
we've had secure boot for many years now and MS has yet to go back on
their promise not to require lockdown for Windows certification.
Actually, the last I heard for retail PCs they required it to NOT be
locked down to be certified.  This is why you can turn off secure boot
on all PCs (the exception they made was for some ARM hardware they
were selling at a loss though I don't think that went anywhere).

If somebody really wanted to they could probably add support to
coreboot and a distro so that you'd get an end-to-end signed firmware
and OS, using your own CA that you control, such that any tampering
with the OS or firmware would disable the device.  I think a lot of
modern CPUs also support memory encryption, so you could probably also
lock the entire thing down.  The concept of being able to lock down
the hardware isn't a bad thing.  It is just that the only people who
seem to bother using it are those who would desire to lock the system
down against its owner...

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


--
Ronaldo Nascimento  =][=
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug