Someone wrote in [personal profile] mjg59 2013-05-08 01:29 pm (UTC)

Re: Let the TPM do the enforcement...

Think of the PCR enforcement as a signature check on your running OS at the time the secret is released. I think it's hard to claim there's no value in that. Some will argue that the binding between PCR state and OS state is too weak - you can potentially replay an event log to put PCRs into a known state - and that's a valid criticism. But there are a lot of trade-offs here in terms of other types of signature checks vs using a TPM.

I've been blogging about some of these issues over here: https://www.ibm.com/developerworks/community/blogs/smartersecurity

Kent
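The "PCR enforcement as a signature check" idea in Kent's comment, as an added illustration that is not part of the original comment or of mjg59's post: a simulated measured boot in Python. There is no real TPM here; PCR extend, sealing and the policy check are modelled with hashlib, and the component images, stage names, known-good list and the sealed secret are all constructed values. It shows the secret being released only when the recomputed PCR matches, and also the weak-binding point Kent raises: the PCR can be reproduced from the event log's digests alone, which is why a verifier should check each logged digest against a known-good list and not only the final PCR value.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# A SHA-256 PCR is 32 zero bytes after reset and can only change via extend,
# never by a direct write (assumption of the simulation, matching TPM semantics).
PCR_INIT = b"\x00" * 32

Event = Tuple[str, bytes]  # (stage name, digest recorded in the event log)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new_pcr = SHA-256(old_pcr || digest).
    The value depends on every digest extended so far and on their order."""
    return hashlib.sha256(pcr + digest).digest()


def measure(image: bytes) -> bytes:
    """What each boot stage does before handing off: hash the next stage."""
    return hashlib.sha256(image).digest()


def boot(chain: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, List[Event]]:
    """Simulated measured boot: extend each stage into the PCR, record the event log."""
    pcr = PCR_INIT
    log: List[Event] = []
    for name, image in chain:
        d = measure(image)
        pcr = extend(pcr, d)
        log.append((name, d))
    return pcr, log


def replay_log(log: Iterable[Event]) -> bytes:
    """Recompute the PCR from the event log alone. Only the digests are needed,
    which is the weak-binding criticism: the PCR value is not tied to the images."""
    pcr = PCR_INIT
    for _name, d in log:
        pcr = extend(pcr, d)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Simulated sealing: bind the secret to a PCR value. A real TPM holds the
    secret internally and enforces the policy itself; this dict stands in for that."""
    return {"policy_pcr": expected_pcr, "secret": secret}


def unseal(blob: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the PCR of the running system matches the policy."""
    if hmac.compare_digest(blob["policy_pcr"], current_pcr):
        return blob["secret"]
    return None


def verify_log(log: List[Event], known_good: Dict[str, bytes], quoted_pcr: bytes) -> bool:
    """What a verifier should do beyond the PCR comparison: confirm the log reproduces
    the quoted PCR AND that every logged digest is on the known-good list."""
    if not hmac.compare_digest(replay_log(log), quoted_pcr):
        return False
    return all(known_good.get(name) == d for name, d in log)


# Constructed boot chain; the bytes stand in for firmware, bootloader, kernel, initrd images.
GOOD_CHAIN = [
    ("firmware", b"constructed firmware image"),
    ("bootloader", b"constructed bootloader image"),
    ("kernel", b"constructed kernel image"),
    ("initrd", b"constructed initrd image"),
]
# Same chain with one stage altered (constructed).
TAMPERED_CHAIN = [
    (n, b"constructed modified kernel image" if n == "kernel" else img) for n, img in GOOD_CHAIN
]
KNOWN_GOOD = {name: measure(img) for name, img in GOOD_CHAIN}
SECRET = b"constructed disk encryption key"


def demo() -> Dict[str, object]:
    good_pcr, good_log = boot(GOOD_CHAIN)
    blob = seal(SECRET, good_pcr)
    bad_pcr, bad_log = boot(TAMPERED_CHAIN)
    return {
        "unseal_good": unseal(blob, good_pcr),          # secret released
        "unseal_tampered": unseal(blob, bad_pcr),       # None: PCR differs
        "replay_matches": replay_log(good_log) == good_pcr,  # log alone reproduces PCR
        "verify_good": verify_log(good_log, KNOWN_GOOD, good_pcr),
        "verify_tampered": verify_log(bad_log, KNOWN_GOOD, bad_pcr),  # digest not known-good
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `replay_matches` result is the crux of the trade-off in the comment: the TPM's check is a deterministic function of the logged digests, so the policy is only as strong as the verifier's knowledge of which digests are acceptable, which is the role `verify_log` plays here.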
