Yeah, this requires some form of remote attestation to handle the policy - you can't validate it locally. The quote from the TPM is signed with a key that chains back to the TPM's endorsement key (and the EK certificate certifies that it chains back to the TPM manufacturer) so it's not arbitrarily fakeable, and there's an embedded nonce that's provided by the system requesting the quote so you can't just replay old quotes.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Re: Confused
Date: 2016-04-05 04:01 am (UTC)