* Posts by rsrsps

2 publicly visible posts • joined 16 Jan 2017

Google reveals its servers all contain custom security silicon

rsrsps

Re: TPM TEE SED turn it on

Just turning on the TPM isn't useful. You need to present the measurements to someone so that they can provide you with the means to unlock some resource that is needed (network access, a keychain, a specific secret, etc.).

The only use case for TPM in, say, a laptop is to enable TPM-bound SED. And that has its own problems - SW installs must be carefully managed to ensure that at a version boundary the SED can still be unlocked even though the TPM has changed - you can do this if you are a vendor [this is how we do it at skyportsys] but good luck if your workload is 2008-or-before Windows or Linux and you aren't running on a platform like ours.
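The two points in that post (a secret is released only against measurements someone checks, and a software update changes the measurements so the SED key must be re-sealed before the reboot) can be simulated with a toy TPM. This is an added illustration, not the poster's code or any Skyport product code; the PCR-extend rule mirrors the TPM's, but the TPM class, the verifier function and all component names and keys are constructed for the example.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts zeroed at power-on


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(event)). Order matters."""
    return sha256(pcr + sha256(event))


def measure_boot(components: list) -> bytes:
    """Fold the boot chain (firmware, option ROMs, loader, kernel ...) into one PCR."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class FakeTPM:
    """Toy TPM: a sealed secret is released only when the live PCR equals its policy."""

    def __init__(self):
        self.pcr = PCR_INIT
        self.sealed = []  # list of (policy_pcr, secret); constructed, not real TPM state

    def boot(self, components: list) -> None:
        self.pcr = measure_boot(components)

    def seal(self, secret: bytes, policy_pcr: bytes) -> None:
        self.sealed.append((policy_pcr, secret))

    def unseal(self):
        """Return the first secret whose policy matches the current PCR, else None."""
        for policy_pcr, secret in self.sealed:
            if hmac.compare_digest(policy_pcr, self.pcr):
                return secret
        return None


def attestation_release(reported_pcr: bytes, known_good: list, secret: bytes):
    """Remote variant: a verifier hands over the secret only for an allowlisted PCR."""
    return secret if any(hmac.compare_digest(reported_pcr, g) for g in known_good) else None


def upgrade_demo(reseal_before_update: bool):
    """Kernel v1 -> v2 update; the SED key survives only if re-sealed to the predicted PCR."""
    firmware, loader = b"bios-1.2", b"grub-2.02"          # constructed component blobs
    kernel_v1, kernel_v2 = b"vmlinuz-4.9", b"vmlinuz-4.10"
    sed_key = b"constructed-sed-unlock-key"
    tpm = FakeTPM()
    tpm.boot([firmware, loader, kernel_v1])
    tpm.seal(sed_key, tpm.pcr)  # bind the SED key to the v1 boot chain
    if reseal_before_update:
        # Vendor-managed update: predict the post-update PCR and seal to it as well.
        tpm.seal(sed_key, measure_boot([firmware, loader, kernel_v2]))
    tpm.boot([firmware, loader, kernel_v2])  # reboot into the new kernel
    return tpm.unseal()
```

Without the pre-update re-seal, `upgrade_demo(False)` returns `None`: the disk stays locked after the reboot, which is the version-boundary problem the post describes.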

rsrsps

amusing

Interesting. We do basically all of this as a service for normal mortal enterprises at Skyport Systems (all of the attestation, etc.).

It's not easy to do, especially because measurement is consistently not the most wonderful thing in the world to make robust, given that the measurement/robustness of most BIOSes is pretty poor since no one is using it, so the vendors mostly don't fix it. PCIe option ROMs, etc. need to be covered. A lot of vendors got caught with their pants down a few years back not even making the flash read-only after booting (and almost everyone screwed up update capsule validation!).

I am really curious if Google actually fails closed or open or some hybrid (fail to honeypot) when they see a failure.