OLD | NEW |
(Empty) | |
| 1 # Introduction |
| 2 |
| 3 This page is meant to help keep track of [TPM](Glossary.md) use across the syste
m. It may not be up-to-date at any given point, but it's a wiki so you know wha
t to do. |
| 4 |
| 5 # Details |
| 6 |
| 7 * TPM ownership management: |
| 8 > > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;
f=README.tpm |
| 9 |
| 10 * TPM\_Clear is done (as in vboot\_reference) but in the firmware code itself
on switch between dev and verified modes and in recovery. (TODO: link code) |
| 11 |
| 12 * TPM owner password clearing (triggered at sign-in by chrome): |
| 13 > > http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/brow
ser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=
HEAD#l861 |
| 14 |
| 15 * PCR extend (no active use elsewhere): |
| 16 > > http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=
blob;f=firmware/lib/tpm_bootmode.c |
| 17 |
| 18 * NVRAM use for OS rollback attack protection: |
| 19 > > http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=
blob;f=firmware/lib/rollback_index.c |
| 20 |
| 21 * Tamper evident storage: |
| 22 > > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;
f=README.lockbox |
| 23 |
| 24 * Tamper-evident storage for avoiding runtime device management mode changes: |
| 25 > > http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/brow
ser/chromeos/login/enrollment/enterprise_enrollment_screen.cc |
| 26 |
| 27 * User key/passphrase and cached data protection: |
| 28 > > http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;
f=README.homedirs |
| 29 |
| 30 * A TPM in a Chrome device has an EK certificate that is signed by an intermed
iate certificate authority that is dedicated to the specific TPMs allocated for
use in Chrome devices. OS-level self-validation of the platform TPM should be vi
able with this or chaining any other trust expectations. |
| 31 |
| 32 * TPM is used for per-user certificate storage (NSS+PKCS#11) using opencryptok
i but soon to be replaced by chaps. Update links here when chaps stabilizes (Eac
h user's pkcs#11 key store is kept in their homedir to ensure it is tied to the
local user account) This functionality includes VPN and 802.1x-related keypairs
. |
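Review bot: Two entries ship without a code reference: line 10 ends in "(TODO: link code)" for the firmware TPM_Clear on the dev/verified switch and in recovery, and line 32 says "Update links here when chaps stabilizes" without linking the current opencryptoki path. Since line 3 states that the page exists to keep track of TPM use, link the firmware code that performs the clear and the present PKCS#11 integration point, or replace the inline TODOs with tracked bugs. On line 13 the link is the only one carrying a blob hash and a line anchor (#l861), while every other entry links to the file only; name the function in the text or drop the anchor so the reference does not end up pointing at unrelated code as login_utils.cc changes. The last sentence of line 30 ("should be viable with this or chaining any other trust expectations") does not say what is validated against what; if the intent is that the OS can check the EK certificate against the Chrome-device intermediate CA, say so directly. Line 32 is also missing a period before "This functionality", and line 10 reads more clearly if "but in the firmware code itself" is rephrased to state where the call lives relative to vboot_reference.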