OLD | NEW |
1 # TPM Quick ref | 1 # TPM Quick ref |
2 | 2 |
3 TODO: this page looks very outdated. glossary.md does not exist, | 3 TODO: this page looks very outdated. glossary.md does not exist, |
4 git.chromium.org does not exist. Delete it? | 4 git.chromium.org does not exist. Delete it? |
5 | 5 |
6 This page is meant to help keep track of TPM use across the system. It may not | 6 This page is meant to help keep track of TPM use across the system. It may not |
7 be up-to-date at any given point, but it's a wiki so you know what to do. | 7 be up to date at any given point, but it's a wiki so you know what to do. |
8 | 8 |
9 ## Details | 9 ## Details |
10 | 10 |
11 * [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/plat
form/cryptohome.git;a=blob;f=README.tpm) | 11 * [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/plat
form/cryptohome.git;a=blob;f=README.tpm) |
12 * TPM_Clear is done (as in vboot_reference) but in the firmware code itself on | 12 * TPM_Clear is done (as in vboot_reference) but in the firmware code itself on |
13 switch between dev and verified modes and in recovery. (TODO: link code) | 13 switch between dev and verified modes and in recovery. (TODO: link code) |
14 * [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chr
omium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650
bd91c27243c589d603740793bb;hb=HEAD#l861) | 14 * [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chr
omium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650
bd91c27243c589d603740793bb;hb=HEAD#l861) |
15 (triggered at sign-in by chrome): | 15 (triggered at sign-in by chrome): |
16 * [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_ref
erence.git;a=blob;f=firmware/lib/tpm_bootmode.c) | 16 * [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_ref
erence.git;a=blob;f=firmware/lib/tpm_bootmode.c) |
17 (no active use elsewhere): | 17 (no active use elsewhere): |
18 * [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb
/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index
.c) | 18 * [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb
/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index
.c) |
19 * [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platfo
rm/cryptohome.git;a=blob;f=README.lockbox) | 19 * [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platfo
rm/cryptohome.git;a=blob;f=README.lockbox) |
20 * [Tamper-evident storage for avoiding runtime device management mode changes]
(http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser
/chromeos/login/enrollment/enterprise_enrollment_screen.cc) | 20 * [Tamper-evident storage for avoiding runtime device management mode changes]
(http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser
/chromeos/login/enrollment/enterprise_enrollment_screen.cc) |
21 * [User key/passphrase and cached data protection](http://git.chromium.org/git
web/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs) | 21 * [User key/passphrase and cached data protection](http://git.chromium.org/git
web/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs) |
22 * A TPM in a Chrome device has an EK certificate that is signed by an | 22 * A TPM in a Chrome device has an EK certificate that is signed by an |
23 intermediate certificate authority that is dedicated to the specific TPMs | 23 intermediate certificate authority that is dedicated to the specific TPMs |
24 allocated for use in Chrome devices. OS-level self-validation of the | 24 allocated for use in Chrome devices. OS-level self-validation of the |
25 platform TPM should be viable with this or chaining any other trust | 25 platform TPM should be viable with this or chaining any other trust |
26 expectations. | 26 expectations. |
27 * TPM is used for per-user certificate storage (NSS+PKCS#11) using | 27 * TPM is used for per-user certificate storage (NSS+PKCS#11) using |
28 opencryptoki but soon to be replaced by chaps. Update links here when chaps | 28 opencryptoki but soon to be replaced by chaps. Update links here when chaps |
29 stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure | 29 stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure |
30 it is tied to the local user account). This functionality includes VPN and | 30 it is tied to the local user account). This functionality includes VPN and |
31 802.1x-related keypairs. | 31 802.1x-related keypairs. |
OLD | NEW |