Chris Adams <cmadams <at> hiwaay.net> writes:
...
I think there is some misunderstanding about what the discussion is
supposed to be about. The supporting open source code is already in
Fedora. The feature request is simply to modify grubby/anaconda to set
up the boot entries to include the support by default (or when the
hardware is found).
Hi,
I think Fedora should be careful here - it is a minefield.
It is treacherous, as already expressed by other and competent people. Respect
them, there was a reason they said that.
I personally think that free and open-source product should stay away from
TPM entirely.
One one hand - it is about trusted boot:
This can already be achieved partially now, with open-source tools (GPG, etc),
and can be enhanced with e.g. a combination of hardware/software solution that
would be *non-hardwired*, *portable*, *open-source* and *"free"*, and up to
machine owner and user to utilize.
Signed where appropriate with *your* GPG key.
Think of what the trend and the state-of-art-and-mind are in regard to this;
Iwao's post is very helpful here.
http://lists.fedoraproject.org/pipermail/devel/2011-June/153456.html
This could be achieved now or soon without deep fundamental considerations,
by the open-source community itself.
On the other hand - it is about OS isolation (OS rings):
Ring (computer security)
http://en.wikipedia.org/wiki/Ring_%28computer_security%29
This is a separate issue, in my mind.
In this sense, TPM is about "ring -1", and in the future "ring -2",
etc :-)
This is about virtualization, and more.
It goes much deeper into OS design and architecture, hardware and software.
It should be addressed fundamentally by competent people, companies and
organizations.
Leave it to them, but watch and participate.
Finally.
Btw, TPM, or TXT exactly, can be hacked too (that has been done already).
JB