A Beginner's Guide to the TPM
Session information has not yet been published for this event.
One Line Summary
A talk about what the TPM can do, what it should be doing for you in Linux and how we can help it do that.
Every shipping laptop and desktop has had a TPM as part of its hardware inventory for a considerable while now, mostly because of windows which (currently) uses it for bitlocker disk encryption. However, the actual use cases in Linux are very few and we need to change that.
Among its many functions, the TPM can do Signing, private key shielding, measurement, attestation, binding and sealing. These terms are all highly technical security ones, so if you don’t know what they mean, this session will explain them all and the potential use cases.
However, to give a brief use case: key shielding allows a private RSA key to be deposited into shielded memory in a way that it can’t be extracted again. Once this is done the TPM can then sign (admittedly only with RSA2048 keys) any hash from an authenticated source. In theory this means it could shield your gpg key and all your ssh keys in a way that meant even if someone stole your laptop they couldn’t steal your keys. Essentially, this could replace the current GPG stick/crypto stick/yubikey approach to security devices with an easy to use in-laptop alternative which could easily be integrated with desktop key managers … why haven’t we done it yet? come and find out …
Although this talk will touch on the Trusted Security Stack (TSS) and give an overview, because that’s the way we have to talk to the TPM, this talk will mention the TSS as little as possible because it seems to be the primary reason for people avoiding the TPM.
security, TPM, encryption, signing
James Bottomley is a Distinguished Engineer at IBM Research where he
works on Cloud and Container technology. He is also Linux Kernel
maintainer of the SCSI subsystem. He has been a Director on the Board
of the Linux Foundation and Chair of its Technical Advisory Board. He
went to university at Cambridge for both his undergraduate and
doctoral degrees after which he joined AT&T Bell labs to work on
Distributed Lock Manager technology for clustering. In 2000 he helped
found SteelEye Technology, a High availability company for Linux and
Windows, becoming Vice President and CTO. He joined Novell in 2008 as
a Distinguished Engineer at Novell’s SUSE Labs, Parallels (later Odin)
in 2011 as CTO of Server Virtualization and IBM Research in 2016.