6 comments

[ 2.9 ms ] story [ 27.4 ms ] thread
What version of TPM does this apply to? I've yet to dig deeper into TPM, but what I have read so far is that TPM 1.2 is a nightmare, but TPM 2.0 starts to get reasonable.
TrouSerS and tpm-tools supports TPM 1.2, and tss2 with tpm2-tools supports TPM 2.0. Also, I'm not aware of any hardware with BIOS firmware and TPM 2.0 even if nothing prevents the combination, TPM 2.0 post-dates UEFI. Consumer hardware circa 2016 is when I started seeing predominantly TPM 2.0 appearing.
Yes, the TrustedGRUB2 doesn't yet support UEFI. I wonder will the guide still work if I simply boot in BIOS mode. All motherboards give you both boot options for any bootable drive.
Most, but not all boards with UEFI offer a compatibility support module to present a faux BIOS to the bootloader and OS. The presentation of both options is misleading, in particular the ones that refer to it as "UEFI enable/disable". Anyway if you boot with the faux BIOS, trustgrub2 will work, but no idea whether the TPM is supported via that CSM interface.
My (too simple) TLDR from other thread:

TPM measures stuff, then we put the key in TPM and seal it to PCRs 0-13 measurements (whole boot environment). At boot, TPM will allow tcsd daemon (part of initrd) to read LUKS key once, and only if all measurements match, this is as far as I got. End result is unlocked volume, without any passphrase prompts, neither on console nor via ssh.

https://news.ycombinator.com/item?id=19527493

Update. There were successful TPM attacks by sniffing data from LPC bus wires connecting TPM chip by HW logic analysers. The data is unecripted. "TPM2.0 devices support command and response parameter encryption, which would prevent the sniffing attacks. Windows doesn’t configure this though,". This prevents bare-metal in datacenter use case.

https://pulsesecurity.co.nz/articles/TPM-sniffing