Talk:Trusted Platform Module
There should be some indication of where to find tcsd prior to listing commands which invoke it. Generally, moving onto later steps without resolving problems implementing earlier ones is not a good strategy for following wiki instructions, yet this page currently requires this. [I would edit, but the page clearly needs much more significant editing to update it and I'm not in a position to do that.] --cfr (talk) 16:09, 3 November 2017 (UTC)
Uses and security implications
I'm still not sure what TPM is used for and whether or not it's a good idea to use it at all. It seems like TPM can be used to store LUKS private keys. What's the point of that? It seems like Windows uses it so that a user only has to enter their user password both to unlock the partition and to login. VeraCrypt (and previously TrueCrypt) is against the usage of TPM. —This unsigned comment is by Rdeckard (talk) 11:39, 23 February 2018. Please sign your posts with ~~~~!
The article doesn't reflect the current status of TPM2. It should tell users information about tpm2-tools (AUR) --Jambon (talk) 04:01, 10 June 2018 (UTC)
PCR 0 should be avoided
`--tpm2-pcrs=0+7` flag is flat out wrong, but copied from howto to howto. :-/ (It appeared in a few blogposts, e.g. here, sometimes even with a `,` instead of a `+`, which is “doubly wrong”, in a way.)
man page for `systemd-cryptenroll` explicitly discourages the use of PCR 0: “For most applications it should be sufficient to bind against PCR 7… …it's typically not advisable to include PCRs such as 0…”
The reason is that the key should not be bound to PCRs that change routinely and whose changes are benign. This includes system firmware (PCR 0). On recent Lenovo laptops, for example, firmware updates (`fwupdmgr refresh; fwupdmgr upgrade;`) can appear often, perhaps monthly. The key enrollment should not be invalidated after each firmware upgrade.
That↑ said, the default PCR 7 (picked in absence of the `--tpm2-pcrs` flag) is all that’s needed.
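The two mistakes called out above (a `,` separator where `systemd-cryptenroll` expects `+`, and binding the enrollment to PCR 0 so it breaks on every firmware update) are easy to catch before running the enrollment. The following POSIX shell snippet is an added example written for this talk page; it is not part of systemd or of the wiki article, and the function names `check_pcr_spec` and `normalize_pcr_spec` are the example's own. It only inspects the string that would be passed to `--tpm2-pcrs=` and never talks to the TPM.

```shell
#!/bin/sh
# Added example (hypothetical helper, not systemd code): lint the value that
# would be handed to systemd-cryptenroll's --tpm2-pcrs= option.
#
# check_pcr_spec SPEC
#   exit 0  -> acceptable (e.g. "7", "4+7")
#   exit 1  -> malformed: empty, "," used as separator, or a non-numeric /
#              out-of-range PCR index (TPM 2.0 exposes PCRs 0..23)
#   exit 2  -> well-formed but includes PCR 0 (system firmware), which the
#              systemd-cryptenroll man page advises against binding to
check_pcr_spec() {
    spec=$1
    case "$spec" in
        "")
            printf 'error: empty PCR spec\n' >&2
            return 1 ;;
        *,*)
            printf 'error: "%s" uses "," as separator; systemd-cryptenroll expects "+" (e.g. 7 or 4+7)\n' "$spec" >&2
            return 1 ;;
    esac
    has_zero=0
    old_ifs=$IFS
    IFS='+'
    for pcr in $spec; do
        case "$pcr" in
            ''|*[!0-9]*)
                IFS=$old_ifs
                printf 'error: "%s" is not a PCR index\n' "$pcr" >&2
                return 1 ;;
        esac
        if [ "$pcr" -gt 23 ]; then
            IFS=$old_ifs
            printf 'error: PCR %s is out of range (0..23)\n' "$pcr" >&2
            return 1
        fi
        if [ "$pcr" -eq 0 ]; then
            has_zero=1
        fi
    done
    IFS=$old_ifs
    if [ "$has_zero" -eq 1 ]; then
        printf 'warning: "%s" binds to PCR 0 (system firmware); routine firmware updates will invalidate the enrollment. Prefer the default PCR 7.\n' "$spec" >&2
        return 2
    fi
    return 0
}

# normalize_pcr_spec SPEC
#   Print SPEC with "," replaced by "+" and PCR 0 dropped, i.e. the spec the
#   post above recommends. "0,7" becomes "7"; "0+4+7" becomes "4+7".
normalize_pcr_spec() {
    fixed=$(printf '%s' "$1" | tr ',' '+')
    out=''
    old_ifs=$IFS
    IFS='+'
    for pcr in $fixed; do
        if [ "$pcr" = 0 ]; then
            continue
        fi
        out=${out:+$out+}$pcr
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Stand-alone use: sh pcrcheck.sh 0,7
if [ "$#" -gt 0 ]; then
    check_pcr_spec "$1"
    printf 'suggested --tpm2-pcrs=%s\n' "$(normalize_pcr_spec "$1")"
fi
```

Running it on the spec from the blog posts, `check_pcr_spec 0+7`, returns 2 with the PCR 0 warning, and `normalize_pcr_spec 0,7` prints `7`, which matches the default chosen when `--tpm2-pcrs` is omitted altogether.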