
Since you seem to know a thing or two about this: what's your take on fTPM? Is it better/worse than a separate TPM module?



The answer is complicated.

IMHO It's clearly better than no TPM... as for whether it's better or worse than a physical chip, it's a different trade-off.

On one side you have:

- higher speed

- higher protection against physical attacks (if only because the die is larger... it's smaller and the "bus" isn't as trivial to interact with)

On the other:

- new side channels (think spectre, meltdown & friends) and they are probably easier to exploit thanks to the higher speed (more samples)

- more parties to trust (microcode, ME, ...)

- erasure is harder

For the specific purpose of hardening passphrases/keys ... use both. :p
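One way to read the "use both" advice in practice is layered key derivation: the final key is derived from a passphrase and from secrets held by each TPM, so that an attacker who recovers only one of the three inputs (by a side channel on the fTPM, by probing the discrete chip's bus, or by guessing the passphrase) still does not have the key. The Python below is an added illustration, not code from the thread or from any TPM stack: the two TPM secrets are constructed random stand-ins for what a real unseal or HMAC operation would release, and the scrypt parameters, salt and `info` label are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for secrets that a firmware TPM and a discrete TPM would
# each release (e.g. an unsealed blob bound to PCR state). Random bytes are used
# here only so the script runs offline; they are NOT real TPM output.
FTPM_SECRET = os.urandom(32)  # hypothetical: would come from the fTPM
DTPM_SECRET = os.urandom(32)  # hypothetical: would come from the discrete TPM


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand for a single output block (length <= 32 bytes)."""
    assert 0 < length <= 32
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_key(passphrase: str, ftpm_secret: bytes, dtpm_secret: bytes,
               salt: bytes, info: bytes = b"example-volume-key") -> bytes:
    """Derive a 32-byte key that depends on all three inputs.

    1. The passphrase is stretched with scrypt so that offline guessing is
       expensive even if both TPM secrets leak.
    2. The stretched passphrase and both TPM secrets are fed through
       HKDF-Extract; losing any one input leaves the attacker with a
       uniformly unpredictable 32-byte gap, not a weaker key.
    All secret inputs are fixed at 32 bytes so concatenation is unambiguous.
    """
    if len(ftpm_secret) != 32 or len(dtpm_secret) != 32:
        raise ValueError("TPM-held secrets are expected to be 32 bytes")
    pw_key = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)  # assumed parameters
    prk = _hkdf_extract(salt, pw_key + ftpm_secret + dtpm_secret)
    return _hkdf_expand(prk, info)


if __name__ == "__main__":
    salt = os.urandom(16)  # stored alongside the encrypted volume
    key = derive_key("correct horse battery staple", FTPM_SECRET, DTPM_SECRET, salt)
    # Any single leaked input does not reproduce the key.
    leaked_ftpm_only = derive_key("wrong guess", FTPM_SECRET, os.urandom(32), salt)
    print("key:", key.hex())
    print("differs with only the fTPM secret:", key != leaked_ftpm_only)
```

In a real deployment the two secrets would be released by each TPM only under the intended platform state, and `salt` would be stored next to the encrypted data; the point the example shows is that the derivation is deterministic for the legitimate user yet changes completely when any one input is wrong.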



