Should security.tpm2 be enabled by default?

I saw that 20.09 now has security.tpm2.

Should it be enabled by default on system with tpm 2 support?

Are those chips trustworthy like the (Trusted Platform Module) name says?

I think I saw somewhere that we can use tpm for rng and storing keys.

1 Like

That would require support for detection in nixos-generate-config and given that it not even detects your graphics driver, I find that quite unlikely.

They are as trustworthy as the companies that make them and the governments of the countries of manufacture. For comparison I would say they are as trustworthy as the Intel Management Engine.

1 Like

Maybe that could be handled by nixos-hardware instead.

Is /dev/random (or urandom I don’t remember which one to use) trust-worthy with an Intel CPU if we don’t trust Intel?

They’re as trustworthy as they can get, but it’s important that you purchase them directly from the manufacturer without any 3rd parties.

As an example, if you buy a motherboard and a TPM module directly from MSI then your risk is not greater than the risk of buying the motherboard itself. If you buy the motherboard from a non-manufacturer source then you can still buy the TPM from the manufacturer, so your level of trust relies on how much you trust MSI (your motherboard manufacturer) in the end. If you didn’t trust them, you wouldn’t be using that motherboard.

Part of why the TPM isn’t integrated into the motherboard is to assure that you get it from the manufacturer - even if you buy your motherboard from another source.

1 Like
Hosted by Flying Circus.