Hello Alexander,

Thanks for the response. Few more questions..

> As far as I can guess, it works as follows: ROM code hashes boot
> sector and reports the result to the TPM, the boot sector hashes the
> kernel, et cetera. Kernel reads a blob of data from disk (or USB, or
> whatever) and asks TPM to decrypt the blob. The TPM uses his own key
> for decryption of the blob, but TPM outputs the key only if the main
> CPU's software hash matches the value stored in the blob.

Does the blob of data contain the bulk encryption key?

If the TPM is doing the decryption, why does the CPU needs to have the
key? Or does the the TPM "only" decrypts the bulk encryption key, pass
it to the CPU, which CPU uses for decryption the whole HDD??

Thanks again.
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

[ reply ]