07-14-2018 08:43 AM - edited 07-15-2018 02:30 AM
We are thinking of enabling TPM on our systems. But one thing bothers us.
To generate Endorsement Keys and Storage Root Key, the different modules use their seeds.
Seeds which are generated during the manufacturing of the TPM chip.
So if someone could record those seeds during the manufacturing, the TPM becomes a weak point on the system, or even worse.
So, is it possible to regenerate those seeds?
PS: I didn't see any mention of that on the official paper from Lenovo Press: "A Technical Introduction to the Use of Trusted Platform Module 2.0 with Linux"
07-18-2018 11:00 AM
TPM 2.0 has a platform hierarchy, which is indeed set at factory and can't be regenerated. But there are other hierarchies (including for encryption purposes) where the root key isn't generated until you take ownership. And you can always clear the TPM and take ownership again.
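As an added illustration of the answer above (an example script, not from the thread or from Lenovo), this POSIX shell snippet uses tpm2-tools to show that a primary key created in the owner (storage) hierarchy gets a new name after `tpm2_clear`, because the storage primary seed is regenerated, while a primary created under the endorsement hierarchy keeps its name. It assumes tpm2-tools on PATH, a TPM or simulator reachable through the default TCTI, and an empty lockout auth; the hierarchy letters and flags are those of tpm2-tools, while `primary_name` and `demo_clear` are this example's own helpers.

```shell
#!/bin/sh
# Example script (not from the thread). Requires tpm2-tools; clearing the TPM
# destroys every key under the storage hierarchy, so run it only on a test box
# or a simulator (e.g. TPM2TOOLS_TCTI=mssim or swtpm).

# Print the hex "name" (hash of the public area) of a freshly created primary
# key in hierarchy $1 (o = owner/storage, e = endorsement). Primaries are derived
# from the hierarchy seed plus the template, so the name is stable until the seed
# itself is replaced.
primary_name() {
  hier="$1"
  tmp=$(mktemp -d) || return 1
  tpm2_createprimary -C "$hier" -G rsa -c "$tmp/p.ctx" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
  tpm2_readpublic -c "$tmp/p.ctx" -n "$tmp/p.name" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
  od -An -tx1 "$tmp/p.name" | tr -d ' \n'
  rm -rf "$tmp"
}

# Returns 0 when the owner primary changed and the endorsement primary did not,
# 2 when tpm2-tools or a TPM is unavailable (skipped), 1 on any other outcome.
demo_clear() {
  command -v tpm2_clear >/dev/null 2>&1 || return 2
  o_before=$(primary_name o) || return 2
  e_before=$(primary_name e) || return 2
  # tpm2_clear authorises with the lockout hierarchy by default (empty auth
  # in factory state); this regenerates the storage primary seed.
  tpm2_clear >/dev/null 2>&1 || return 1
  o_after=$(primary_name o) || return 1
  e_after=$(primary_name e) || return 1
  [ "$o_before" != "$o_after" ] || return 1   # storage seed was regenerated
  [ "$e_before" = "$e_after" ] || return 1    # endorsement seed survived the clear
  return 0
}

if demo_clear; then
  echo "owner primary changed, endorsement primary unchanged: as expected"
else
  case $? in
    2) echo "skipped: tpm2-tools or a TPM is not available" ;;
    *) echo "unexpected result" ;;
  esac
fi
```

Because the endorsement seed is untouched by a clear, the manufacturer's EK certificate remains valid afterwards, which is the distinction the answer draws between hierarchies.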