Re: Bulk encryption capabilities of a TPM

[Alexander Klimov <alserkli () inbox ru>]

Hi.

On Sun, 7 May 2006, Saqib Ali wrote:
> > As far as I can guess, it works as follows: ROM code hashes boot
> > sector and reports the result to the TPM, the boot sector hashes the
> > kernel, et cetera. Kernel reads a blob of data from disk (or USB, or
> > whatever) and asks TPM to decrypt the blob. The TPM uses his own key
> > for decryption of the blob, but TPM outputs the key only if the main
> > CPU's software hash matches the value stored in the blob.
>
> Does the blob of data contain the bulk encryption key?

Yes, blob contains (encrypted) key which is used for disk encryption.

> Or does the the TPM "only" decrypts the bulk encryption key, pass
> it to the CPU, which CPU uses for decryption the whole HDD??

Yes, TPM does not decrypt HDD -- it only extracts the key from the
blob and sends it to CPU.

> Thanks again.

Note again that all this is only an educated guess...

-- 
Regards,
ASK