Thread (33 messages, 5 authors, 2018-12-11)

Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks

From: Jarkko Sakkinen <hidden>
Date: 2018-11-20 23:42:10
Also in: linux-integrity

On Tue, Nov 20, 2018 at 09:17:59AM -0800, James Bottomley wrote:
> OK, the TPM is supposed to provide attestation of the correct
> environment on a device under someone else's control (the classic
> example is laptop provided by a company to an employee).  The device is
> under the physical control of the entity you don't entirely trust so
> the TPM is supposed to attest that they're running an approved OS ...
> we have whole TCG specs for that situation.
For me the classic scenario would be more like protecting an employee
to whom you have given confidential data from 3rd party adversaries. If an
employee to whom you have given confidential data is in fact an adversary, you are
screwed, even if the device is untampered.

Having a device that is less likely to be tampered with would still be a step
in the right direction against 3rd party adversaries, but alone this does not
really solve the puzzle.

There are technologies like ARM TZ and Intel SGX to provide a more secure
host side. But if you have such technologies available you can use them
to run the whole TPM and the problem is solved (at least TZ is used for
this today, and you could use SGX to do the same).

/Jarkko