Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

WHY libata.allow_tpm must be set to 1 #389

Closed northPierre closed 2 years ago

northPierre commented 2 years ago

Hello, for what kind of operation is the TPM used by the SED? (I did not find it in the documentation.)

JaBoMa commented 2 years ago

These may shed some light on your doubts:
https://github.com/Drive-Trust-Alliance/sedutil/issues/334
https://github.com/Drive-Trust-Alliance/sedutil/issues/90

Regards

northPierre commented 2 years ago

I would like to know more about the link between SED and TPM.

JaBoMa commented 2 years ago

I'm sorry, but I am an expert on neither Linux nor SED. As far as I know, the TCG Opal SED does not use the TPM, and I am sure of that. I have especially chosen the disk encrypted according to the Opal specification for my laptop, so that, in case of damage to the PC, I, or my employer, could use that disk with another computer.

In theory, sedutil-cli could use the TPM to hash a password fed to a disk. But I don't know if that is the case. If so, my belief that I could unlock my drive with another computer would be devastated. It seems, however, based on the information in the discussion for issue #90, that sedutil-cli uses an alphanumeric string associated with the given disk instance, not with the computer, to hash the password. Please note that you can also use sedutil-cli with the "-n" option to pass an unhashed password to the disk.

I'm sorry, but, I'm afraid, I can't help more. You will have to find out more about TPM bindings with sedutil-cli and/or with Linux, or someone more knowledgeable about the problem will help you.

Regards

northPierre commented 2 years ago

Thank you for this response, JaBoMa, it helps me.

P.S. If you know someone who would have more information, I'm really interested.

Regards

r0m30 commented 2 years ago

There is no link between sedutil and the TPM. The reason allow_tpm needs to be set to 1 is that the kernel only allows TCG commands to be used on ATA devices when that flag is set.
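A pre-flight check that follows from r0m30's answer, added here as an example (it is not sedutil project code): before running sedutil-cli against a SATA drive, confirm that libata was booted with allow_tpm=1, since that is the gate the kernel applies to TCG commands on ATA devices. It assumes the standard sysfs location of libata module parameters, /sys/module/libata/parameters/allow_tpm, and the GRUB file path is given only as a common place to set the kernel command line.

```shell
#!/bin/sh
# Added example, not part of sedutil. libata only passes TCG Opal commands
# to a SATA device when its module parameter allow_tpm is 1 (default 0).

# Extract the value of libata.allow_tpm from a kernel command line string.
# Prints the value, or "unset" if the parameter is absent; if the parameter
# is repeated, the last occurrence is reported.
allow_tpm_from_cmdline() {
    val="unset"
    for tok in $1; do
        case "$tok" in
            libata.allow_tpm=*) val="${tok#libata.allow_tpm=}" ;;
        esac
    done
    printf '%s\n' "$val"
}

# Report the live setting on this machine. The sysfs entry is read-only,
# so a value of 0 can only be changed by rebooting with libata.allow_tpm=1
# on the kernel command line (e.g. GRUB_CMDLINE_LINUX_DEFAULT in
# /etc/default/grub, then regenerating the GRUB config).
# Returns 0 when TCG commands are permitted on ATA devices, 1 otherwise.
check_live_allow_tpm() {
    sysfs=/sys/module/libata/parameters/allow_tpm
    if [ ! -r "$sysfs" ]; then
        echo "libata not loaded or sysfs unavailable; cannot verify allow_tpm" >&2
        return 1
    fi
    cur=$(cat "$sysfs")
    if [ "$cur" = "1" ]; then
        echo "libata.allow_tpm=1: the kernel will pass TCG commands to ATA drives"
        return 0
    fi
    echo "libata.allow_tpm=$cur: the kernel will reject TCG commands to ATA drives" >&2
    echo "current boot command line has libata.allow_tpm: $(allow_tpm_from_cmdline "$(cat /proc/cmdline)")" >&2
    return 1
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_live_allow_tpm
fi
```

Run it as `sh allow_tpm_check.sh --check` on the host before invoking sedutil-cli; a non-zero exit means the kernel, not the drive, will reject the Opal commands.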