FineWolf's comments

FineWolf | 7 months ago | on: Secure Boot, TPM and Anti-Cheat Engines

> But the article also says you can replace that public key, also they are from the motherboard, not CPU manufacturer.

No. The article does state that EKs come from your fTPM, which is part of your CPU package.

Without replacing your CPU, you are not replacing your EK, or `EKpub`.

Unless you install a discrete TPM, whose `EKpub` won't be signed by Intel or AMD; thus easily detectable as a discrete TPM.

FineWolf | 7 months ago | on: Secure Boot, TPM and Anti-Cheat Engines

The post does cover that briefly.

> If the TPM is virtualised (vTPM), the EKpub and EKcert validation will fail, as the EK won’t be signed by AMD or Intel.

Using `swtpm` will not give you the ability to create quotes of your PCR that are signed by an Endorsement Key that is itself signed by Intel or AMD.

It will be very obvious that you are using a self-generated key, possibly from a virtualised TPM.

Passing through the host's TPM will lead to multiple boot events being recorded, which will be flagged as an anomaly.
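The certificate-chain check that both comments rely on, as an added example that is not part of the comments or the linked article: it classifies an EK certificate by which pinned root it verifies against. The CAs, keys, names and the `issue` and `classifyEK` helpers are constructed for illustration, and real EK certificates carry TCG-specific extensions that these minimal test certificates omit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent means self-signed.
func issue(cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classifyEK tries the pinned CPU-vendor root first, then the other TPM vendor's root.
func classifyEK(ek, cpuRoot, tpmRoot *x509.Certificate) string {
	kinds := []string{"fTPM (CPU-vendor chain)", "discrete TPM (other vendor chain)"}
	for i, root := range []*x509.Certificate{cpuRoot, tpmRoot} {
		roots := x509.NewCertPool()
		roots.AddCert(root)
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := ek.Verify(opts); err == nil {
			return kinds[i]
		}
	}
	return "unrooted (self-generated, possibly vTPM)"
}

func main() {
	cpuCA, cpuKey := issue("Constructed CPU Vendor Root", nil, nil)
	tpmCA, tpmKey := issue("Constructed dTPM Vendor Root", nil, nil)
	fEK, _ := issue("fTPM EK", cpuCA, cpuKey)
	dEK, _ := issue("dTPM EK", tpmCA, tpmKey)
	swEK, _ := issue("swtpm EK", nil, nil) // self-signed, like a software TPM's key
	println(classifyEK(fEK, cpuCA, tpmCA), "|", classifyEK(dEK, cpuCA, tpmCA), "|", classifyEK(swEK, cpuCA, tpmCA))
}
```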
