build: enable TPM by default? #1815

jonboulle · 2015-12-01T03:31:54Z

Capturing discussion from #1775 (diff) - I wrote:

... this is just deciding to build with TPM based on whether the header is present; I'm wondering if we should instead make it a ./configure flag. (This arguably collapses into my question about error handling; if that degrades safely in the no-tpm-actually-present-on-running-system case, then maybe we should just ALWAYS build with TPM?)

@mjg59 wrote:

I don't have strong feelings - I think there's maybe a stronger argument for a disable flag than an enable one?

Following our "secure by default" philosophy, I'm inclined to agree - we should consider making tpm the default build behaviour (requiring those libs, rather than autodetecting them), and providing an opt-out option to configure.

jonboulle added area/developer tooling kind/friction area/security labels Dec 1, 2015

jonboulle added this to the v0.14.0 milestone Dec 1, 2015

jonboulle mentioned this issue Dec 1, 2015

stage0: add container hash data into TPM #1775

Merged

iaguis mentioned this issue Dec 4, 2015

release v0.13.0 #1839

Merged

alban modified the milestones: v0.16.0, v0.15.0 Jan 7, 2016

alban assigned krnowak Jan 7, 2016

jonboulle mentioned this issue Jan 19, 2016

stage0: re-evaluate tpm.Extend in critical path #1816

Closed

alban added the priority/P2 label Jan 19, 2016

krnowak mentioned this issue Jan 19, 2016

build: Add configure flags for controlling tpm logging #1996

Merged

alban modified the milestones: v1.0.0, v0.16.0 Jan 20, 2016

jonboulle modified the milestones: v1.1.0, v1.0.0 Jan 27, 2016

5852 alban closed this as completed in #1996 Feb 1, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build: enable TPM by default? #1815

build: enable TPM by default? #1815

build: enable TPM by default? #1815

build: enable TPM by default? #1815

Comments