I once had a cheap Timex watch die from water ingress after running a track workout during a torrential downpour. At the time I joked that it only failed because we ran farther than the 100m rating.
That's a bit surprising to me; I wonder what the root cause of that was. It seems to be shared across multiple products at once, so maybe they had a bad batch of cells?
If I remember correctly it's up to the client program to set up the session, not something to do with the vendor's implementation. It's conceptually similar to how an HTTPS client performs a TLS handshake after opening a socket before it can work with plain HTTP content.
It doesn't help that the TPM spec is so full of optional features (and the N spec versions), so it's often annoying to find out what the vendor even supports without signing an NDA + some.
TPMs work great when you have a mountain of supporting libraries to abstract them from you. Unfortunately, that's often not the case in the embedded world.
Even on desktop it's terrible. I wanted to protect some private keys of a Java application, but there is no way to talk to a TPM using Java, so hands-and-shoulders-up gesture.
The TPM needs a way to authenticate your Java application, since the TPM otherwise does not know whether it's actually talking to your application or something pretending to be it.
This means you generally need an authenticated boot chain (via PCR measurements) and then have your Java app "seal" the key material to that.
It's not a problem with the TPM per se; it's no different if you were using an external smartcard or HSM - the HSM still needs to ensure it's talking to the right app and not an impersonator (and if you use keypair authentication for that, then your app must store the keypair somewhere - you've just moved the authentication problem elsewhere).
Correct, unless you're using a self-encrypting drive the FVEK sits in RAM once it's been released by the TPM during boot. The TPM is only a root of trust; for fast crypto operations without keeping the key in kernel memory you would need something like Intel SGX or ARM TrustZone.
BitLocker no longer leverages SED by default due to vulnerabilities in drive manufacturers' firmware, as of Sept 2019.
> Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.
Take a look at Fretboard Theory by Desi Serna - it spends a lot of time on how different scales are constructed and relating different patterns and chord forms back to the underlying concepts.
If a static analyzer is sound, which is something that can be mathematically proven (formal method), it will find ALL existing issues plus some false positives if it's not complete (which is almost always the case).
You can find incredibly cheap (nearly free) used servers for pickup if you’re patient. If you have cheap electricity (or better yet, provided with your lease), a 2013-era dual Xeon server is pretty compelling at $50.
Apple didn’t make that many, so they would be tough to find. And they were a real pain to actually use. I didn’t find them very friendly at all to work with physically. Very polished, but had a feel of being over-engineered.