Is is safe to "Enroll all Factory Default keys" in BIOS? [duplicate]

uefi secure-boot encryption

It sounds like you're not initializing BitLocker at all – these keys are for Secure Boot only, i.e. the PK/KEK/db/dbx variables. The default set configures Secure Boot to allow only operating systems signed by Microsoft (and sometimes by Canonical Ltd.), plus drivers signed by the PC manufacturer.

Secure Boot variables only store public certificates, not private keys, and they are not used for encrypting any data (only verifying signatures). Some firmwares might store them in the TPM-provided NVRAM in order to satisfy the "tamper-resistant" requirement that's in the spec, but other than that, these keys have nothing to do with TPMs.

Shouldn't I generate my own keys? 2b. If I initialize Bitlocker using these factory default keys, does that mean I'm using Infineon (TPM manufacturer) private keys?

TPM 2.0 has "user generated" and "factory default" as two separate worlds (aka key hierarchies) – it is not a toggle switch between the two, but each is used for a different purpose:

  • The "Owner" root key is used to encrypt further keys (including sealing the BitLocker volume key). It is always generated fresh when the user performs the "Take ownership" step. Windows does this step automatically at boot time (Is Initialized: True) and if you clear the TPM then Windows will generate a new key again.

    Certain operations on the "Owner" root key are password-protected (e.g. Windows generates a random password and throws it away). For that reason, initializing the Owner hierarchy is left to the OS – without knowing the password, the firmware can only clear it.

  • The "Endorsement" root key is used to sign attestation certificates (i.e. proofs that a real genuine Infineon TPM is performing the operation). It is factory-set and essentially read-only. BitLocker does not use this key.

  • There is also a "Platform" hierarchy that is used by the firmware itself. Your firmware might use it to store Secure Boot variables within the TPM's NVRAM. I believe HP laptops also store the firmware "setup" password this way.

If you're given a choice between "custom" and "factory default" keys, then it's most likely for Secure Boot, not for the TPM.

(Should you generate your own Secure Boot keys? Probably not. Doing so won't give you additional security for BitLocker or when booting Windows in general. But it can be useful for implementing BitLocker-alike systems on Linux.)

Related

Ubuntu 16.04 can't see my SSD partitions when installing alongside Windows 10
Nautilus crashes when accessing some folders
Unable to make changes in BIOS after 17.10 installation
Using Compiz by default in Unity 2D
Problem with TP-Link TL-WN823N
How do I resize app icons in applications overview on Ubuntu 18.04?
How can I install a newer kernel?
How do I type an `@` (at sign) symbol?
How to open ~/.pam_environment?
Applications not showing in Unity Dash
RealTek Wireless adapter issues. (RTL8192ce and RTL8192cu)
How can I start a separate instance (not profile) of Chromium, with its own icon?