Comment by AstralStorm
4 months ago
No, these should exist in the TPM and highly volatile memory like CPU cache. This including the decryption code. This can be achieved using mechanisms similar to what Coreboot does before RAM is initialized.
No need for the keys or decryption to touch easily intercepted and rowhammered RAM.
Yes, I think we’re saying the same thing. A TPM is a Secure Enclave.