> the PIN isn't always required.

From the perspective of the TPM, I have now learned that it is required for it to release the key.

Perhaps those updates didn't really reboot in the traditional sense. If you turn the machine fully off and then back on, and it still doesn't ask for a PIN... now you have my attention.

BitLocker can be "paused", which really means the key is written unprotected to disk. This can be done by the user, but also happens temporarily during updates that would change bootchain measurements, because those measurements are used by the TPM to decrypt the key (hence changing them would make the key undecipherable).

I can see someone taking advantage of that under the assumption you can get the machine to update while it's powered on (and already unlocked)... but hopefully that's not what they're calling "TPM+PIN is vulnerable too".
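An added example, not part of any comment in this thread: a PowerShell audit for the "paused" state described above, where a volume is fully encrypted but protection is off. It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated session; the function name `Get-SuspendedBitLockerVolume` is made up for this illustration.

```powershell
# Added example (not from the thread): report BitLocker volumes whose
# protection is suspended, and whether a TPM+PIN protector is configured.
# Run from an elevated PowerShell session on the machine being audited.
function Get-SuspendedBitLockerVolume {
    Get-BitLockerVolume | ForEach-Object {
        # Collect the protector types configured on this volume
        # (for example Tpm, TpmPin, RecoveryPassword).
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Data is encrypted but protection is off: this is the suspended
        # ("paused") state, in which the configured protectors are not
        # needed to unlock the volume.
        $suspended = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                     ($_.ProtectionStatus -eq 'Off')

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            HasTpmPin        = $types -contains 'TpmPin'
            Suspended        = $suspended
        }
    }
}

# List only the volumes that are currently suspended.
Get-SuspendedBitLockerVolume | Where-Object Suspended | Format-Table -AutoSize
```

A volume that shows `HasTpmPin` true and `Suspended` true will boot without asking for the PIN until protection resumes.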