Loading the system token on Chrome start-up has been implemented for bug 655266.
However, CL https://chromium-review.googlesource.com/c/512662/ has changed the behavior to only load the system token when the TPM is ready[1] on Chrome start-up.
In the edge case of device enrollment, this means that:
- before enrollment, the TPM is not ready, so the system token will not be loaded
- after enrollment, nothing re-triggers loading of the system token on the sign-in screen. Only an affiliated user sign-in OR a Chrome restart (including sign-out) will trigger it.
Currently this is not an issue, because the system token can contain no client certificates on a freshly enrolled device, as these can only be added in user sessions. In the future, we would also like to load the system token after device enrollment for:
- consistency
- future use cases
[1] ready means: TPM is available && TPM is owned && TPM is not being owned (see TpmInit::IsTpmReady in src/platform2/cryptohome/tpm_init.cc)
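The trigger gap described above, as an added model that is not Chromium code: the class and method names, the event sequence and the `load_after_enrollment` switch are assumptions used to illustrate the logic; only the readiness predicate (available && owned && !being_owned) follows the bug text.

```python
from dataclasses import dataclass


@dataclass
class TpmState:
    """Constructed model of the three TPM flags named in the bug's footnote."""
    available: bool = True
    owned: bool = False
    being_owned: bool = False

    def is_ready(self) -> bool:
        # Readiness exactly as the bug states it: available && owned && !being_owned
        return self.available and self.owned and not self.being_owned


class SystemTokenLoader:
    """Hypothetical trigger logic; only the triggers named in the bug are modelled."""
    def __init__(self, tpm: TpmState, load_after_enrollment: bool = False):
        self.tpm = tpm
        # Assumed switch for the fix the bug asks for: also load after enrollment.
        self.load_after_enrollment = load_after_enrollment
        self.loaded = False
        self.log = []

    def _try_load(self, trigger: str) -> None:
        # Loading is gated on TPM readiness and happens at most once per process.
        if self.tpm.is_ready() and not self.loaded:
            self.loaded = True
            self.log.append(f"system token loaded on {trigger}")

    def chrome_startup(self) -> None:
        self._try_load("chrome start-up")

    def enrollment_completed(self) -> None:
        # Per the bug, the TPM is ready after enrollment; modelled as ownership done.
        self.tpm.owned, self.tpm.being_owned = True, False
        if self.load_after_enrollment:
            self._try_load("device enrollment")

    def affiliated_user_signin(self) -> None:
        self._try_load("affiliated user sign-in")


def simulate_fresh_enrollment(load_after_enrollment: bool) -> SystemTokenLoader:
    """Chrome starts while the TPM is still being owned, enrollment completes,
    then the sign-in screen is shown with no further trigger (constructed sequence)."""
    loader = SystemTokenLoader(TpmState(being_owned=True), load_after_enrollment)
    loader.chrome_startup()        # TPM not ready: nothing loaded
    loader.enrollment_completed()  # TPM now ready: loads only with the fix enabled
    return loader
```

Without the switch the token stays unloaded on the sign-in screen until an affiliated sign-in or restart; with it, enrollment itself becomes the trigger.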
Comment 1 by pmarko@chromium.org, May 23 2017