Forgot your password?
typodupeerror
Technology

IBM On Trusted Computing, Linux 36

Posted by timothy
from the trust-us-it's-linux dept.
An anonymous reader writes "A number of IBM's computers have been available with an "embedded security subsystem (ESS)" for some time now. This site lists three research papers regarding the new TCPA (Trusted Computing Platform Initiative) security chip developed by IBM, including the full GPL-ed source code to a Linux driver for this chip. In particular, the 'Why TCPA?' paper claims that IBM's TCPA chip is in fact of extremely limited use for DRM, as it contains no tamper resistance; the chip is designed to fend off software attacks, not physical attacks. An interesting take from a company with very solid products."
This discussion has been archived. No new comments can be posted.

IBM On Trusted Computing, Linux

Comments Filter:
  • DRM == no sale. (Score:1, Interesting)

    by Anonymous Coward
    It's that simple.

    ~~~

    • Re:DRM == no sale. (Score:4, Insightful)

      by ciaran_o_riordan (662132) on Monday May 19, 2003 @07:00PM (#5994899) Homepage
      Unfortunately, It's not that simple.

      There are two possibilities:

      M$ software will only run on Trusted Computers.
      RIAA music will only play on Trusted Computers.
      MPAA(?) movies will only play on Trusted Computers.
      M$ & Friends will pressure other software companies to require Trusted Computers, under the name of Security or Reliability or Legal-clarity.

      Option two is that non-Trusted computers could be made illegal, there is a draft of a proposal to make this law in USA. Will it happen? The RIAA, M$, and MPAA will claim it's necessary to prevent the growing "piracy" trend.

      If you do have the option of buying a general computer, you may find it's not much use. And if you put up with that, don't expect Joe Public to stand with you in solidarity, he'll be too busy bopping away to his new "enhanced" Hooty and the Blowfish CD.

      Ciaran O'Riordan
      • by Anonymous Coward
        RIAA music will only play on Trusted Computers.
        MPAA(?) movies will only play on Trusted Computers.

        You forgot "the first time" at the end of each of those sentences :).

      • Re:DRM == no sale. (Score:5, Interesting)

        by brianjcain (622084) on Monday May 19, 2003 @07:07PM (#5994939) Journal
        Apparently not...(Did you RTFA?) I had always been against TCPA, but here's an excerpt:
        What TCPA is Not Some of the papers critical of TCPA claim that TCPA is primarily intended to support Digital Rights Management (DRM), such as the copy protection of music or video data, on behalf of the content owners. They argue that TCPA would take away user rights on their own machines, preventing backup, time and space shifting of legally purchased content. Debating the merits of DRM is a complex, controversial topic, and won't be covered here. ... (Personally, I do not believe it is possible do provide effective copy protection at all, but that's another paper).


        The TCPA chip is not particularly suited to DRM. ...
        If you ask me, I would think Linux, et al could leverage whatever benefit provided by well-documented TCPA chips (if any), and ignore the others. You probably already didn't like Microsoft's software anyways, so why waste time worrying how they'll utilize TCPA?


        (Now gov't mandating of TCPA hw/sw is some seriously dangerous shit. Let's keep way away from there).
      • Re:DRM == no sale. (Score:3, Insightful)

        by Loosewire (628916) *
        i HATE what you just said...
        beacuse i know its true
        how many people do we all know who rushed to get windows media player 9. True example 1 "But tim - it gives them the right to delete all your Mp3's"
        "Yeah but they wouldnt do that would they - and anyway it has new flashy effects".
        True example 2 "But sam it is full of DRM and adds DRM to all your ripped tracks" -
        "Yeah but you can switch it off - look there's an option"
        "And if you beleive that then bill gates is my drinking buddy"
      • Oh well, Palladium is just nukes in one superpower's hand. Spreading the 'nukes' across different platforms will enforce a balance of power stalling unilateral strikes. I can only see trouble in the divide between different abilities provided by CA signed keys: cheap or free consumer keys Vs. developer keys (like domain wide SSL keys versus single host keys). This technology will become part of the platforms, we'd better start concentrating on the social model implememted in this technology rather that comp
      • There are two possibilities:

        M$ software will only run on Trusted Computers.
        RIAA music will only play on Trusted Computers.
        MPAA(?) movies will only play on Trusted Computers.
        M$ & Friends will pressure other software companies to require Trusted Computers, under the name of Security or Reliability or Legal-clarity.

        Security for whom? Security for MS, which will have yet another way to lock competitors out of the marketplace. Security for Disney et al., who will have a level of control over digital med

  • by Tumbleweed (3706) on Monday May 19, 2003 @07:08PM (#5994945)
    "Trust the computer. The computer is your friend."
    - bumpersticker seen on car in Microsoft parking lot :)
  • by stanwirth (621074) on Monday May 19, 2003 @07:09PM (#5994954)

    These are absolutely terrific articles. Their distribution of an open source TCPA linux module satisfies a lot of concerns and questions many of us had about TCPA in a concrete and specific manner.

    One concern still exists: that DRM and Palladium will be used to create a "mainstream" set of M$ applications which give people the illusion of security, while concentrating most of the information and control in the hands of the few.

    The most important step people in the open source community can take next are to get a system with a TCPA chip and start developing drivers, firewall systems, proxies and applications that make good solid use of the technology: tsshd, tsquid, tsftp, thttpsd, tbsd, toggd, tnamed, texim, tkonq...

  • In other words... (Score:4, Informative)

    by Eneff (96967) on Monday May 19, 2003 @07:29PM (#5995078)
    Ignore any threat of the local attack, the remote attack is the important one.

    Watch out with that line of thinking... The ideal system has reasonable internal security as well. If a disgruntled employee can get access to these public/private key pairs, you're worse off than before, because you still maintain the illusion of security.
    • Nope (Score:3, Informative)

      by DreadSpoon (653424)
      I think there is a communication problem here. The article used "remote" to mean not-in-hardware; i.e., all software. It didn't mean just over the network.

      An employee can get to the keys, but only by hacking the hardware. A possibility (as clearly explained in the articles), but not likely. It's also questionable when getting these keys would _do_; they only seem useful for the single machine itself. And I'd presume a good admin would clear/reset any keys if the machine is transfered to another employ
  • by curious.corn (167387) on Monday May 19, 2003 @08:05PM (#5995253)
    ... let's just, for a moment, cast aside paranoid suspicion (and I'm a paranoid & suspicious chap!). IFF these papers are correct TCPA is an encrypted storage location with some extra logic. In this location the user can store ~/.ssh/*.key and make shure the application interacting with the logic isn't sniffing the un-encrypted stream to some remote location. This NEEDS to be embedded in the BIOS to prevent kernel backdooring and simply embeds chain of trust throughout the hardware. I'd like to see this chip bussed to a smartcard to authenticate private root keys to a hashed ssh-agent binary (whether roaming on different PCs or on my own WS...)
    I'm also shure that MediaPlayer 10 will be DRMd to the marrow but take note that in the past ridiculously encumbered online music services went titsup in no time while more reasonable services (Apple) seem to strke a balance.
    In the past ID tracking such as the PentiumIII ID were dealt with properly so I don't think abuses would be tolerated. People always enjoys the empowering thought of having the option to take a free ride and imposing a "police" computer would vastly outrage the consumer base.
    So long as the control on the hadware keys is left to the users I agree with this particular spin from IBM; it's just a secure smartcard system.
    It still CAN be extended to require encryption and trust all the way to the DVI interface but that I think would require a heck of a business infrastructure to implement, maintain and persuasion effort.
    And given IBM's perspective there's no interest in the user base to proceed in further HW lockdown... all WE would do is to sign on OUR terms a kernel build and that's it; once that's in place, the chip will process OUR keys in OUR best interest... and if some pigopolist wants force something down our throat their business model will fail (as it has repeatedly done).
    I'd go for it, just for the sake of my ssh/gpg keyring, and in the future credit card numbers... do you trust an ecommerce site asking to handle it for you?)
  • Like cable modems... (Score:2, Informative)

    by zbowling (597617) *
    There ability to be attach locally is like cable modems firmware chips. Descused on CableModemHack.com [cablemodemhack.com] (A website of tools to uncap your cable modem), an effort to replace the firmware locally is underway for a lot of models of cable modems. It seems that cable modems are wonderful against software attacks, but very open to hardware attacks.

    Hardware attacks, I guess, are not a common senerio that hardware designers really think much about.
  • The big question (Score:5, Interesting)

    by spitzak (4019) on Monday May 19, 2003 @11:25PM (#5996313) Homepage
    The paper seems to skip around the huge unanswered question:
    Is there a private key that third parties know that it is impossible for the owner of the computer to know?

    The paper makes it sound like all key pairs are either randomly generated or that the chip can be fed a public key. However it is a bit vague, and I suspect the answer is that there are also non-random pairs in there, where third parties know the private key but you don't. They skirt around this by saying "Bios startup is quite complex" but I think the real answer is that there unless hashes have matched up to a point these secret public keys are inaccessible.

    This system is absolutely useless for security as all exploits actually cause supposedly correct programs to follow the wrong instructions. This is like claiming current systems are secure because you cannot change the microcode and invent new machine instructions. It's purpose is so that it is impossible to get any kind of modified or different operating system in there, and still be able to run DRM programs, which could decode information using the secret key.

    The fact that IBM and everybody else has refused to answer this question (I think the answer here was skirted around with some bullshit about the "BIOS startup being quite complex") makes me think they are lying.

    The fact that having a high-speed encryption chip is quite useful is being used to hide the real purpose. Do you really think the same people who think Winmodems are a good idea are that interested in adding hardware just to speed up a function that can be done in software?

    They also make a point about the random key generation, which is interesting, because it keeps the private key completely in the hardware where no program can see it and thus be fooled to reveal it. However I am curious if this is actually a defense against any real exploits. I have not heard of exploits that involve revealing the private key of a previously-negotiated pair, most involve fooling the system into doing something unwanted through an already opened and legitimate channel, or fooling it into using another public key that the attacker already knows the private one for. Can any experts find any real exploits where a temporary and untransmitted private key was revealed? If not then I would also suspect this is a smoke-screen, attempting to turn the fact that the chip has secret keys into a benefit. I would also think that 99% of the benifit, if any, could be achieved by loading the chip with a random pair and then making sure the program has eradicated all knowledge of the pair. There have been expoits in weak random number generators, and in this case the random number generator is in hardware and no longer easily fixed.

    and even the fact that you can generate key pairs

    • Re:The big question (Score:5, Interesting)

      by jareds (100340) on Tuesday May 20, 2003 @12:39AM (#5996618)

      The paper seems to skip around the huge unanswered question: Is there a private key that third parties know that it is impossible for the owner of the computer to know?

      The second paper on the page answers that question in the affirmative (sort of). The private part of the endorsement key is stored on the chip, the manufacturer may record the public part. The paper states that IBM does not currently and has never recorded endorsement keys. (Note that technically the answer to your question is "no": there would be a private key that the user does not know, but no third party would know it either. You misunderstand public key cryptography. However, your general point is well-taken, because the endorsement key could be used to implement DRM, subject to the obvious caveat the author brings up, that it would be vulnerable to local hardware attacks.)

    • Is there a private key that third parties know that it is impossible for the owner of the computer to know?

      My interpretation of the paper is that there are no keys at all in the TPM as shipped from the factory. Of course, this could change at any time.
  • by pair-a-noyd (594371) on Tuesday May 20, 2003 @02:03PM (#5999878)
    I will NOT use any system that involves FORCED TCPA, DRM, Fritz or any implementation of M$ code, embeded OS, hidden serial numbers, or any other Big Brother features.

    You people can use all that stuff you like, I will not.
    And when they finally force people to use it, in that you can not connect to other systems that DO use it unless you too use it, then that's when I become a total luddite and will just go live in the woods and live off the land...

    This whole thing stinks and no one can convince me otherwise...
  • When I have my own chip fab.

  • I downloaded this driver when it first came out (even though I don't have the hardware) and it looks like it only has low-level hardware communication code in it. To make it at all useful, you'll need a library that marshals and unmarshals commands to the chip, and I haven't seen such a library anywhere.
    • Excuse my ignorance, but would it not be possible to write a low-level program to intercept calls to a chip like this and reply to such calls with whatever answers you would like? I'm not a programmer nor software engineer but it seems to me that software calls to a hardware address could be redirected to a routine preloaded into RAM automatically and since the hardware address would be "hard-coded" it would be trivial to spoof the replying address if that were needed. If such is the case, all we would ne
  • In the "No Need for TCPA" paper, the author argues that TCPA isn't practical for DRM because:

    How could content providers recognize which reported PCR values were good, given the myriad platforms, operating system versions, and frequent software patches?

    This misses the point that the content providers don't need to check all those platforms/OSs/patches. They just need to check that all these components contain a signature from an "approved" authority. Without all required signatures, the user doesn't see

The study of non-linear physics is like the study of non-elephant biology.

Working...