AMI Introduces 'Trusted Computing' BIOS

An anonymous reader writes "American Megatrends announced its 'trusted computing' Palladium BIOS on Jan 6. It seems that the encrypted BIOS' integrity will be verified by a special chip or flash ROM, and will in turn verify the 'authenticity, integrity and privacy' of the boot loader and the operating system. Does that mean such machines may refuse to boot any other non-'trusted' OS? After all, the list of supporting corporations include AMD, Intel, IBM, and HP, of whom we heard quite favourable statements about Linux (just for example -- *BSDs will be equally affected) so far."

The Inquirer has more info

[dudeX]

If you read the Inquirer www.theinquirer.net , they cover this announcement.

A representative from AMI explains some of the ideas behind the Trusted Computing initiave.

What isnt stated

[briancnorton]

If you have a palladium processor and palladium motherboard, hard drive whatever, you arent going to be limited to a palladium enabled OS, you just wont be able to use the benefits of a palladium trusted environment. So said microsoft anyhow.

Re:What isnt stated

[harlows_monkeys]

What benefits? Best I can tell, trusted computing provides me, a consumer, no benefits over what exist today

How about better online games? Consider MMORPGs. To prevent cheating, they have to do various things server-side that would actually make more sense from a resource allocation point of view to do on the client.

For example, DAoC has to handle stealth on the server, calculating who should be able to see a stealthed character, and only sending that character's positions to clients that should see him, so that people with DAoC's equivalent of ShowEQ won't see them. However, those people can still see people who are hiding behind trees or hills or buildings--it would be too much work for the server to do the visibility calculations for everyone.

With a trusted client, they could just send the data on everyone in the area, and trust the client to not show what the player is not supposed to see.

Or how about monster AI? The monsters could be a lot smarter if they could run the AI on the client, instead of on the server.

No it doesn't.

[Kickasso]

If it's true to spec, it will load anything. Just not in the trusted mode.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It will enable you to get DRMed content.

[Kickasso]

That's it. A remote site can know whether or not you're running a trusted (IOW "unhackable") OS/apps. If you do, they'll send you decryption keys for playback and be reasonably sure you won't intercept them, store them permanently etc.

Re:Can it boot "Non-Trusted OS's"?

[Nicolai+Haehnle]

You mean like http://www.linuxbios.org/? ;)

Re:Not necessarily for the masses

[dpbsmith]

Plus, it's always possible that "the first of these" will come out running any OS; then the upgrade that is necessary to correct serious bugs will turn out to have the unadvertised side effect of locking out other OS'es; and only then will people notice that it said that might happen in fine-print legalese twenty pages down in the EULA.

There's a lot of precedent for this. (Ask anyone who took advantage of the upgrade deal on their REB1100 eBook device, for example). Its predecessor, the Rocket eBook let you download your own content into the device. The REB1100 was only advertised as allowing the download of purchased content, but actually permitted download of personal content too. Then a "stealth" upgrade removed that feature.

Trusted Computing

[evenprime]

Everyone on /. seems to be thinking about the potential for this to be used in DRM or religious wars about OS. Those are valid concerns. It is worth pointing out, though, that this BIOS has the potential to be used for less nefarious purposes; i.e. trusted hardware systems can be part of trusted platforms, which most security practitioners believe to be more secure. The idea of trusted hardware has been around at least as long as the Orange Book has existed. Specifically, it said:

No computer system can be considered truly secure if the basic hardware and software mechanisms that enforce the security policy are themselves subject to unauthorized modification or subversion.

Now, whether or not trusted systems actually are more secure is a different issue.

Re:Trusted Computing

[JoeBuck]

Right, but the military (the authors of the Orange Book) are operating from similar assumptions as Hollywood: the operator of the machine is considered an untrustworthy person whose behavior must be carefully controlled. In this context, he or she must be prevented from bypassing operating system checks. Military multi-level security is also a form of DRM, and seeks to restrict even the most "trusted" users. And this may be entirely appropriate in many circumstances.

The question is whether the purchaser of a machine is entitled to the equivalent of root or administrator privilege on the machine he or she owns, or whether the true administrator of the machine will live in Redmond or Washingon DC or Hollywood.

Re:Trusted to do what?

[TheSHAD0W]

Palladium and open-source are pretty close to mutually exclusive. One COULD make a trusted *ix distribution, but either (1) the Palladium key would be held only by the distributor, and anyone writing patches would have to run the OS in untrusted mode, or (2) the Palladium key would be publically available -- and therefore no one would write trusted apps for it, for what would be the point? I do not know whether one could generate a working key from out of the blue, either.

It doesn't...

[Kjella]

It just sends a wake-up call to the TPM chip. "Hey can you take a look at me and tell me I'm clean?" The TPM chip is still the top-level.

Re:before eveyone gets all worked up

but who authorizes the signature ? and it will need to be resigned everytime you recompile. A verisign certificate is not a cheap thing, I am sure that the OS certificate will be a BIG EXPENSE as well.

Read the TCPA / Palladium FAQ

[vinsci]

Ross Andersson at the University of Cambridge has written an excellent introduction to TCPA / Palladium, which explains both sides of the story.

Read it here: http://www.cl.cam.ac.uk/%7Erja14/tcpa-faq.html

The two last sections are worth repeating here:

24. So why is this called `Trusted Computing'? I don't see why I should trust it at all!

It's almost an in-joke. In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'. This might seem counter-intuitive at first, but just stop to think about it. The mail guard or firewall that stands between a Secret and a Top Secret system can - if it fails - break the security policy that mail should only ever flow from Secret to Top Secret, but never in the other direction. It is therefore trusted to enforce the information flow policy.

Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

Remember during the late 1990s, as people debated government control over cryptography, Al Gore proposed a `Trusted Third Party' - a service that would keep a copy of your decryption key safe, just in case you (or the FBI, or the NSA) ever needed it. The name was derided as the sort of marketing exercise that saw the Russian colony of East Germany called a `Democratic Republic'. But it really does chime with DoD thinking. A Trusted Third Party is a third party that can break your security policy.

25. So a `Trusted Computer' is one that can break my security?

Now you've got it.

Re:Read the TCPA / Palladium FAQ

[vinsci]

So who is Ross Anderson? He is at Cambridge University, UK. From his homepage:

I lead the security group at the laboratory, where I hold a faculty post as Reader in Security Engineering.

I don't think Andersson is, as you suggest, biased against TCPA / Palladium and certainly not "heavily biased" (see Bill Arbaugh's comment below). His analysis does however point out very serious consequences of the TCPA / Palladium infrastructure. The consequences are what they are, Anderson just made a very good job in formulating them.

He is far from alone in his view on TCPA / Palladium. In fact, Bill Arbaugh, one of the inventors of TCPA (US patent 6,185,678 here), has second thoughts. His comment on Anderson begins:

We are all aware of the criticisms that the TCPA has received. Ross Anderson did a good job of explaining the problems in an abstract fashion, but I felt that there were some things left out (Privacy concerns).

By the way, trustedcomputing.org does not allow the general public to view the member list anymore. You can however see one list of 170+ member companies in Lucky Green's presentation below (links from http://www.cypherpunks.to/:

The slides from Lucky Green's DEFCON X talk, Trusted Computing Platform Alliance: The mother(board) of all Big Brothers, are now available in the following formats:

• PowerPoint (309k)
• PDF (511k)

Other resources with much information are:

• http://www.notcpa.org/
• http://cryptome.org/

Re:Read the TCPA / Palladium FAQ

[vinsci]

Oops, the links to Lucky Green's presentation were obviously wrong; here are the correct links:

The slides from Lucky Green's DEFCON X talk, Trusted Computing Platform Alliance: The mother(board) of all Big Brothers, are now available in the following formats:

• PowerPoint (309k)
• PDF (511k)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Congratulations, AMI

[DickBreath]

I trust my BIOS. It's called OpenFirmware, and it's been in every mac since the original iMac.

Open Firmware predates the iMac. OF was not an iMac innovation.

Open Firmware has been in Macs since about 1995. The first Mac PowerPC's model 6100, 7100, 8100 used NuBus ran Mac OS 7.1 and did not have Open Firmware. The next round of Macs did away with NuBus in favor of PCI and had Open Firmware -- in 1995. All subsequent Macs (many many models) have had Open Firmware, including the iMac.

TCPA != Palladium

[Chris+Colohan]

PLEASE go and read about both TCPA and Palladium before flaming them. They are NOT the same thing. Really.

Both TCPA and Palladium are ways of achieving "trusted computing", which is the ability for a program to run in an environment where the program knows (and can certify to people other than the computer's owner) that no other unwanted software is monitoring or modifying its actions. But how they are implemented is quite different.

TCPA uses a secure boot process. The BIOS verifies that the boot block is trusted; the boot block verifies that the os kernel is trusted; the kernel then verifies the trust level of specific applications; etc. This is what this BIOS implements. The main feature of TCPA (in my mind) is HARDWARE SIMPLICITY -- all that is needed is a small extension to the BIOS which modifies the boot process.

Palladium is from Microsoft, and it shows. Palladium is designed to start up in already running copy of pretty-much-unmodified Windows. Loading the Palladium subsystem (now known as a nexus) is supposed to be fairly easy, sort of like loading a device driver. But to get this ability they PAY with hardware complexity -- the CPU itself has to be changed so that the address space of the nexus can be partitioned, so it is not visible to or under the control of the main Windows kernel. This is one of many reasons why you don't see any Palladium enhanced systems in the real world yet -- Intel (or AMD) has not yet started selling a chip which supports what Microsoft needs to make Palladium work. A main design goal in Palladium seems to be "don't mess with Windows, we don't want to break legacy code".

I wrote AMI and this is their response

[LittleLebowskiUrbanA]

Thank you for taking time to contact us here at AMI. We are sorry to hear
of your decision to not seek out an AMI solution for your next purchase.
While we respect your right to make that decision we would like to take a
minute to underline some relevant points about our announcement that were
not adequately conveyed in the "article" posted on Slashdot. We urge you to
please give us a minute of your time to fully understand what AMI is
offering and thus be able to make a fully informed decision.

It must be noted that AMI has not announced support for Palladium. Palladium
is an initiative by an OS entity that is slated for the future. To be
honest, though we do know about it, AMI has not begun any development
related to it. At this point we have not made any decisions on support
either.

TCPA does not equal Palladium. While certainly there is some future
development overlap between the two, TCPA is being introduced by OEM's as a
security option to protect systems through hardware and firmware. This
feature is completely optional to our customers (OEM's, ODM's, CM's and
other system builders) that they may choose to make it available or not
depending on the needs of their market. We have had requests from a number
of customers for this technology.

Regarding the limitations of a system with TCPA I would offer the link below
to the public specification for further information on compatibility with
different OS's, and hardware. Based on that spec we can tell you that it
does not limit the ability to run Linux (or any other open source solution).

As a smaller company itself, AMI has always supported innovation and
creativity as these have been our main tools in competing against much
larger companies in our industry. We would not do anything that in our
minds would damage our credibility or reputation for world class BIOS
solutions and will carefully evaluate this type of feedback when it does
come time to examine any future technologies. We would also like to
recommend that anyone who is opposed to a Palladium-type solution in the
future, please make that known to OEM's and system builders. As they are
our customers, we definitely listen to them in terms of what they (and
hopefully their customers) will want in future BIOS.

Thank you again for your time in contacting us and we hope that this and
some of the links below will shed some light on AMI's plans.

LINKS

Original Articles on theinquirer.net

http://www.theinquirer.net/?article=7089
http:/ /www.theinquirer.net/?article=7103

AMI TCPA module Whitepaper
http://www.ami.com/support/doc/TCPA_wh itepaper.pdf

TCPA Website

Basically wrote them and told them I wouldn't be buying from them from now on. I would reckon this looks like the company is receiving a bit of angry emails from people who build their own computers and/or are involved in the computer industry.
Maybe they're worried about what WE think!? Nahhh...

Re:Not this time around...

[visualight]

And where did you find this out? Point me somewhere that says this? Read the documentation, dont jump to conclusions.

Okay, you should of followed your own advice. This is from an interview with John Manferdelli, general manager of the Windows business unit that is building Palladium.

PressPass: How will Palladium differ from digital rights management (DRM)?

Manferdelli: First off, Palladium will not require DRM, and DRM will not require Palladium. Palladium is a great complementary technology to the DRM solutions of tomorrow, but the two are separate technologies.

Also, after reading all of the official MS "documentation" you should read this reaction from the Register.

Not so fast

[vinsci]

At least two companies have started working on a TCPA-compliant version of GNU/Linux.

So, is there a problem? Yes, there is. You can't modify the kernel. If you try, it will not be trusted by the TCPA chip and so no application running on that kernel can gain access to any feature, media or application that requires TCPA. Certifying a Linux kernel (or any other OS) as TCPA-compliant is expensive and you would need to do it for every modification of the kernel. What value is the GPL if you can't use the source to create your own kernel?

Ross Anderson's TCPA / Palladium FAQ has a more detailed discussion (excerpt from section 18):

[TCPA hardware is referred to as the "Fritz chip" in the FAQ]

TCPA will undermine the General Public License (GPL), under which many free and open source software products are distributed. The GPL is designed to prevent the fruits of communal voluntary labour being hijacked by private companies for profit. Anyone can use and modify software distributed under this licence, but if you distribute a modified copy, you must make it available to the world, together with the source code so that other people can make subsequent modifications of their own.

At least two companies have started work on a TCPA-enhanced version of GNU/linux. This will involve tidying up the code and removing a number of features. To get a certificate from the TCPA corsortium, the sponsor will then have to submit the pruned code to an evaluation lab, together with a mass of documentation showing why various known attacks on the code don't work. (The evaluation is at level E3 - expensive enough to keep out the free software community, yet lax enough for most commercial software vendors to have a chance to get their lousy code through.) Although the modified program will be covered by the GPL, and the source code will be free to everyone, it will not make full use of the TCPA features unless you have a certificate for it that is specific to the Fritz chip on your own machine. That is what will cost you money (if not at first, then eventually).

You will still be free to make modifications to the modified code, but you won't be able to get a certificate that gets you into the TCPA system. Something similar happens with the linux supplied by Sony for the Playstation 2; the console's copy protection mechanisms prevent you from running an altered binary, and from using a number of the hardware features. Even if a philanthropist does a not-for-profit secure GNU/linux, the resulting product would not really be a GPL version of a TCPA operating system, but a proprietary operating system that the philanthropist could give away free. (There is still the question of who would pay for the user certificates.)

People believed that the GPL made it impossible for a company to come along and steal code that was the result of community effort. This helped make people willing to give up their spare time to write free software for the communal benefit. But TCPA changes that. Once the majority of PCs on the market are TCPA-enabled, the GPL won't work as intended. The benefit for Microsoft is not that this will destroy free software directly. The point is this: once people realise that even GPL'led software can be hijacked for commercial purposes, idealistic young programmers will be much less motivated to write free software.

Re:Not this time around...

[vrmlguy]

The stated purpose is to prevent malicious code executing in one part of a system from affecting malicious changes in another part.

You seem to be misunderstanding the meaning of the term "trusted system".

Maybe Gigabyte's Dual BIOS could fit here

[joeflies]

Gigabyte offers mobos that support two bios copies. It's there to provide BIOS failover (not that I've ever, ever had a problem with BIOS failing), but perhaps it could be adapted to allow dual-boot bios between Palladium and non-Palladium OSs. Tom's hardware explains Gigabyte Dual Bios