AMI Introduces 'Trusted Computing' BIOS

An anonymous reader writes "American Megatrends announced its 'trusted computing' Palladium BIOS on Jan 6. It seems that the encrypted BIOS' integrity will be verified by a special chip or flash ROM, and will in turn verify the 'authenticity, integrity and privacy' of the boot loader and the operating system. Does that mean such machines may refuse to boot any other non-'trusted' OS? After all, the list of supporting corporations include AMD, Intel, IBM, and HP, of whom we heard quite favourable statements about Linux (just for example -- *BSDs will be equally affected) so far."

No it doesn't.

[Kickasso]

If it's true to spec, it will load anything. Just not in the trusted mode.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It will enable you to get DRMed content.

[Kickasso]

That's it. A remote site can know whether or not you're running a trusted (IOW "unhackable") OS/apps. If you do, they'll send you decryption keys for playback and be reasonably sure you won't intercept them, store them permanently etc.

Trusted Computing

[evenprime]

Everyone on /. seems to be thinking about the potential for this to be used in DRM or religious wars about OS. Those are valid concerns. It is worth pointing out, though, that this BIOS has the potential to be used for less nefarious purposes; i.e. trusted hardware systems can be part of trusted platforms, which most security practitioners believe to be more secure. The idea of trusted hardware has been around at least as long as the Orange Book has existed. Specifically, it said:

No computer system can be considered truly secure if the basic hardware and software mechanisms that enforce the security policy are themselves subject to unauthorized modification or subversion.

Now, whether or not trusted systems actually are more secure is a different issue.

Re:What isnt stated

[harlows_monkeys]

What benefits? Best I can tell, trusted computing provides me, a consumer, no benefits over what exist today

How about better online games? Consider MMORPGs. To prevent cheating, they have to do various things server-side that would actually make more sense from a resource allocation point of view to do on the client.

For example, DAoC has to handle stealth on the server, calculating who should be able to see a stealthed character, and only sending that character's positions to clients that should see him, so that people with DAoC's equivalent of ShowEQ won't see them. However, those people can still see people who are hiding behind trees or hills or buildings--it would be too much work for the server to do the visibility calculations for everyone.

With a trusted client, they could just send the data on everyone in the area, and trust the client to not show what the player is not supposed to see.

Or how about monster AI? The monsters could be a lot smarter if they could run the AI on the client, instead of on the server.

Read the TCPA / Palladium FAQ

[vinsci]

Ross Andersson at the University of Cambridge has written an excellent introduction to TCPA / Palladium, which explains both sides of the story.

Read it here: http://www.cl.cam.ac.uk/%7Erja14/tcpa-faq.html

The two last sections are worth repeating here:

24. So why is this called `Trusted Computing'? I don't see why I should trust it at all!

It's almost an in-joke. In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'. This might seem counter-intuitive at first, but just stop to think about it. The mail guard or firewall that stands between a Secret and a Top Secret system can - if it fails - break the security policy that mail should only ever flow from Secret to Top Secret, but never in the other direction. It is therefore trusted to enforce the information flow policy.

Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

Remember during the late 1990s, as people debated government control over cryptography, Al Gore proposed a `Trusted Third Party' - a service that would keep a copy of your decryption key safe, just in case you (or the FBI, or the NSA) ever needed it. The name was derided as the sort of marketing exercise that saw the Russian colony of East Germany called a `Democratic Republic'. But it really does chime with DoD thinking. A Trusted Third Party is a third party that can break your security policy.

25. So a `Trusted Computer' is one that can break my security?

Now you've got it.

I wrote AMI and this is their response

[LittleLebowskiUrbanA]

Thank you for taking time to contact us here at AMI. We are sorry to hear
of your decision to not seek out an AMI solution for your next purchase.
While we respect your right to make that decision we would like to take a
minute to underline some relevant points about our announcement that were
not adequately conveyed in the "article" posted on Slashdot. We urge you to
please give us a minute of your time to fully understand what AMI is
offering and thus be able to make a fully informed decision.

It must be noted that AMI has not announced support for Palladium. Palladium
is an initiative by an OS entity that is slated for the future. To be
honest, though we do know about it, AMI has not begun any development
related to it. At this point we have not made any decisions on support
either.

TCPA does not equal Palladium. While certainly there is some future
development overlap between the two, TCPA is being introduced by OEM's as a
security option to protect systems through hardware and firmware. This
feature is completely optional to our customers (OEM's, ODM's, CM's and
other system builders) that they may choose to make it available or not
depending on the needs of their market. We have had requests from a number
of customers for this technology.

Regarding the limitations of a system with TCPA I would offer the link below
to the public specification for further information on compatibility with
different OS's, and hardware. Based on that spec we can tell you that it
does not limit the ability to run Linux (or any other open source solution).

As a smaller company itself, AMI has always supported innovation and
creativity as these have been our main tools in competing against much
larger companies in our industry. We would not do anything that in our
minds would damage our credibility or reputation for world class BIOS
solutions and will carefully evaluate this type of feedback when it does
come time to examine any future technologies. We would also like to
recommend that anyone who is opposed to a Palladium-type solution in the
future, please make that known to OEM's and system builders. As they are
our customers, we definitely listen to them in terms of what they (and
hopefully their customers) will want in future BIOS.

Thank you again for your time in contacting us and we hope that this and
some of the links below will shed some light on AMI's plans.

LINKS

Original Articles on theinquirer.net

http://www.theinquirer.net/?article=7089
http:/ /www.theinquirer.net/?article=7103

AMI TCPA module Whitepaper
http://www.ami.com/support/doc/TCPA_wh itepaper.pdf

TCPA Website

Basically wrote them and told them I wouldn't be buying from them from now on. I would reckon this looks like the company is receiving a bit of angry emails from people who build their own computers and/or are involved in the computer industry.
Maybe they're worried about what WE think!? Nahhh...