Slashdot Mirror

← Back to Stories (view on slashdot.org)

IBM Trials TCPA Chip Under Linux

Posted by michael on from the trial-by-fire dept.

keihin writes "From IBM: IBM's Global Security Analysis Lab (GSAL) has done extensive analysis of the Trusted Computing Platform Alliance (TCPA) chip available on some IBM systems. We have the chip running under Linux, and have studied it extensively. In order to clarify a lot of misunderstanding about the chip, we are making available some helpful white papers and open source device drivers for Linux, so that interested people can test and use the chip in an open environment."

6 of 392 comments (clear)

  1. Why I didn't know IBM was involved by Amsterdam+Vallon · · Score: 4, Informative

    Apparently, the TCPA folks keep the list of companies involved private which is why I had never really heard of anyone aside from IBM involved in this alliance.

    However, there's a full list here.

    Check out *nix.org , a dynamic, informative, and fun portal for fans of BSD, Linux, OS X, & Solaris!

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
  2. This is NOT about digital rights management by metamathica · · Score: 5, Informative

    Before people get too confused and start to complain (quite reasonably) about the RIAA, MPAA, etc: this chip is not designed to facilitate DRM. In their "why TCPA" article, they explain why it's not even particularly well suited for such systems.

    Rather, it's primarily about protecting a user's private keys and facilitating (through hardware acceleration) a serious increase in the use of encryption to promote security and privacy.

    1. Re:This is NOT about digital rights management by curious.corn · · Score: 5, Informative

      A HW accelerated encryption engine would give us snappy remote xsessions out of the box with ssh->ssl->kernel hw calls. I'd love this, imagine running fwbuilder on your remote fw from home. It's a must for teleworking.

      --
      Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
  3. Quick notes for spastic no-read replies: by moogla · · Score: 5, Informative

    1) IBM doesn't care about DRM. In fact, this chip is completely unsuitable for DRM (and the white paper author was kind enough to explain why... protects you from SOFTWARE attacks, not hardware.)

    2) The specs are open. There is a gratis GPLd demonstration driver/API for linux.

    3) (My impression) is that it helps solve certain security chicken and egg problemswhen you want to do things like mount an encrypted hard disk, but not want to store the decryption key in memory.

    4) Primary advertised use: for signing and verifying your OWN code, i.e. to protect yourself from root kits.

    --
    Black holes are where the Matrix raised SIGFPE
  4. Re:Great news by sfe_software · · Score: 4, Informative

    Good to see??? umm... I hope your joking, cause otherwise, you have NO FUCKING CLUE WHAT YOU'RE TALKING ABOUT!!!

    I'm honestly not sure what you mean here, but from your .sig link to notcpa.org, I guess you're not a supporter of the TCPA.

    So tell me -- did you read the whitepapers mentioned in the article? Or are you simply going by the FUD presented at notcpa.org?

    Seriously, whether you are for or against the TCPA, read the white-papers IBM put together. Note that it has nothing to do with DRM or Palladium, and the author of one of the papers says "DRM is stupid, but that's another paper".

    Or go read the specifications yourself.

    In short:

    1) The TCPA is NOT Palladium
    2) It does NOT protect against physical tampering (thus not being well suited for DRM usage)
    3) It doesn't use any cert authority or "code signing" or anything like that. This again is not Palladium, and this is not the XBox.

    It really is about helping to protect you against crackers or viruses/worms from obtaining your private keys (be it SSH, SSL, PGP, or whatever future application comes up).

    And IMO it is good to see IBM on-board. They've already written GPL drivers for Linux, and are showing massive support from the very beginning -- something you rarely see with *any* new specification or proposed standards. Any Linux user should be glad IBM is on-board as well.

    --
    NGWave - Fast Sound Editor for Windows
  5. Re:You dont make sense by jbolden · · Score: 4, Informative

    In fact, I'm hard pressed to come up with a way that this chip could be used to do DRM under Linux. Can you?

    Yes you would do it exactly the same way you do it under windows.

    Sony has a nub (say a version of the Linux kernel) which they trust. You can download these kernels from Sony and full compliance with the GPL Sony release full source. Any change to the kernel changes the signature of the nub and thus makes it untrusted by Sony. So in other words Sony can now sign off on your OS kernel.

    Because of the TCPA public key they can also lock stuff to your machine. And they can combine these, that is they can give you content which can only be used on your machine running and only when running particular kernel.

    But they can go even further than this. The kernel supports trust and they can release a media player which will ask the kernel if the application is running inside a virtual environment or directly against the trusted kernel. Since the kernel supports trust it tells the truth, since the you can't change the kernel without changing the signature on the nub you can't make a kernel that lies.

    That's DRM.
    And everything I've mentioned can be 100% open source GPL and it will work exactly the same.