IBM On Trusted Computing, Linux

← Back to Stories (view on slashdot.org)

IBM On Trusted Computing, Linux

Posted by timothy on Monday May 19, 2003 @10:35AM from the trust-us-it's-linux dept.

An anonymous reader writes "A number of IBM's computers have been available with an "embedded security subsystem (ESS)" for some time now. This site lists three research papers regarding the new TCPA (Trusted Computing Platform Initiative) security chip developed by IBM, including the full GPL-ed source code to a Linux driver for this chip. In particular, the 'Why TCPA?' paper claims that IBM's TCPA chip is in fact of extremely limited use for DRM, as it contains no tamper resistance; the chip is designed to fend off software attacks, not physical attacks. An interesting take from a company with very solid products."

36 comments

Min score:

Reason:

Sort:

DRM == no sale. by Anonymous Coward · 2003-05-19 10:53 · Score: 1, Interesting

It's that simple.
~~~
1. Re:DRM == no sale. by ciaran_o_riordan · 2003-05-19 11:00 · Score: 4, Insightful
  
  Unfortunately, It's not that simple.
  
  There are two possibilities:
  
  M$ software will only run on Trusted Computers.
  RIAA music will only play on Trusted Computers.
  MPAA(?) movies will only play on Trusted Computers.
  M$ & Friends will pressure other software companies to require Trusted Computers, under the name of Security or Reliability or Legal-clarity.
  
  Option two is that non-Trusted computers could be made illegal, there is a draft of a proposal to make this law in USA. Will it happen? The RIAA, M$, and MPAA will claim it's necessary to prevent the growing "piracy" trend.
  
  If you do have the option of buying a general computer, you may find it's not much use. And if you put up with that, don't expect Joe Public to stand with you in solidarity, he'll be too busy bopping away to his new "enhanced" Hooty and the Blowfish CD.
  
  Ciaran O'Riordan
  
  --
  Expert in software patents or patent law? Contribute to the ESP wiki!
2. Re:DRM == no sale. by Anonymous Coward · 2003-05-19 11:05 · Score: 2, Funny
  
  RIAA music will only play on Trusted Computers.
  MPAA(?) movies will only play on Trusted Computers.
  You forgot "the first time" at the end of each of those sentences :).
3. Re:DRM == no sale. by brianjcain · 2003-05-19 11:07 · Score: 5, Interesting
  
  Apparently not...(Did you RTFA?) I had always been against TCPA, but here's an excerpt:
  What TCPA is Not Some of the papers critical of TCPA claim that TCPA is primarily intended to support Digital Rights Management (DRM), such as the copy protection of music or video data, on behalf of the content owners. They argue that TCPA would take away user rights on their own machines, preventing backup, time and space shifting of legally purchased content. Debating the merits of DRM is a complex, controversial topic, and won't be covered here. ... (Personally, I do not believe it is possible do provide effective copy protection at all, but that's another paper).
  
  The TCPA chip is not particularly suited to DRM. ...
  If you ask me, I would think Linux, et al could leverage whatever benefit provided by well-documented TCPA chips (if any), and ignore the others. You probably already didn't like Microsoft's software anyways, so why waste time worrying how they'll utilize TCPA?
  
  (Now gov't mandating of TCPA hw/sw is some seriously dangerous shit. Let's keep way away from there).
4. Re:DRM == no sale. by Loosewire · 2003-05-19 11:10 · Score: 2, Insightful
  
  i HATE what you just said...
  beacuse i know its true
  how many people do we all know who rushed to get windows media player 9. True example 1 "But tim - it gives them the right to delete all your Mp3's"
  "Yeah but they wouldnt do that would they - and anyway it has new flashy effects".
  True example 2 "But sam it is full of DRM and adds DRM to all your ripped tracks" -
  "Yeah but you can switch it off - look there's an option"
  "And if you beleive that then bill gates is my drinking buddy"
  
  --
  Slashdot - The one stop shop for procrastination
5. Re:DRM == no sale. by curious.corn · 2003-05-19 12:20 · Score: 1
  
  Oh well, Palladium is just nukes in one superpower's hand. Spreading the 'nukes' across different platforms will enforce a balance of power stalling unilateral strikes. I can only see trouble in the divide between different abilities provided by CA signed keys: cheap or free consumer keys Vs. developer keys (like domain wide SSL keys versus single host keys). This technology will become part of the platforms, we'd better start concentrating on the social model implememted in this technology rather that complain about it's conception.
  
  --
  Mi domando chi Ã il mandante di tutte le cazzate che faccio - Altan
6. Re:DRM == no sale. by doodleboy · 2003-05-23 06:46 · Score: 1
  
  There are two possibilities:
  
  M$ software will only run on Trusted Computers.
  RIAA music will only play on Trusted Computers.
  MPAA(?) movies will only play on Trusted Computers.
  M$ & Friends will pressure other software companies to require Trusted Computers, under the name of Security or Reliability or Legal-clarity.
  Security for whom? Security for MS, which will have yet another way to lock competitors out of the marketplace. Security for Disney et al., who will have a level of control over digital media undreamed of even a few years ago. And security for the various three letter agencies, which presumably will have full access to all of these Trusted Computers.
  Option two is that non-Trusted computers could be made illegal, there is a draft of a proposal to make this law in USA. Will it happen? The RIAA, M$, and MPAA will claim it's necessary to prevent the growing "piracy" trend.
  Count on it.
trusted computing.. by Tumbleweed · 2003-05-19 11:08 · Score: 2, Funny

"Trust the computer. The computer is your friend."
- bumpersticker seen on car in Microsoft parking lot :)
1. Re:trusted computing.. by Miguel+de+Icaza · 2003-05-19 15:03 · Score: 0
  
  holy shit! i think you might of seen my car (its a bright red volvo) and i've been attending lots of strategy meetings at Redmond recently
  
  BTW my other bumper sticker says "hey hey I'm a monkey"
  
  love, peace, hope, dock
  miguel
  
  --
  Before adopting WHATWG, read the moonlight.NET EULA [http://www.microsoft.com/interop/msnovellcollab/moonlight.mspx]
2. Re:trusted computing.. by Tumbleweed · 2003-05-19 15:34 · Score: 1
  
  Hey Miguel,
  
  Nope, this was a few years ago, certainly not lately.
  
  Hey, how come you have such a high Slashdot ID? I woulda figured you'd have an older account...
3. Re:trusted computing.. by Miguel+de+Icaza · 2003-05-19 15:50 · Score: 0
  
  the high ID would be on account of me being a troll :^)
  
  --
  Before adopting WHATWG, read the moonlight.NET EULA [http://www.microsoft.com/interop/msnovellcollab/moonlight.mspx]
4. Re:trusted computing.. by Anonymous Coward · 2003-05-19 16:24 · Score: 0
  
  the following are called *clues* :
  
  "holy shit!"
  "bright red volvo"
  "strategy meetings at Redmond"
  "hey hey I'm a monkey"
  "love, peace, hope, dock"
  "all your desktops are belong to me now"
  
  please get one
5. Re:trusted computing.. by Anonymous Coward · 2003-05-21 04:36 · Score: 0
  
  Actually, that line is taken from the 1984-esque RPG "Paranoia".
Absolutely Terrific Articles by stanwirth · 2003-05-19 11:09 · Score: 3, Interesting

These are absolutely terrific articles. Their distribution of an open source TCPA linux module satisfies a lot of concerns and questions many of us had about TCPA in a concrete and specific manner.

One concern still exists: that DRM and Palladium will be used to create a "mainstream" set of M$ applications which give people the illusion of security, while concentrating most of the information and control in the hands of the few.
The most important step people in the open source community can take next are to get a system with a TCPA chip and start developing drivers, firewall systems, proxies and applications that make good solid use of the technology: tsshd, tsquid, tsftp, thttpsd, tbsd, toggd, tnamed, texim, tkonq...
1. Re:Absolutely Terrific Articles by Gerry+Gleason · 2003-05-19 11:39 · Score: 3, Interesting
  
  The most interesting part is that TCPA isn't designed for DRM, but isn't that what Palladium is based on? Of course, the DMCA makes it illegal to snoop your own machine ... So it will be easy enough to break any DRM keys and encryption, but it will be against the law. Hmmm, I wonder what people will do, I'll just keep using Linux.
  And yes, it will be important to use the TCPA hardware as intended to help with client security. Open/Free Source implementations of secure tools and protocols might even support profitable services based on quality reference implementations.
2. Re:Absolutely Terrific Articles by OeLeWaPpErKe · 2003-05-20 00:58 · Score: 3, Insightful
  
  Which concerns would that be ?
  
  -> not being able to see what an application is doing
  -> not being able to access an application's datafiles
  -> not being able to see what information is sent out over the internet
  
  It doesn't eliminate any of these of course.
3. Re:Absolutely Terrific Articles by stanwirth · 2003-05-20 07:16 · Score: 1
  
  Yup. That's why you're going to RTFS of the TCPA module provided, and then write your own applications.
In other words... by Eneff · 2003-05-19 11:29 · Score: 3, Informative

Ignore any threat of the local attack, the remote attack is the important one.

Watch out with that line of thinking... The ideal system has reasonable internal security as well. If a disgruntled employee can get access to these public/private key pairs, you're worse off than before, because you still maintain the illusion of security.
Seems reasonable... by curious.corn · 2003-05-19 12:05 · Score: 3, Insightful

... let's just, for a moment, cast aside paranoid suspicion (and I'm a paranoid & suspicious chap!). IFF these papers are correct TCPA is an encrypted storage location with some extra logic. In this location the user can store ~/.ssh/*.key and make shure the application interacting with the logic isn't sniffing the un-encrypted stream to some remote location. This NEEDS to be embedded in the BIOS to prevent kernel backdooring and simply embeds chain of trust throughout the hardware. I'd like to see this chip bussed to a smartcard to authenticate private root keys to a hashed ssh-agent binary (whether roaming on different PCs or on my own WS...)
I'm also shure that MediaPlayer 10 will be DRMd to the marrow but take note that in the past ridiculously encumbered online music services went titsup in no time while more reasonable services (Apple) seem to strke a balance.
In the past ID tracking such as the PentiumIII ID were dealt with properly so I don't think abuses would be tolerated. People always enjoys the empowering thought of having the option to take a free ride and imposing a "police" computer would vastly outrage the consumer base.
So long as the control on the hadware keys is left to the users I agree with this particular spin from IBM; it's just a secure smartcard system.
It still CAN be extended to require encryption and trust all the way to the DVI interface but that I think would require a heck of a business infrastructure to implement, maintain and persuasion effort.
And given IBM's perspective there's no interest in the user base to proceed in further HW lockdown... all WE would do is to sign on OUR terms a kernel build and that's it; once that's in place, the chip will process OUR keys in OUR best interest... and if some pigopolist wants force something down our throat their business model will fail (as it has repeatedly done).
I'd go for it, just for the sake of my ssh/gpg keyring, and in the future credit card numbers... do you trust an ecommerce site asking to handle it for you?)

--
Mi domando chi Ã il mandante di tutte le cazzate che faccio - Altan
1. Re:Seems reasonable... by xchino · 2003-05-20 05:31 · Score: 1
  
  do YOU really need to CAPITALIZE every other WORD?
  
  --
  Everyone is entitled to their own opinion. It's just that yours is stupid.
2. Re:Seems reasonable... by curious.corn · 2003-05-20 06:54 · Score: 1
  
  capitalization isn't bad per se. It becomes so when it's all caps. I did use capitalization for acronyms and emphasis. Do you wish me to write "I" in lower case? I did use some terms in CAPS to stress the polemic tone of the phrase they belong to; whining for capitaliation sounds very 'leet and '90s usenet guru, newbs are usually impressed, I am not.
  
  --
  Mi domando chi Ã il mandante di tutte le cazzate che faccio - Altan
3. Re:Seems reasonable... by xchino · 2003-05-20 07:17 · Score: 1
  
  If you need to emphasize something HTMLis much more useful. Do you SHOUT in mid-sentence when you are normally speaking?
  
  --
  Everyone is entitled to their own opinion. It's just that yours is stupid.
4. Re:Seems reasonable... by curious.corn · 2003-05-20 12:37 · Score: 1
  
  all caps is an nntp pet peeve and you (notice the lo caps... I'm not flaming you ;-) are asking me to go html? Huh?
  
  --
  Mi domando chi Ã il mandante di tutte le cazzate che faccio - Altan
Like cable modems... by zbowling · 2003-05-19 12:29 · Score: 2, Informative

There ability to be attach locally is like cable modems firmware chips. Descused on CableModemHack.com (A website of tools to uncap your cable modem), an effort to replace the firmware locally is underway for a lot of models of cable modems. It seems that cable modems are wonderful against software attacks, but very open to hardware attacks.

Hardware attacks, I guess, are not a common senerio that hardware designers really think much about.

--
No.
1. Re:Like cable modems... by Anonymous Coward · 2003-05-21 08:17 · Score: 0
  
  nice dead link, idiot
The big question by spitzak · 2003-05-19 15:25 · Score: 4, Interesting

The paper seems to skip around the huge unanswered question:
Is there a private key that third parties know that it is impossible for the owner of the computer to know?

The paper makes it sound like all key pairs are either randomly generated or that the chip can be fed a public key. However it is a bit vague, and I suspect the answer is that there are also non-random pairs in there, where third parties know the private key but you don't. They skirt around this by saying "Bios startup is quite complex" but I think the real answer is that there unless hashes have matched up to a point these secret public keys are inaccessible.

This system is absolutely useless for security as all exploits actually cause supposedly correct programs to follow the wrong instructions. This is like claiming current systems are secure because you cannot change the microcode and invent new machine instructions. It's purpose is so that it is impossible to get any kind of modified or different operating system in there, and still be able to run DRM programs, which could decode information using the secret key.

The fact that IBM and everybody else has refused to answer this question (I think the answer here was skirted around with some bullshit about the "BIOS startup being quite complex") makes me think they are lying.

The fact that having a high-speed encryption chip is quite useful is being used to hide the real purpose. Do you really think the same people who think Winmodems are a good idea are that interested in adding hardware just to speed up a function that can be done in software?

They also make a point about the random key generation, which is interesting, because it keeps the private key completely in the hardware where no program can see it and thus be fooled to reveal it. However I am curious if this is actually a defense against any real exploits. I have not heard of exploits that involve revealing the private key of a previously-negotiated pair, most involve fooling the system into doing something unwanted through an already opened and legitimate channel, or fooling it into using another public key that the attacker already knows the private one for. Can any experts find any real exploits where a temporary and untransmitted private key was revealed? If not then I would also suspect this is a smoke-screen, attempting to turn the fact that the chip has secret keys into a benefit. I would also think that 99% of the benifit, if any, could be achieved by loading the chip with a random pair and then making sure the program has eradicated all knowledge of the pair. There have been expoits in weak random number generators, and in this case the random number generator is in hardware and no longer easily fixed.

and even the fact that you can generate key pairs
1. Re:The big question by jareds · 2003-05-19 16:39 · Score: 4, Interesting
  
  The paper seems to skip around the huge unanswered question: Is there a private key that third parties know that it is impossible for the owner of the computer to know?
  
  The second paper on the page answers that question in the affirmative (sort of). The private part of the endorsement key is stored on the chip, the manufacturer may record the public part. The paper states that IBM does not currently and has never recorded endorsement keys. (Note that technically the answer to your question is "no": there would be a private key that the user does not know, but no third party would know it either. You misunderstand public key cryptography. However, your general point is well-taken, because the endorsement key could be used to implement DRM, subject to the obvious caveat the author brings up, that it would be vulnerable to local hardware attacks.)
2. Re:The big question by Wesley+Felter · 2003-05-21 07:54 · Score: 1
  
  Is there a private key that third parties know that it is impossible for the owner of the computer to know?
  
  My interpretation of the paper is that there are no keys at all in the TPM as shipped from the factory. Of course, this could change at any time.
YOU HAVE BEEN TROLLED by Anonymous Coward · 2003-05-19 16:19 · Score: 0

And You Lost
Nope by DreadSpoon · 2003-05-20 03:27 · Score: 3, Informative

I think there is a communication problem here. The article used "remote" to mean not-in-hardware; i.e., all software. It didn't mean just over the network.

An employee can get to the keys, but only by hacking the hardware. A possibility (as clearly explained in the articles), but not likely. It's also questionable when getting these keys would _do_; they only seem useful for the single machine itself. And I'd presume a good admin would clear/reset any keys if the machine is transfered to another employee.
I do not care what anyone says, by pair-a-noyd · 2003-05-20 06:03 · Score: 2, Funny

I will NOT use any system that involves FORCED TCPA, DRM, Fritz or any implementation of M$ code, embeded OS, hidden serial numbers, or any other Big Brother features.

You people can use all that stuff you like, I will not.
And when they finally force people to use it, in that you can not connect to other systems that DO use it unless you too use it, then that's when I become a total luddite and will just go live in the woods and live off the land...

This whole thing stinks and no one can convince me otherwise...
1. Re:I do not care what anyone says, by Anonymous Coward · 2003-05-20 08:03 · Score: 0
  
  Damn man, make up your mind.
  
  Are you gonna leave the country like you mention in your post in the YRO: The Searchable Life thread or are you gonna go live in the woods? Maybe you are gonna go live in the woods in another country? Is that the plan?
  
  I'd say go with the Luddite plan now. Yeah that's the ticket. Only you might want to make it a cave instead of the woods since the spy satellites can scry you when you run around in the woods.
  
  But if you decide to do the woods instead of a cave you might wanna check if Luddites can use tinfoil. Why not do a quick Ask Slashdot before you commit to the Luddite in the woods thing. Be a damn shame to become a Luddite and find you have to give up your protection against mind-control rays. Of course if you find a deep cave the soil and rock should stop all the rays.
Trusted Computing is... by DGolden · 2003-05-20 08:58 · Score: 1

When I have my own chip fab.

--
Choice of masters is not freedom.
Not much of a driver by Wesley+Felter · 2003-05-21 07:46 · Score: 1

I downloaded this driver when it first came out (even though I don't have the hardware) and it looks like it only has low-level hardware communication code in it. To make it at all useful, you'll need a library that marshals and unmarshals commands to the chip, and I haven't seen such a library anywhere.
Is it possible to intercept? by dancoit · 2003-05-21 09:34 · Score: 1

Excuse my ignorance, but would it not be possible to write a low-level program to intercept calls to a chip like this and reply to such calls with whatever answers you would like? I'm not a programmer nor software engineer but it seems to me that software calls to a hardware address could be redirected to a routine preloaded into RAM automatically and since the hardware address would be "hard-coded" it would be trivial to spoof the replying address if that were needed. If such is the case, all we would need is a software solution to overcome the "trusted computer" hardware handcuffs. Or no?
"TCPA not for DRM" reasoning wrong by gfim · 2003-05-26 13:38 · Score: 1

In the "No Need for TCPA" paper, the author argues that TCPA isn't practical for DRM because:

How could content providers recognize which reported PCR values were good, given the myriad platforms, operating system versions, and frequent software patches?

This misses the point that the content providers don't need to check all those platforms/OSs/patches. They just need to check that all these components contain a signature from an "approved" authority. Without all required signatures, the user doesn't see/hear anything. The part about tampering with the hardware is relevant, however.

Graham

--
Graham