Mac OS X Intel Kernel Uses DRM

An anonymous reader submits "Several people have discovered that the new Intel kernel Apple has included with the Developer Kit DVD uses TCPA/TPM DRM. More specifically, it includes "a TCPA/Palladium implementation that uses a Infineon 1.1 chip which will prevent certain parts of the OS from working unless authorized."

Not in the kernel

[annodomini]

The headline states "Mac OS X Intel Kernel Uses DRM". According to TFA, it's Rosetta (the PPC emulator, which isn't written by Apple) that uses DRM, not the kernel of the OS itself: We've discovered that the Rosetta kernel uses TCPA/TPM DRM. Some parts of the GUI like ATSServer are still not native to x86 - meaning that Rosetta is required by the GUI, which in turn requires TPM. In fact, we already know that the kernel doesn't use DRM and can run on any Intel box you want, because it's open source and can be downloaded here. It's the GUI that Apple wants to be locking in to their hardware, not the kernel. I suspect that they probably will make something other than Rosetta check the TCPA chip, but that's not what is going on right now.

How is the TPM used?

[SiliconEntity]

I know a great deal about TPMs, I have a computer with a TPM. They are very common. Many high end laptops and desktops have TPMs. Here is an up to date list of systems that have TPMs. They include manufacturers such as HP, IBM, Acer, NEC, Dell, Gateway, Toshiba, Fujitsu, and Samsung. You've probably heard of some of them. It's easy to get a computer with a TPM. Probably in a few years it will be hard to get a computer without one.

What does a TPM do? Essentially it is just a crypto chip. It can hold keys, and sign and encrypt data with them. It's completely passive. It never takes control of your system or does anything invasive. It doesn't even monitor the bus or snoop on data flows. It merely hashes, signs and encrypts data, on request from the CPU.

How is it used for DRM? It can't be done today. They way it would be used, sometimes in the future, is to ship the chip with a unique key pre-installed in it, and with a certificate from the manufacturer on that key. Then the BIOS and OS get enhanced to do a "trusted boot" in which every software component gets its hash reported to the TPM. This allows the TPM to send out a crypto-signed "attestation" about the software configuration on the computer. It is signed by the built-in key, and that key is known to be a legitimate TPM key by virtue of the certificate that was created at manufacture time.

This lets a remote server verify that you're running a genuine version of Media Player or iTunes and not some hacked thing that will strip the DRM and put it out on the net. Your system can report its software configuration and that attestation can't be forged, because you don't control a TPM key that has a cert on it from a TPM manufacturer.

It's a complicated system, and no part of it exists today. Manufacturers don't ship TPMs with pre-installed keys, and they don't issue certificates. Nobody wants to touch that stuff with a ten foot poll. I know, I've tried to get a computer with a certified TPM for research purposes, but they're just not available.

How would Apple use a TPM to keep the OS from running on non-Apple PCs? This is the $64 question, but I haven't seen much information about it. If they just look for the presence of a TPM, that won't help much - see above for all the computers out there that have TPMs.

My guess is that it is more likely that the mechanism Apple will use or is using to keep from running on non-Apple hardware is not the TPM. They will probably use a custom chip. The TPM is extremely standard, the Trusted Computing Group has hundreds of pages documenting it. It would be crazy to twist that standard.

Rather, I'm guessing that Apple uses the TPM for crypto purposes, possibly with an eye towards eventual DRM if and when the necessary massive infrastructure ever gets built. Due to its unique position as designer of both the computer and the software, Apple might even be in a unique position with regard to rolling out some form of TPM based DRM, just as they were among the first to create a commercially successful DRM system in iTunes. My speculation is that Apple is not using the TPM to stop hackers porting its software, they're using the TPM because it's useful. It just happens that the hackers don't have many systems with TPMs.

If so, then, it is merely accidental that the use of the TPM is a road block for experimenters determined to run the Apple software on non Apple PCs. It's possible that if they looked at the list they would find some computers lying around that had TPMs in them, and if they tried on those computers, the TPM software would work fine. Maybe the OS would then run in its current form. It sounds like it's worth a try, anyway.

Re:Damn Microsoft!

[ShieldW0lf]

Except for the vast bulk of legitimate users it doesn't, because so few of them upgrade their computers at all, let alone enough to trigger any reactivation sequence.

Are you kidding? Legitimate users are the only ones it interferes with. Pirates just use Corporate Edition and don't deal with all that bullshit.

Hell, I know lots of people who own XP because it came with their computer, and they still wipe it and throw a copy of corporate on there because the product activation/windows update bullshit screws up their system from time to time.

Re:Damn Microsoft!

[identity0]

It looks like some people don't know a classic Slashdot joke when they see one.

Don't they teach you new whippersnappers anything these days? Or do I have to explain the origin of the "No wireless. Less capacity than a Nomad. Lame." and the "and then it was like, beep beep beep..." joke to you, as well? :)