Slashdot Mirror
Mac OS X Intel Kernel Uses DRM
An anonymous reader submits "Several people have discovered that the new Intel kernel Apple has included with the Developer Kit DVD uses TCPA/TPM DRM. More specifically, it includes "a TCPA/Palladium implementation that uses a Infineon 1.1 chip which will prevent certain parts of the OS from working unless authorized."
I hate those bastards! I knew they were going to try and sneak this crap past us! They were plo...oh wait, did you say Apple?
Wow! Spectacular use of technology Steve! You're my hero!
I had thought that it was widely known that OS X won't run on anything not sold by Apple as a Mac.
i am a soviet space shuttle
The first person to crack this DRM implementation will win a free story about it on Slashdot!
I don't care if it's 90,000 hectares. That lake was not my doing.
More specifically, it includes "a TCPA/Palladium implementation that uses a Infineon 1.1 chip which will prevent certain parts of the OS from working unless authorized."
/. I need you! Tell me what to think!
Oh no, my two sources of zealotry are colliding. Eeek! It can't be evil if Apple does it, right... but DRM is always evil, right?
Alter OSX code at runtime. It only works on PPC at present, however.
I don't get it - Apple's hardware has always been close system as you can get from PC type computer. So of course they can be 'accidentaly' early addopters of Palladium. Don't like it? Choose another vendor.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
Apparently Apple's DRM kernel extension only gets involved when Rosetta is executing code. In other words, if you're running native code, there's no checking. But apparently some critical parts of the kernel are still being executed by Rosetta. And reimplementing the `AppleTPMACPI.kext' in a completely harmless manner (such that it always returns a "Yes go ahead" signal) is an option. As is replacing it at runtime via mach_override.
These boxes aren't even for sale yet. I'm sure that it'll be cracked before that even happens.
iirc, intel's drm is based on a supopsedly "hacker proof" chip that has an rsa keypair in it.
everyone know how those uncrackable chips fared... well every time they tried to do something like this. it failed miserably.
i know what you'll say. "microsoft managed it with the xbox". which is bogus, microsoft's problem is the complete opposite as this one. microsoft is trying to prevent unsigned code from running on "their" hardware.
apple is trying to prevent their code from running on "unsigned" hardware. that implies the private key is in the paladium chip so it can "sign" a token sent by the OS. that's the worst case senario, and it will just take a few months to reverse engineer and distribute apple's private key along with pearpc (yes, you can read the key from that suposedly secure chip).
another possible implementation is that the chip just sends an "apple" id. maybe s string of text or something like that. that's even easier to circumvent.
don't be fooled by their marketing, pearpc will work just fine, albeit maybe illegally in the US (and canada soon). thanks to the DMCA
Seriously, what did anyone expect?
Apple does not want OS X installed on every generic PC out there. If Mac sales die tomorrow, Apple and OS X go with it. And no, they wouldn't open all the source after the liquidation and you would be stuck with Linux and Windows on the desktop. With both options being crap (for differing reasons).
I would absolutely love for OS X to be sold for any machine with an Intel or AMD chip inside, but it's just not going to happen because Apple is not positioned to do so and survive.
Fortunately, Apple has never even hinted at taking a route other than having OS X run on their machines and their machines only. Any disappointment should be tempered with the knowledge that they have had their cards on the table on this for some time. I don't think there was any question of another outcome.
Apple is not screwing anyone over, they are just continuing what they have done for the past 21 years (even the brief period of Mac clones only involved the OS running on approved hardware).
Perhaps things will change sometime down the road with Apple making further inroads into consumer electronics and successfully diversifying their business. I wouldn't hold my breath, though. The seamless integration between hardware and software is at the very core of the Mac experience.
It's unfortunate that OS X is going to stay on one set of hardware, but it is just the way it has to be for the time being.
The headline states "Mac OS X Intel Kernel Uses DRM". According to TFA, it's Rosetta (the PPC emulator, which isn't written by Apple) that uses DRM, not the kernel of the OS itself: We've discovered that the Rosetta kernel uses TCPA/TPM DRM. Some parts of the GUI like ATSServer are still not native to x86 - meaning that Rosetta is required by the GUI, which in turn requires TPM. In fact, we already know that the kernel doesn't use DRM and can run on any Intel box you want, because it's open source and can be downloaded here. It's the GUI that Apple wants to be locking in to their hardware, not the kernel. I suspect that they probably will make something other than Rosetta check the TCPA chip, but that's not what is going on right now.
If you analyzed the mach_kernel binary file on the Developer Kits, you would see that the kernel is vastly different than the Darwin 8.2 that Apple released as open source. For one thing, it automatically calls the oah750 daemon (better known as Rosetta) every time that it finds a non-universal PPC executable.
Before the kernel uses Rosetta to execute the PPC application (i.e. ATSServer in the case of starting a GUI), it calls the TPM kernel extension and checks the private keys in the TCPA chip. This is the only thing, as far as is apparent, that prevents Mac OS X from flawlessly running on a non-Apple system.
Oh do stop panicing, this will be cracked, and easily, if it has not already been done.
I am beginning to think companies put these copy protection things in the hardware for a variety of reasons:
1) They get free advertising with the protests.
2) They get free advertising when it is cracked.
3) They get free advertising when they chase the crackers.
4) They get free advertising when they chase the cracks' distributors.
And maybe it gives the content providers a warm fuzzy feeling.
threadeds blog
Everyone here has been waiting for OSX-x86 ISOs to hit torrent sites so they can run OSX on their whitebox PCs. As has been seen many times before, not every ADC member holds up their end of the bargain with regard to their NDA. Knowing this full well it was rather obvious Apple would have to take some sort of action to keep their OS from being widely pirated within days of the first dev kits being delivered.
There's a lot of hand waving here about companies removing people's rights and slippery slope arguments along the lines of "if they do X they will eventually do Y for reason Z". This entirely ignores the fact that Tiger-x86 is probably the hottest thing to hit torrent sites in a long time. It was bad enough when developer releases of Tiger for PowerPC were making the rounds and people were making stupid assessments of the system months before release. The development kits and pre-release copies of OSX are meant to be in Mac developer hands, not Joe Dork down the street on his PC.
It is not a particular right to run OSX on anything but a Mac, the OSX EULA that you have to agree to in order to install the system specifically states that. Apple locking OSX onto Macs means they can continue to sell the machines with a straight face. No one would bother to buy a Mac if they could just grab a copy of Tiger and slap it on their PC at home. Apple would have little incentive to continue Mac development if there were no Macs being sold.
I'm a loner Dottie, a Rebel.
I know a great deal about TPMs, I have a computer with a TPM. They are very common. Many high end laptops and desktops have TPMs. Here is an up to date list of systems that have TPMs. They include manufacturers such as HP, IBM, Acer, NEC, Dell, Gateway, Toshiba, Fujitsu, and Samsung. You've probably heard of some of them. It's easy to get a computer with a TPM. Probably in a few years it will be hard to get a computer without one.
What does a TPM do? Essentially it is just a crypto chip. It can hold keys, and sign and encrypt data with them. It's completely passive. It never takes control of your system or does anything invasive. It doesn't even monitor the bus or snoop on data flows. It merely hashes, signs and encrypts data, on request from the CPU.
How is it used for DRM? It can't be done today. They way it would be used, sometimes in the future, is to ship the chip with a unique key pre-installed in it, and with a certificate from the manufacturer on that key. Then the BIOS and OS get enhanced to do a "trusted boot" in which every software component gets its hash reported to the TPM. This allows the TPM to send out a crypto-signed "attestation" about the software configuration on the computer. It is signed by the built-in key, and that key is known to be a legitimate TPM key by virtue of the certificate that was created at manufacture time.
This lets a remote server verify that you're running a genuine version of Media Player or iTunes and not some hacked thing that will strip the DRM and put it out on the net. Your system can report its software configuration and that attestation can't be forged, because you don't control a TPM key that has a cert on it from a TPM manufacturer.
It's a complicated system, and no part of it exists today. Manufacturers don't ship TPMs with pre-installed keys, and they don't issue certificates. Nobody wants to touch that stuff with a ten foot poll. I know, I've tried to get a computer with a certified TPM for research purposes, but they're just not available.
How would Apple use a TPM to keep the OS from running on non-Apple PCs? This is the $64 question, but I haven't seen much information about it. If they just look for the presence of a TPM, that won't help much - see above for all the computers out there that have TPMs.
My guess is that it is more likely that the mechanism Apple will use or is using to keep from running on non-Apple hardware is not the TPM. They will probably use a custom chip. The TPM is extremely standard, the Trusted Computing Group has hundreds of pages documenting it. It would be crazy to twist that standard.
Rather, I'm guessing that Apple uses the TPM for crypto purposes, possibly with an eye towards eventual DRM if and when the necessary massive infrastructure ever gets built. Due to its unique position as designer of both the computer and the software, Apple might even be in a unique position with regard to rolling out some form of TPM based DRM, just as they were among the first to create a commercially successful DRM system in iTunes. My speculation is that Apple is not using the TPM to stop hackers porting its software, they're using the TPM because it's useful. It just happens that the hackers don't have many systems with TPMs.
If so, then, it is merely accidental that the use of the TPM is a road block for experimenters determined to run the Apple software on non Apple PCs. It's possible that if they looked at the list they would find some computers lying around that had TPMs in them, and if they tried on those computers, the TPM software would work fine. Maybe the OS would then run in its current form. It sounds like it's worth a try, anyway.
No big deal then. I'd expect them to port all the code to x86 by the time they release those things anyway, and other software vendors will surely follow soon.
That theory has been kicked around a little already and it seems to make sense on the surface but it ignores no less than three very important points.
1) Installed base. If Apple intends to promote a movie download service that only runs on Macintels, it's going to flop big time and worse than just flopping, it's going to really piss off people who bought PPC hardware in the past couple of years.
2) Transion time frame. Apple will begin the transition to Intel next year but it won't be selling Intel boxes exclusively until 2007. That means the announcement of a service that requires an Intel box would have to wait until then or risk killing hardware sales. Somebody else will be doing it before that.
3) iTMS model? Assuming they intend to follow the same model with their movie store, where selling movies is really just a way to move a different product (video iPod, set-top box, etc), they'll want to sell movies to Windows users as well as Mac users just as they do with music now. They'll also need to allow users to move their purchased movies to another device which may or may not contain the same DRM.
Anyway, they don't need hardware DRM to open a movie store. They have a perfectly good software based DRM for music so something similar should be enough to make the movie industry happy.
Section 8 - Powers of Congress
Yep - that would be the ability of the US Congress to control whether or not the copyrighters have a right to copyright. Note that it provides congress with a power, it does not provide the people with a right.
Importantly, it has the clause "to promote the Progress of Science and useful Arts" - once copyright is no longer filling that role, it should not be in place...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
> This silly conspiracy theory is getting tiring. Why would Dell & HP
> prevent paying customers from running Linux or DOS or whatever the fuck
> they wanted to run? Both companies sell Linux and brag about how much
> money it makes them.
Simple. Same reason you can't buy a PC from Dell without an OS except for a couple of Optiplex lines they target at the corporate users who already have site licenses. And even for those they have to toss FreeDOS in the box to make Microsoft happy.
Now imagine a world where Microsoft requires a locked TCPA chip to boot a future version of Windows. Basically they will speak unto Dell thusly: "If you want to sell Windows you will stick this chip on each and every motherboard. And if you don't want to pay the whitebox chopshop price for licenses you will join our co-op marketing program which requires you stick this chip on ALL motherboards you sell. No exceptions. Hey bitch, you already give Intel the same 100% loyalty so now you serve TWO masters. Starting today you no longer sell Dells, you sell Windows Workstations with Intel Inside and if you don't like that I have the same contract manufacturers you job your actual work out to ready to make em for me direct and a bunch of Indians ready to roll on deploying an ecommerce site to sell them through."
Democrat delenda est
Now, imagine you hired somebody and you told him to do something, but now, instead of just doing it, he insists on getting permission from someone else before he will do what you tell him to do. This leaves someone else in complete power of whether or not you can get this guy to do what you hired him to do in the first place...
Its yet another layer ( possibly dozens of layers ) of additional negotiation that has to be played out before things can happen.
There are many businesses out there who are running on razor-thin profit margins as they try to remain economically competitive. Adding yet more layers of nonproductive negotiation will require cutting finances somewhere else, and often nothing is left but salary and benefits.
On top of that, DRM enables somebody else to control whether or not the infrastructure you already paid for and installed will be permitted to continue to function. Would you want a toilet which insisted on "phoning home" and getting permission to accept a load?
Believe it or not, there are many people out there which have a so-called "business" education that are completely unaware of the business risks of having somebody else at the switch which controls whether or not the business can function.
We are trying our damndest to protect their ass.
Its like trying to make sure your neighbors don't erect highly flammable houses in fireprone areas. Just as firemen know a fire in a neighborhood threatens all the houses, this DRM thing can easily get out of control and threaten all of us.
There are some of us who know there is no reason at all to pay someone else over and over and over again for work that's already been done. But we also realize using DRM to enforce that paradigm is quite doable, and there are a helluva lot of people out there which will jump at the chance to lure us all into this cat trap.
Me and a lot of other people here have been trapped before, and know what this kind of cat trap looks like and what it does.
Once that door slams shut behind you... err, well forget about a lot of stuff you used to take for granted.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
I still think the problems raised by DRM are greater and more severe than those it purports to fix. Obviously, fair use and doctrine of first sale are the first to disappear. But also, common carriage is at risk, and if DRM gets into routers and switches then it will be possible to make the Internet into the same mess the telecommunications network is in.
The nature of DRM and the clumsy attempts we have seen so far also indicate that there is great potential for human rights abuse, too. There is of course the ability to monitor who is interacting with whom, the DRM software has to track this to work. There is also the ability to block or censor communications. After all, restricting access or dissemination is what DRM is all about. And that directly affects both the right to free speech and the right to peaceably assemble -- after all what can be published or organized without the Internet or the Web these days, without them you're shut off.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Damn, talk about irony! The entire "free software" community has had its fists buried so deeply in its ears over this issue for years now it is doubtful we can make a meaningful recovery of the ground that has been lost.
You try to pretend TCPA and DRM can be killed at birth and you are wrong. You try tto pretend DRM cannot be made to work and you are wrong. The same technology that protects HOLLYWOODS data can protect YOUR dat and MY data. DRM will allow computing to move into a new paradigm where conversations can be reasonably assured of being completely ephemeral OR where "data" can be moved from point A to point B with the relative security and geographic displacement of a physical object. But people lie and copy and cheat and forge and so to do this requires a *trusted platform* - a system you and I can both agree has been verified for honesty by a disinterested third party to our exchange.
If you don't want to buy DRM media then don't buy it. But insisting someone is trying to "take your rights away" because they are asserting *their* rights is, at best, disengenuous.
The open source community at large needs to take off the tinfoil hats and start doing some real development on these platforms. Like it or not DRM is coming and if you sit out the party no one is going to listen to you complain that everyone else already got all the cake and ice cream.
If OS X had to run on a gazillion different combinations, that fact would be a major point it making it less reliable and less stable. BECAUSE THE OS IS SOLD TO RUN ON ONLY A FEW HARDWARE OPTIONS, IT"S EASIER TO WRITE AND TEST AND Q/A THE DAMN THING! That is part of the success of OS X and what makes it run so geat. Of course Apple wants the hardware sales, but controling the hardware is critical too. I would not want an OS X that could run on Compaqs to Dells to A Opens to your custom PC because then I wouldn't get uptimes of 90 days (rebooting only for security updates that touch the Kernel, etc).
LOOK AT SOLARIS. Ask anyone who needs a Solaris box to stay up for critical stuff (not FTP server, talking about critical stuff at the core of a company / government / hospital) and it will be on one on Sun's servers, it will NOT be Solaris for Intel. Big metal + Tested Metal = Solaris uptimes of years if need be. Small metal + Tested Metal = OS X I know and love.
I am a small employer. The reason we have pre-employment drug screens has absolutely nothing to do with me or my company's opinion of them.
Our insurance rates are cheaper if we do them.
It is a VERY simple cost/benefit anaylysis. We save money by requiring drug tests. Not in productivity or anything like that. Just our insurance rates.
I suspect we are not the only ones who are faced with this choice.
How did you explain their side of the argument?
Let's assume (perhaps falsely) that the RIAA/MPAA aren't literally Satan's spawn. They have a good reason for wanting DRM: they spend a lot of money to make music/movies. They'd like to get paid for that, and the current environment makes it easy for people to get the full benefit of their work without paying for it.
You know all this, so I'm not going to explain any further, but the question is, did you explain this to your friend? It's easy to get people angry when you explain only one side of the story. And if you want to use him as an example you have to be extra-careful to present their side as persuasively as possible, because you're obviously coming to this with a bias.
Look, I agree that the DRM they want to use is too restrictive. But the absolutely-no-DRM environment is also not completely fair to them. So the attitude of simply getting angry at them for proposing an alternative is just wrong. The proper attitude is closer to, "Gee, neither situation is tenable, let's figure out what's genuinely fair."