Should We Be Afraid of TPM Chips?

AcidArrow asks: "I was looking to buy a new laptop and since I wanted to be on the bleeding edge, I thought one with the new core duo chips would be just what I need. Among the features on the laptops I was looking was 'Trusted Platform Module chip for the safety of your data'. Now, I don't know of any real uses for a TPM chip yet, but is this something that should worry me, or keep me from buying a laptop with said 'feature'? I don't intend to use it and I would like to disable it, if possible, but I don't want to make it easier for anyone to track down what I'm doing on my laptop."

People are so afraid....

[hubs99]

It seems slashdotters are so afraid of these chips they won't even comment on them.

Re:People are so afraid....

[MarkGriz]

"It seems slashdotters are so afraid of these chips they won't even comment on them."

Maybe they tried but the TPM chips in their computer blocked them.
I'm glad I don't hav#&DFGsj3lwkj.s9)
NO CARRIER

Uses

[TheRealMindChild]

TPM in itself isn't bad. It is when it is grossly abused is the concern.

I would imagine if you want to use future version of windows (and/or media player), this chip will be necessary. I can only speculate that it aids in the decryption of copywrited content

Re:Uses

How is it NOT bad when your personal computer, to which you entrust essentially all your documents, can hide software and data from you?

It is Big Brother Inside. Invisible, omnipresent, and with an enhanced ability to hide backdoors that will even grab your encrypted communications when they go in the clear inside your PCs.

But, hey, you are probably a law-abiding person and should have nothing to hide.

Re:Uses

[Trelane]

How is it NOT bad when your personal computer, to which you entrust essentially all your documents, can hide software and data from you?

The chip does nothing of this. The chip itself only encrypts and decrypts. The rest of the nightmare scenario requires a Treacherous Computing operating system and/or application software to do this.

Notably, a TPM has a great many advantages (provided you trust the vendor anyway)--but only when implemented on a trustable OS and application. For instance, you can use it to trusted bootstrap (using a previously signed Linux kernel (basically saying you or someone you trust created the kernel)) to avoid boot-time rootkits, and then once you've loaded a trusted kernel, it will help the kernel to check for trusted (signed) modules. It can also check that the ps you're running isn't trojaned (i.e. installed by someone who didn't have the key).

In short, go TPM, but boot Linux (or BSD, or whatever you can trust). The critical difference between Big Brother and Best Friend is whether you or someone else is doing (or able to do) the signing.

Re:Uses

The chip does nothing of this. The chip itself only encrypts and decrypts. The rest of the nightmare scenario requires a Treacherous Computing operating system and/or application software to do this.

Oh bullshit. The Werner Von Braun defence. "I only make the rockets go up. Others decide where they land." As things stand at the moment, Trusted Computing hardware has only one use: to remove the control of the computer from its owner. The EFF has a proposal to mitigate the risks and keep the benefits... and yet the TCG will not even consider it. The reason why not should be obvious. As it stands, the TPM is not about security it is about control and there is not one single reason to trust any of the companies behind this.

Re:Uses

[Trelane]

but also the very real (and currently being implemented by Microsoft) threat of massive privacy abuse, survellence and near-total control it allows, instead of just spouting meaningless "It's not evil. It's just hardware" platitudes then, perhaps things will improve.

That's basically what I said, save for the gross misrepresentation, namely "just spouting meaningless 'It's not evil. It's just hardware' platitudes"

Your (apparently) blind hatred for all things TPM seems to have skipped the "currently being implemented by Microsoft" detail of the "threat of massive privacy abuse, survellence and near-total control it allows". You seem to acknowledge the fact that it requires additional OS and/or app support for the abuses part while totally ignoring this same fact anywhere else!

If you don't have access to the keys, then this is not about security" -- Alan Cox.

Quite true, but you have the keys, with the notable exception of the TPM's itself. Theoretically it never leaves the chip and isn't recorded anywhere, but again why I said you had to trust the chip vendor too....

The only additional piece of the puzzle we're missing is the BIOS bootloader verification. Here is likely one of your objections, particularly the keys objection. Never buy a TPM-enabled computer if you cannot sign your own bootloader, for what are likely (to us at least) obvious reasons.

Now why am I having a fight with an AC? Post from a real account or else thread over.

Re:Uses

[Sique]

There are issues with TPM vs. free software you didn't address. What if the kernel you want to boot doesn't have a signature the TPM module recognizes? If you or some friend or colleague of you modify a kernel, then its signature changes (that's the whole point of signed binaries). So what if you TPM module just refuses to boot from a signature it doesn't know?

What if the device is something like a digital video recorder or a wireless router, which in theory runs under Linux or other GPLed software, and you should be able to change the code according to your wishes, but because you don't have a key the TPM module trusts, you can't sign your changes, and the TPM module tells the BIOS not to boot your binary? It might be not with the general purpose computer for now, but on specialized hardware it's pretty possible. The hardware vendor will just tell you that he has to sign all changes, and what use is the GPL for the software to you, if you can't run your modifications without the vendor's agreement? You are back to square 1, this time not fiddling with copyright, but with the TPM module, and no clever licensing gets you out of the trouble.

So what about running for example other software than Mac OS X on new Apple-Intel hardware, if the BIOS just wants Apple's signature on the kernel binary? As the previous poster already said: If you don't have the keys to your computer, you are not in control of your computer. It doesn't need the malice of the OS designer, it can be already be in the BIOS.

Customize?

[DarkNemesis618]

Is it possible to get a model of said laptop without a TPM chip? It should be. If you go to Dell and buy a laptop, you're for the most part, able to customize nearly everything to suit your needs. Would the TPM chip be any different. I read about them and see no reason for most people to have any use of them. Nothing like shoving new or unwanted technology down everyone's throats.

Be afraid only if you can't use it ..

[torpor]

.. yourself, personally, for your own uses. If the TPM 'feature' is only something that a mfr, or software vendor, can exploit to protect data, then its something that you definitely don't want to use.

But if there were uses for TPM which directly translated into a user feature - like being able to save .DOC files to your USB stick, encrypted to your own TPM serial, for example - then I would say yeah, its something that can be used.

But frankly, TPM isn't there for you. Its there for software vendors and 'media suppliers' to use in branding content to your machine. Whether thats good or not, is entirely up to whether or not the end user wants less control over where the data can travel .. so far, the only use for it appears to be in keeping MP3 and other Media files, which you did not author, local to your own machine.

I'd be interested to hear cases where TPM-stamps can be used to actually protect user-author'ed data, though. Would be handy for studio-type people .. like, if I could get my Cubase/Protools session files stamped specifically to my machine, and they can't be used anywhere else, under certain circumstances that could be very handy ..

But that sort of protection is just as easily provided by tools like GPG and such, and still would depend on the software vendor exploiting that feature, so .. yeah .. it just goes round and round.

Re:Be afraid only if you can't use it ..

[HaloZero]

But if there were uses for TPM which directly translated into a user feature - like being able to save .DOC files to your USB stick, encrypted to your own TPM serial, for example - then I would say yeah, its something that can be used.

I can safely say that I do not want this. I use my jumpdrive to keep a backup of three directories; a script automagically copies fresh versions of a particular tree into a branch on my jumpdrive. This is done for portability and backup purposes. If, for example, my .doc and .mpp and *.* files were encrypted with my ThinkPad's TPM serial, then recovery from another machine (lets say that my laptop is stolen, or otherwise destroyed [with fire]) is pointless - there's no way to replicate that serial.

Long story short: TPM serialization == bad for backups.

Nothing to fear

[dotslash]

Firstly you can disable the chip from BIOS or driver software

Secondly there are some good uses for it: I use it to store web site passwords, keys and certificates. On my laptop (Thinkpad T43) it is connected to the fingerprint scanner so I can enforce two-factor auth. (finger swipe AND passphrase). I also store the keys for encrypted disk volumes in the TPM (also part of the software IBM/Lenovo offers for the TPM).

No software can access the TPM without my consent, because it requires finger and password.

Re:Nothing to fear

[Jherek+Carnelian]

You might want to do a little research on the efficacy of finger-print identification systems - in short it is pretty much nil. The cheap ones can usually be fooled by simply retrying a bunch of times with the finger at different angles, the more expensive ones can be easily fooled with the equivalent of a jello mold of the valid fingerprint - which can often be lifted directly off the scanner itself via the skin-oil left by the most recent user. So your 2-factor authentication is really more of a 1.1-factor authentication.

Re:Nothing to fear

[Jherek+Carnelian]

They do afer all specialize in some pretty high end hardware such as tamperproof encryption modules. If it were any other manufacturer I'm not sure I'd "buy it".

Heh. I know the guys who do the IBM 4758 and PCIXCC cards and they aren't involved with the fingerprint scanner on the notebooks.
IBM is a big company.

Although not IBM specific, here's a few links about the falibility of fingerprint scanners, the last one is tragically funny.

http://www.schneier.com/crypto-gram-0205.html#5
http://catless.ncl.ac.uk/Risks/22.37.html#subj4.1
http://www.schneier.com/crypto-gram-0205.html#5
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.st m

Just about every new laptop

[linguae]

...seems to have a TPM chip. Thinkpads, MacBook Pros, some Gateway machines, just about every major new laptop manufacturer that I know of has already installed TPM chips in their laptops.

The important thing to remember, though, is that a TPM chip means nothing if you don't use an OS or software that utilizes the chip for nefarious purposes. If you stick to Windows XP, current versions of OS X (they only use the TPM chip to see if it is a genuine Macintosh), or a free OS (like Linux or BSD), then they won't utilize the TPM chip to restrict your moves. However, you might want to check out any upgrades to the proprietary OSes or proprietary software before you upgrade. You might also want to avoid DRM'd media as well and find alternatives before it is too late.

Now, if you really don't want a TPM chip in your machine, just buy the last model of the machine that you want that doesn't have a TPM chip. Apple, for example, still sells their G4 line of PowerBooks and iBooks. You'll have to weigh the advantages/disadvantages; do you want to sacrifice performance over a trusted computing chip that has little control depending on your software choices?

Two questions

[mcc]

Firstly you can disable the chip from BIOS or driver software

1. Is this even the case with the new Intel macs?

2. If you disable the chip from bios, can the OS re-enable it without your consent?

educate yourself?

TPMs are neither good nor evil per default and there is
nothing magic in them, just some well known crypto cast into hardware.

If you want to know what they do or can do,
grab the specs from the TCG homepage and read em,
no one to stop you.

If you want to try them yourself, grab the TPM kernel emulator module,
or use a real chip, Linux ships drivers with every new kernel.
Use the freely available software lib from IBM (called Trousers),
hell, lately even first Java bindings appeared for those who
don't want to get much dirty.

be afraid...be very afraid

[Tumbleweed]

Keep in mind that TPM also stands for "The Phantom Menace," and that is NOT a good thing. (Okay, except for the light sabre battle at the end, which was the best thing in all three prequels.)

Re:I'd stay away from it...

[eclectro]

for now, my fiance wants Windows so it might be Windows in the future...not sure

Nope, it's not worth it. Stay with Linux, dump the girl.

TCPA claims rebuttal, from IBM research

[Fry-kun]

Just found this article, it's an interesting read:
http://www.research.ibm.com/gsal/tcpa/tcpa_rebutta l.pdf

In short it says, chip does nothing more than encrypt/decrypt data. It can't execute any code and is not made to be resistant to owner attack (e.g. timing cryptanalysis will work on it!). The only key(s) it controls are generated on-chip and never leave the chip [unencrypted]; there's no external "trusted authority" which manages the keys - so remote revokation is out of the question.
Ergo, you have nothing to be afraid of if you're running current version of WindeXP or any version of *nix