Slashdot Mirror


The Future of Trusted Linux Computing

ttttt writes "MadPenguin.org tackles the idea of Trusted Computing in its latest column. According to author Matt Hartley, the idea of TC is quite reasonable; offering a locked-down environment offers several advantages to system administrators with possibly troublesome users. 'With the absence of proprietary code in the mix users will find themselves more inclined to trust their own administrators to make the best choices ... And so long as any controlled environment is left with checks and balances [like] the option for withdrawal should a school or business wish to opt out, then more power to those who want a closed off TC in an open source world.'" LWN.net has an older but slightly more balanced look at the TC approach.

10 of 158 comments

  1. If the owner controls all the keys, it's fine by jonwil · · Score: 5, Informative

    There is nothing wrong with hardware assisted security if the owner controls all the keys and nothing can touch the trusted hardware without the owner specifically installing it (i.e. logging in as root/administrator and changing things).

    Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.

  2. Re:But Linux is already trusted. by MyLongNickName · · Score: 4, Insightful

    But Linux and most Linux programs are already more "trusted" than Windows can ever be. From being open source, how can you not trust it?

    Did you even read the summary? Or were you just going for first post?

    This is about locking down the workstation so that users can't monkey around. I do not care how well the code is written, a malicious user can create a security issue if he/she has the ability to do so.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Trusted Computing is by definition closed. by Spy der Mann · · Score: 4, Insightful

    Or are the users getting their CPUs' source code and recompiling them? Or at least calling their LinCPUx fans to do it for them?

    Trusted Computing requires trusting the CPU manufacturer in the first place. And in this world, where the telcos have disclosed our conversations to the govt without us finding out until several years later, can we really trust that the government hasn't pressured the CPU makers to add a backdoor here and there?

    Trusted Computing is practically closed, and incompatible with the spirit of Open Source/Free Software. Ergo, Trusted Computing cannot be trusted. Sorry.

  4. please try to hold back the propaganda by amigabill · · Score: 3, Insightful

    With the absence of proprietary code in the mix users will find themselves more inclined to trust their own administrators to make the best choices

    Sorry, but I think that's putting your words into everyone else's mouths. Or fingertips, or whatever. The vast majority not only don't have this opinion about open vs proprietary code affecting how much they trust the choices their admins make, they also wouldn't have a freakin' clue as to what you're going on about in that sentence. The vast majority don't know what open-source is, how it differs from proprietary source, they don't know any reason why they'd care either way, and they'd probably give you a pretty funny look for attributing this philosophy to them.

    I like Linux and open-source, and have an appreciation for it. But I don't trust my admin at work more when he talks about Linux than when he's talking about Solaris. It's his job to make the best choices of any and all products available, and I trust him to choose whichever is most appropriate for our company, even if he feels that happens to be a proprietary product. It's not my place to impose on him to only ever choose open-source, and there's cases in our work where open-source offerings are less ideal.

  5. Re:O RLY? by ilikejam · · Score: 3, Interesting

    A sufficiently motivated whatnow?

    --
    C-x C-s C-x k
  6. Deception by IgnoramusMaximus · · Score: 3, Insightful

    These sorts of propaganda pieces have only one purpose: to sneak one past us. Trusted Computing (as presently defined by the corporate founders of the TC Consortium) has two major purposes which are deadly to all things "open":
    • To make sure that the computer can be trusted by a "contents owner" thus precluding the owner of the computer itself from being able to trust it
    • To allow for so-called "remote attestation" which has the effect of allowing 3rd parties (banks and the like) to trust the computer, again to the exclusion of its owner. The additional effect of this is that banks and other online entities will be able to ensure that only Windows systems, with "approved" apps are used. No spoofing of user-agent tags anymore, end of Linux use in most of the commercial Internet.

    In short, this article aims to lure the unwary into gullible acceptance of TC with an illusion of completely deceitfully presented and impractical (no one except the mega-corps will ever get the access to the main TPM keys) applications.

  7. Re:Excuse me but how do I get it signed? by arivanov · · Score: 3, Interesting

    Excuse me but how exactly do I get my Linux kernel I compiled myself signed?

    Self-sign it. It is not the fact that it is signed, it is who signs it that matters. From there on an access request goes down the chain with everyone signing it. The access control for A may like your self-signed kernel. Similarly, it may not and it will invalidate everything down from it as untrusted. It is A's "owner's" choice.

    And if you are talking about DRM for media, forget it, it is not here to stay.

    You have mistaken me for someone who gives a fuck about signed MP3s. Now a document sitting on a corporate CMS encrypted individually on every release and with an associated cert chain for each revision is something I do care about. A lot. A lost laptop in this case no longer means stolen data. The entire problem of document access control also more or less goes away. Same for revision and change control. While it is a hassle it solves quite a few real world problems.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  8. Re:I'm completely new to this TCM thing... by Cyberax · · Score: 3, Insightful

    The TPM in Thinkpads allows storing private/public keys in secure hardware storage.

    The kernel is signed and the hardware bootloader checks that the signature is valid (using the TPM). So we can at least guarantee that the system is in a consistent state during kernel loading. Later we can use numerous methods to control kernel integrity (SELinux, AppArmor, etc.).

    Theoretically, Microsoft can make you use the TPM to validate their kernel during booting (because a tainted kernel can be used to circumvent DRM).

    So we just need to be able to turn off the TPM chip if it's not required.

  9. Re:O RLY? by YU Nicks NE Way · · Score: 3, Insightful

    Either a wanker or an extremely clever commenter on the true value of human inspection. I suspect the poster was a wanker, but, oh, my, do I hope that he or she was extremely clever.

  10. Open vs Closed Trusted Computing by SiliconEntity · · Score: 4, Interesting

    Unfortunately there are several DIFFERENT, INCOMPATIBLE concepts being bandied about under the name Trusted Computing. This new "Trusted Computing Project" took on that name seemingly without being aware that there was substantial work already under way on a different concept with the same name.

    Perhaps to try to remedy the confusion, we can distinguish between TC as proposed by the Trusted Computing Group and other forms of TC. The TCG is an industry consortium with Microsoft, Intel, HP etc., dating back several years, originally called TCPA. Their proposal has always been controversial but IMO misunderstood.

    TCG's flavor of TC is fundamentally open. I would call it Open Trusted Computing, OTC. It does not lock down your computer or try to prevent anything from running. It most emphatically does NOT "only run signed code" despite what has been falsely claimed for years. What it does do is allow the computer to provide trustworthy, reliable reports about the software that is running. These reports (called "attestations") might indicate a hash of the software, or perhaps a key that signed the software, or perhaps other properties or characteristics of the software, such as that it is sandboxed. All these details are left up to the OS, and that part of the technology is still in development.

    Open Trusted Computing runs any software you like, but gives the software the ability to make these attestations that are cryptographically signed by a hardware-protected key and which cannot be forged. Bogus software can't masquerade as something other than it is. Virus-infected software can't claim to be clean. Hacked software can't claim to be the original. You have trustworthy identification of software and/or its properties. This allows you to do many things that readers might consider either good or bad. You could vote online and the vote server could make sure your voting client wasn't infected. You can play online games and make sure the peers are not running cheat programs. And yes, the iTunes Music Store could make sure it was only downloading to a legitimate iTunes client that would follow the DRM rules. It's good and bad, but the point is that it is open and you can still use your computer for whatever you want.

    This is in contrast to some other projects which may or may not call themselves TC but which are focused on locking down the computer and limiting what you can run. The most familiar example is cell phones. They're actually computers but you generally can't run whatever you want. The iPhone is the most recent controversial example. Now they are going to relax the rules but apparently it will still only run signed software. This new "Trusted Computing Project" is the same idea: it will limit what software can run. Rumors claim that the next version of Apple's OS X will also have some features along these lines, that code which is not signed may have to run in sandboxes and have restrictions.

    This general approach I would call Closed Trusted Computing, CTC. It has many problematic aspects, most generally that the manufacturer and not the user decides which software to trust. Your system comes with a list of built-in keys that limit what software can be installed and run with full privileges. At best you can install more software but it is not a first-class citizen of your computer and runs with limitations. Closed Trusted Computing takes decisions out of your hands.

    But Open Trusted Computing as defined by the TCG is different. It lets you run any software you want and makes all of its functionality equally available to anyone. P2P software, open-source software, anything can take full advantage of its functionality. You could even have a fully open-source DRM implementation that used OTC technology: DRM code that you could even compile and build yourself and use to download high-value content. You would not be able to steal content downloaded by software you had built yourself. And you could be sure there were no back doors,
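The mechanism comments 8 and 10 describe (boot components measured into a PCR-style hash chain, a "quote" of that chain signed by a key the hardware never releases, and a verifier comparing it against a known-good value) as an added Python simulation; this is not code from the thread or from any TPM vendor, and the toy RSA key, the SimulatedTPM class, the nonce and the component names are constructed for illustration only.

```python
import hashlib

# Toy RSA key standing in for the TPM's hardware-protected attestation key.
# Constructed for illustration (Mersenne primes, far too small for real use).
_P, _Q = 2**61 - 1, 2**89 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
AIK_PUBLIC = (_N, _E)                 # the remote verifier holds only this part

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class SimulatedTPM:
    """Holds one PCR and the private key; software outside never sees _D."""
    def __init__(self):
        self.pcr = bytes(32)          # PCR starts as all zeros at reset

    def extend(self, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || H(component)): order-dependent, can't be unwound,
        # so no later software can rewrite what booted before it.
        self.pcr = sha256(self.pcr + sha256(measurement))

    def quote(self, nonce: bytes) -> tuple:
        # The attestation: (PCR, nonce) signed inside the TPM. The nonce binds
        # the quote to this challenge so an old quote cannot be replayed.
        digest = int.from_bytes(sha256(self.pcr + nonce), "big") % _N
        return self.pcr, nonce, pow(digest, _D, _N)

def verify_quote(quote, nonce: bytes, expected_pcr: bytes, pub=AIK_PUBLIC) -> bool:
    """Verifier side: only the public key and a golden PCR value are needed."""
    n, e = pub
    pcr, quoted_nonce, sig = quote
    digest = int.from_bytes(sha256(pcr + quoted_nonce), "big") % n
    return quoted_nonce == nonce and pow(sig, e, n) == digest and pcr == expected_pcr

def measured_boot(components) -> SimulatedTPM:
    """Each stage measures the next into the PCR before handing over control."""
    tpm = SimulatedTPM()
    for component in components:
        tpm.extend(component)
    return tpm

# Constructed sample boot chain; the verifier was given its PCR as the golden value.
GOOD_BOOT = [b"bootloader v1", b"kernel 2.6.22 self-signed", b"initrd"]
EXPECTED_PCR = measured_boot(GOOD_BOOT).pcr

def attest(components, nonce: bytes = b"verifier-nonce-1") -> bool:
    """True only if this boot chain matches the golden PCR and the quote is genuine."""
    return verify_quote(measured_boot(components).quote(nonce), nonce, EXPECTED_PCR)
```

A modified kernel changes the PCR and fails the comparison, while a boot chain that simply claims the golden PCR fails the signature check because it has no access to the key; the self-signed kernel in the sample chain passes because the verifier chose to accept that measurement, which is the "owner's choice" comment 7 describes.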