Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module (TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing.
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process.
Non sequitur much? What do Blu-Ray movies have to do with a TPM or UEFI secure boot? Also, Windows 8 can be run just fine without UEFI secure boot and doesn't need a TPM. UEFI secure boot is only needed to sell a certified product. Trying to drum up some FUD or what?
None of the consumer grade machines that you would buy or build for installing your own system enforce TPM or UEFI or any of that, so far it is all optional. So no need to currently avoid it, just don't use it.
get a mac: http://www.osxbook.com/book/bonus/chapter10/tpm/
At the time of this writing (October 2006), the newest Apple computer models, such as the MacPro and possibly the revised MacBook Pro and the revised iMac, do not contain an onboard Infineon TPM. Apple could bring the TPM back, perhaps, if there were enough interest (after all, it is increasingly common to find TPMs in current notebook computers), but that's another story.
You don't HAVE to enable TPM. It's a BIOS option in most of the mobos I've seen so far. Most don't even have anything in that plug. They just include a TPM header to plug that in someday. Even UEFI is just a plain ol' BIOS unless you run something that requires the stupid security shit.
If you're REALLY dead set on not even having it at all... You're going to be stuck 2 generations ago forever.
Mobo mfgs included it because it's easier to make one product line that has it all. It's not going to take over your system unless you install software that requires that.
If you were to go "off the grid" how are governments and corporations supposed to keep track of your activities? You obviously have something to hide. They will still find you and track you down even if you use archaic hardware. [insert evil laugh here]
My god man, how many Wal-Marts could you possibly need?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
What kind of trolling is this?
You can easily find computers without those options, or at the very least ones where they can be disabled.
I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or proprietary pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result, if you get a system with an unsupported wifi card you can't replace it, or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.
ThinkPenguin's been working with the Free Software Foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix, particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell, for example).
I don't see a problem with it, unless it can't be disabled. If you want all the freedoms, one of those freedoms is to enable or disable a TPM when you want. Maybe the only reason you want a TPM is so you can have one to test ways to circumvent it.
The story about the TPM was a load of horseshit FUD. TPMs are good if you want secure crypto key storage. If you don't, use a tinfoil hat.
"Secure boot" is the thing you want to avoid if you're suitably paranoid.
Just buy it with TPM and turn it off. It's just like 3D televisions--it's a permanent addition to the feature list, regardless of how many people actually want or use it. Yeah it sucks that you pay for stuff you don't use. I'm sure you'll survive the experience.
And if you're paranoid that turning it off won't REALLY turn it off, how do you know a motherboard without a TPM module doesn't REALLY have a super-secret disguised TPM module? If you're that paranoid, you'll have to build the motherboard yourself.
Buy consumer grade hardware, i.e. no workstations or business grade laptops. There's usually no TPM because home users don't have a need for it or the infrastructure to use it.
Every modern totalitarian regime needs an easy way to spy on its own peasants. Don't expect a hard drive without an embedded serial number, motherboards without a burned-in MAC, or a CPU without an ID.
Don't fight, just follow the path they outlined for you.
TPM is just a secure hardware keystore. It allows you to store secret keys in it. Don't want it? Don't activate it.
It is most commonly used in corporate machines, but can be used in Linux to support LUKS for full-disk encryption.
As usual, people fear what they don't understand. The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature. TPM itself isn't inherently bad any more than any safe is inherently bad.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Learning HOW to think is more important than learning WHAT to think.
"trusted" = restricted = encumbered = crippled = oppressive
I am currently running ancient 32-bit hardware and ...
Just buy a new computer and get over it. Why is this even an issue in 2013?
Stop blindly following whoever told you TPM is worth spending any time/money to avoid on ideological grounds.
http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/
You can use the damn thing for anything you want.
The same goes for UEFI people, grow a mental pair and understand the technology instead of having it interpreted by techno-priests for you.
I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM.
You want to buy a high-performance x86 motherboard which, for some unfathomable reason, lacks features that have become more or less standard in both the consumer PC and enterprise markets, like UEFI, and are not going away any time soon. Good luck with that.
I've got two different systems running Arch using these boards. One of them is booting in traditional BIOS mode, and when I turned off the secureboot and followed Arch's UEFI installation procedure, I got the second one booting with UEFI just fine.
AntiFA: An abbreviation for Anti First Amendment.
TCM/TPM is often a business only feature. Consumer motherboards *frequently* don't support it. But full disk encryption programs can, and some do.
In other words, yes, you can totally opt out of buying a motherboard with TPM, including a top-of-the-line Haswell motherboard or an AMD chip, if that's your fancy. But if you buy one, you can also use it as a layer of security for a product like TrueCrypt (I do not know if TrueCrypt specifically supports it, that's just an example). And if you don't want it, you can turn it off.
Stallman is never "worth reading".
GNU/FSF followers remind me of Catholics, no offense intended to either.
While I truly respect your freedom to believe whatever you want,
understand that I can't help from laughing if you walk around with dirt on your face. [wikipedia.org]
Seriously, at least a bindi can look nice.
Buy a computer with TPM already, it's not a sin.
Buy an Apple computer? They haven't had TPMs of any sort for a long time, near as I can tell from the literature.
By disabling it in the BIOS, or if that's not an option, don't install the driver. And since when do Blu Ray discs and Windows need the TPM to be enabled to run?
...why not try these guys? https://www.system76.com/ Desktops and laptops available.
Anti Evil Maid is an implementation of a TPM-based static trusted boot with a primary goal to prevent Evil Maid attacks.
http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html
TPM is normally not included in consumer motherboards. You have to purchase a separate TPM module that plugs into the motherboard's TPM header, and that's assuming the motherboard even has that header in the first place (read the spec sheet). The Asus Z77 Deluxe in this machine, for example, has no TPM header, and thus has no TPM. Newer versions of that motherboard's firmware do include SecureBoot support, but older versions do not. However, that must be manually activated, as it defaults to disabled (and consequently must be re-activated every time you reflash/update the firmware). In addition, custom keys are supported.
TPM requires (for Intel) support from the CPU, and some consumer-level CPUs (notably the K series) lack that support. The extremely common 3570K, for example, cannot use TPM. So in the above case, support is missing at the motherboard level and at the CPU level. The newer Haswell variants (of both) still have the same inability.
is not freedom if you have no clue what to do with it (or what it is in the first place). I used to be obsessed with free software, open source, freedom of this, freedom of that, and then I grew up, got myself a Personal Computer that does exactly what I need it to do, boots up in under a few seconds when it needs to boot up, wakes up from sleep mode in a fraction of a second, and I don't have to reinstall it every two weeks because I tinker with freedom stuff. And do I know what it has inside? No, and I don't care as long as it does what I need it to do (like writing this post on /. or reading your comments, or whatever I want to do with a Personal Computer at home).
There was some interesting research presented at Blackhat that pointed out the problems of using the TPM as a root of trust in your platform: https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf The essence of the research is that the TPM is not adequate as a root of trust in the platform because the code that drives the TPM/does the system measurements resides on a mutable EEPROM (the BIOS flash chip). Therefore any attacker that can gain access to the BIOS flash chip via an exploit (the researchers presented one) or via an unlocked flash chip (see Yuriy Bulygin's related work) can forge the TPM measurements that serve as the root of trust in your system. This is important because software like Bitlocker uses these TPM measurement values to determine whether or not to decrypt your hard drive...
I am more worried about no new laptops with the standard 8-row keyboard which has Ins/Del/Home/End/PgUp/PgDn block.
All manufacturers that had those for business use - i.e. Dell, HP, Lenovo - switched to the new consumer-type layouts, which are much slower for development work.
When this keyboard layout is resurrected, I am buying a new laptop. Until then, I stick to the fastest possible laptop with such a keyboard. Which, at present, is the Dell E6410/E6510.
As far as UEFI and TPM - all of these can be disabled.
In short, never assume a TPM protected scheme is theoretically secure assuming an attacker has the complete system. The private keys and what they are protecting are in there somewhere.
However, the ability for malicious software or remote attackers to circumvent it is greatly reduced. The chance that a hard drive that managed to walk off is usable outside the system it was hosted in is smaller. If you acquire a board and compromise the TPM, the content it protected may be out of reach (depending on how the board was decommissioned, it's likely you get a TPM with either no persistent storage or persistent storage unrelated to the TPM in question).
In other words, the TPM can provide significant risk mitigation. However, they are frequently integrated into a board that can fail in a number of ways. If the key to your dm-crypt storage is sealed to a TPM and the related board fails in a way that you really can't avail yourself of that TPM anymore, you are pretty well hosed if you aren't careful about backups (and in turn, securing those backups, and so on and so forth).
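The sealing behaviour behind the Blackhat comment (measurements taken by code in mutable flash) and behind the dm-crypt backup warning above is easier to see in code, so here is an added example that is not from any poster in this thread: a Python simulation of PCR extend and PCR-bound sealing, using constructed boot components and assumed names rather than a real TPM.

```python
"""Constructed simulation of TPM PCR extend and PCR-bound sealing.
No real TPM is used; the hash chain and the seal/unseal gate mirror how a
dm-crypt/LUKS key sealed to PCR state behaves. All names here are assumed."""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR reads all-zero after reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain) -> bytes:
    """Extend one PCR over an ordered boot chain (firmware, loader, kernel...).
    The value is only as trustworthy as the first link: if the code that
    performs this loop lives in rewritable flash, a modified copy can report
    whatever digests it likes, which is the Blackhat objection above."""
    pcr = PCR_INIT
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr


def _wrap_key(srk: bytes, pcr: bytes) -> bytes:
    # Wrapping key depends on the chip's storage root key (never exported)
    # and on the PCR value the secret was sealed to.
    return hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes, srk: bytes) -> dict:
    """Seal a <=32-byte secret so it is released only under this PCR value."""
    assert len(secret) <= 32
    wrap = _wrap_key(srk, pcr)
    return {"expected_pcr": pcr, "blob": bytes(a ^ b for a, b in zip(secret, wrap))}


def unseal(sealed: dict, current_pcr: bytes, srk: bytes):
    """Release the secret only if the current PCR matches the sealed policy."""
    if not hmac.compare_digest(sealed["expected_pcr"], current_pcr):
        return None  # policy failure: the TPM refuses to unwrap
    wrap = _wrap_key(srk, current_pcr)
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def scenario() -> dict:
    """Walk through the cases discussed in the thread; returns named checks."""
    srk_a = os.urandom(32)             # board A's TPM storage root key
    firmware = b"vendor firmware 1.0 (includes the measuring code)"
    loader = b"bootloader 2.00"
    kernel = b"vmlinuz-3.10"
    good = measure_boot([("fw", firmware), ("loader", loader), ("kernel", kernel)])
    luks_key = os.urandom(32)          # the dm-crypt volume key to protect
    sealed = seal(luks_key, good, srk_a)
    r = {}
    # 1. Unmodified boot chain on the same board: key is released.
    r["normal_boot"] = unseal(sealed, good, srk_a) == luks_key
    # 2. Any component changed (an implant or an ordinary kernel update):
    #    PCR differs, nothing is released. After updates you must reseal.
    changed = measure_boot([("fw", firmware), ("loader", loader), ("kernel", b"vmlinuz-3.11")])
    r["changed_chain_refused"] = unseal(sealed, changed, srk_a) is None
    # 3. Disk moved to another board with identical software: different SRK,
    #    so even a matching PCR yields garbage, not the key.
    srk_b = os.urandom(32)
    r["other_board_useless"] = unseal(sealed, good, srk_b) != luks_key
    # 4. The sealed blob does not hold the key in the clear, so if board A
    #    dies the blob is worthless: keep an offline backup of luks_key (or a
    #    second LUKS keyslot) that does not depend on the TPM.
    r["blob_not_plaintext"] = sealed["blob"] != luks_key
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```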
I've never seen as much misinformation on anything on Slashdot as I have on UEFI.
UEFI does not imply secure boot. Microsoft recently baked secure boot into the most recent UEFI standard, but even if your machine is on that version, you can do a UEFI boot without going through secure boot.
Saying UEFI and secure boot are the same thing is like saying HTML and JavaScript are the same thing. Yes, you usually find one with the other, but they're not the same thing and have different use cases. EFI is actually a pretty great boot system.
If I buy a motherboard with TPM, (1) can I find it by looking for a suspect Infineon part number, (2) can I wreck it - prolonged point contact with a soldering iron, maybe? and (3) will the MB run if the TPM is fried?
Awesome, 111 comments so far and not ONE SINGLE constructive answer to the OP.... Would someone just please answer the man's question and list some current motherboards with no TPM/UEFI hardware? Geez.
VIA makes multicore x86 processors (2 and 4 cores) that don't have trusted computing because of their simplicity. But they still have encryption acceleration I believe is faster and more secure than the competitors'. It works with the disk encryption and home encryption bundled with Ubuntu or Xubuntu, for example. You'll hardly notice a slowdown, on mechanical disk drives at least. It's pretty hard to get hold of a newer VIA processor, I think, though.
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI. You can run it on a system with a BIOS, or on a UEFI system in BIOS emulation. My desktop is set up like that. My motherboard had some issues with UEFI boot as well as my video card, so BIOS mode it is. My laptop did not, so it is UEFI boot (it is faster) though without secure boot, it is just regular ass UEFI boot.
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them. You'd think if you cared so much about privacy and control you'd actually take the time to understand what things do or do not affect it.
The amount of knee-jerk that goes on with this shit is pretty amazing.
That is the point all you TPM-ranters seem to be missing: It is 100% optional to use. In most cases I've seen, it is off by default because people just don't give a shit about it. On my system I go and have a look in device manager and, oh look, there's no "Security Devices" category, which is where the TPM appears if it is turned on. My board either shipped with it off, or without one (I haven't bothered to check in the BIOS) and it is a new Z77 board.
I could see the issue if this was being required, but it isn't. You can choose to turn it off (or more likely to just not turn it on). Then there's no issue.
It really seems like something that some people just want to be a big evil issue so they pretend it is. There's lots of screaming about it, that is backed up by a big lack of knowledge about it. Just chill out, don't use it, and go on.
ITT: A lot of people who don't know what TPM, UEFI or SecureBoot are.
Why? Because buying it will mean that the company doesn't know people don't want it and have no use for it.
Each one sold will be punted as ACTIVE ACCEPTANCE of TPM and trusted computing. Which will mean that the politicians will be told "You won't lose any votes making this compulsory, 9 out of 10 people like it already!!!".
Me? Just not going to buy another computer again.
Most AMD boxes so far don't have TPM, but that's changing. I think the enterprise ones have a module slot. AMD has licensed tech from ARM to put an ARM core in the package for TPM.
http://blog.hansenpartnership.com/
(Scroll down, it's the third blog post down)
Has instructions on how to own your platform. It's not that hard. You first install KeyTool.efi to back up your original shipped keys, then you generate and install your own, and sign an authorization to delete it... then you can toggle between TPM setup mode and user mode at will, and add or remove whatever keys you want. Should take you maybe 20 minutes (and a few reboots) or so if you know your way around a command line.
Personally, when I got a new Windows 8 laptop, this was the second thing I did. (The first one being to install the non-crapware OEM version of Windows 8 onto an external bootable USB 3.0 drive so it's there if I ever really need it for something, but doesn't waste space on my primary drive for the occasional dual boot)... ((PS: to do the latter you need to get your registration key from the last string of /sys/firmware/acpi/tables/MSDM))
---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
an HP with a Socket AM3+
No TPM module.
Mod me up/Mod me down: I wont frown as I've no crown
Help me judge which of you is right.
Alsee says I can't have the keys to the TPM which comes with the computer I buy. You disagree with Alsee. We all agree that if I can have the keys, all would be fine.
So, if I buy a computer with TPM, how would I go about getting the keys?
Not a troll. I really want to know, and I'm sure other Slashdotters would thank you, too.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Well, the best advice I can give is hit up the industrial vendors, BCM etc. Not only do you get a board that's still made with good ol' fashioned lead, they're usually stable as hell and lack a lot of the crap they try and shove on consumers. Problem is that the company will occasionally skip an entire generation; if they had an X58 board I would have bought one in a heartbeat.
FitPC3 do not have TPM module... and do have all other requested features.
I know for sure I've just bought 20 of them.
A machine with it and figure it all out by loading linux on it.
You're going to have to read, but once you learn it all you don't really care if you do or do not have it.
The motherboard in the subject came with a header for installation of a TPM, but no actual TPM, and supports both UEFI and BIOS. Leaving out the TPM seems like a cost saving move rather than a privacy one. [It has a LGA1155 socket, which is being phased out, but it's pretty fast with a Xeon E3-12??v2. ECC monitoring not supported on Linux, if you're interested. I wish there was a chip that was equally fast per core, but with more cores..]
I wouldn't worry about TPMs for privacy or security anyway. There may be a backdoor in TPM, but all it could do is to negate the security of the TPM. There may be other hardware backdoors, but there is currently no way to protect against that. If the CPU had a back door that was triggered by a 128 bit pattern, or a sequence of arithmetic or floating point instructions and operands, this could be delivered over the internet to any host as part of an image file over HTTP, regardless of firewalls, VPNs and virtual machines. [The only solution I can think of would be to implement an emulator which re-maps memory addresses randomly at the byte level, and fudges the operands in calculations (maybe adds a random number to the operands, then subtracts it afterwards)]
I would like the OP to also try to stick with legacy BIOS, just for practical reasons.
I guess that the original poster really doesn't understand what TPM is, and has subscribed to the 'conspiracy theory' brigade. What would be the reason for avoiding the chip altogether, when it is quite possible to disable the functionality?
As a self-confessed privacy freak, I'd love a TPM module in my home machine - sadly I have not located a source of the module at a sensible price. I did, however, have it on an old laptop, and (under linux at least) found its functionality very positive. Then again, it was under a non-commercial OS, and I had full control over it.
What I *don't* understand is UEFI - mainly because I have no hardware to hack with. However, that appears at first glance to be more problematic for me to hack, since it seems only MS are able to sign the bootloader. Not a problem with TPM.
In short, it is not the presence or absence of the chip that the OP needs to think about - it is the software that is installed and used.
It is not what it was once thought to be. Originally, TC/TCM was just supposed to be a secure method for storing crypto keys and a secure method for communication over the bus and processor to enable unbreakable hardware-backed encryption. This would allow not just the operating system, but the user, to securely store keys that couldn't be broken. At this point, after seeing all the NSA stuff, they believe that the public isn't allowed to store information in a truly secured format. They have had the NSAKey installed in Windows since 1998, which has given them backdoor root access to the Windows cryptography service. More recently, they have shown they have the ability to force anyone to include, in secret, secure backdoors and Trojans in software and services just so that nothing is truly encrypted or kept private from the NSA. You will find this in the secret court orders from FISA that have forced disclosure of Internet and phone records, and access to encrypted email and communication over Skype. They now have the ability to break into any system illegally, with the cooperation of the hardware and software vendors. So this is fucking insane - I absolutely believe TCM is unsafe, and likely has a built-in backdoor for the NSA in it. It is not secure, will never be secure, and even if there is no backdoor built in directly, they can force the hardware and software vendors into turning over keys and other sensitive information that belongs to you or that you think is protected by TCM. What I think is really happening with TCM is that it is being deployed to control user-end data in a controlled, non-secure, fake-secured encryption scheme. It has to be government approved, and there HAS to be ties to the NSA for them to approve it. At this point I think that these assholes want to lock down computing, and their goal is to have Trojans and remote control capability of all machines with this system.
TCM is going to be a way to prevent hackers from bypassing their security, and to prevent us from running our machines and code the way we want. It is most definitely a huge risk having a system with TCM, and once it is mandated in all machines, you will have no security on your box any more from the NSA. http://www.washingtonsblog.com/2013/06/microsoft-programmed-in-nsa-backdoor-in-windows-by-1999.html
By the way, there are already exposed backdoor CPU modes on AMD processors. When we first uncovered this in 2010, we thought it was just a debug mode. But it was likely, and could have been, a secret NSA/government backdoor that allowed code to bypass the kernel and system function on all our systems. It allows code to elevate privileges and bypass all hardware and software security features. It exposes additional registers and hardware features already built in place for running code alongside other code on x86 CPUs. It gives full root access, without them knowing your password. All I can say is this whole scam has NSA all around it. http://hardware.slashdot.org/story/10/11/12/047243/hidden-debug-mode-found-in-amd-processors
TCM should be considered a compromised hardware feature that works against the public's interest. There is no way to verify if it's safe or not, because the NSA isn't going to disclose anything about it, and the hardware vendors and software vendors aren't going to disclose anything about it. It is never going to be disclosed, and I bet NSA and court orders are in place that prevent it. A feature this crucial to computing has all the signs of being a crucial component of NSA spying; this is exactly the type of thing they have control over. I am sure most of what they do with it will be nefarious as usual. http://www.oregonstatehospital.net/d/story.html#nsa
Even long ago in the days where 802.11 was standard, HP required their branded wifi cards (even though they're all mini-PCI, which is supposed to be a standard). I picked up a non-HP 802.11g card to replace the craptastic Broadcom my laptop came with and it bitched immediately upon boot that it was a non-supported card.
The only way I could upgrade was by installing an 802.11g card from another HP model (sadly, also a Broadcom, but at least a bit faster).
What's wrong with F2P games? As long as you can access the core game functionality without needing to buy "items" then it's actually a good model. Much better than shit like EA crams out, where you pay $60 for the game, which turns out to be cut down with 0-day paid DLC for the rest of the content or item buys required to avoid getting ganked repeatedly because you don't play 24/7 and/or grind to stay competitive.
I've been enjoying games like DOTA2 (my friends also like LoL but it seems not as polished to me). Free to play, and I don't need to buy a funny hat or shoes in order to enjoy the game and/or be competitive.
While Dell does use branded WiFi components, they also have bog-standard Intel adapters as a higher-end option.
TPM in Portuguese means the same as PMS in English. It's very funny to read lots of comments about motherboards with TPM.
1. Doesn't matter if you can turn it off or put in your own keys. OS vendors like Microsoft and hardware OEMs that have it in their systems have master keys that can revoke your personal ones.
2. Can't fight it either, as every CPU and hardware manufacturer is in the TCG.
I guess I'm trying to cut to the essence of the question: can I get my keys? How can I get my keys?
To clarify: The aspect on which BIOS4breakfast and Alsee disagree is that the former feels that there is not a restriction on obtaining keys as long as they are not obtained from the TPM module, whereas the latter feels that the restriction covers non-TPM aspects as well. Alsee says: "The moment they ... give owners the option to buy chips that come with a printed copy of the keys, then I will [proclaim] that Trusted Computing is wonderful ..." This is the point of contention, and the aspect on which I am focusing.
I guess I should have been more explicit: "Alsee says I can't have the keys to the TPM which comes with the computer I buy, EVEN THROUGH NON-ELECTRONIC MEANS. You disagree with Alsee. We all agree that if I can have the keys, all would be fine."
In the end, it doesn't really matter who agrees with whom where. I want my keys. How do I get them?
Chromebooks are equipped with TPM.
This thread has gone off track. Can we agree on the best platform for different businesses?