Slashdot Mirror
Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module(TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing,.
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or propitiatory pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result if you get a system with a unsupported wifi card you can't replace it- or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.
ThinkPenguin's been working with the free software foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix. Particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell for example).
TPM is normally not included in consumer motherboards. You have to purchase a separate TPModule that plugs into the motherboard's TPM header, and thats assuming the motherboard even has that header in the first place (read the specsheet). The Asus Z77 Deluxe in this machine for example - has no TPM header, and thus has no TPM. Newer versions of that motherboard firmware does include SecureBoot support - but older versions do not. However that must be manually activated, as it defaults to disabled (and consequently must be re-activated every time you reflash/update the firmware). In addition, custom keys are supported.
TPM requires (for Intel) support from the CPU - and some consumer level CPUs (notably the K series) lack that support. The extremely common 3570K for example - cannot use TPM. So in the above case, support is missing on the motherboard level, and on the CPU level. The newer Haswell variants (for both) still has the same inability.
As usual, people fear what they don't understand.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Lets make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of they keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone:
Just say "I want my keys", NO KEYS, NO SALE
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
mean while, you can run Windows 8 on any Pentium 4.
Actually no you can't. Windows 8 unlike Windows 7 requires PAE, NX, and SSE2. NX was introduced into later Pentium 4 Prescott models, but not earlier Willamette and Northwood models. Win 8 Betas did run on these platforms, but RTM will refuse to install on them.
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center:
"Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.