David G. Koontz writes:
> There are third party TPM modules, which could allow some degree of
> standardization:
>
> http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201&news_cate=News&news_sub_cate=Product
>
> The IEI TPM module is used in their own motherboards and some VIA
> motherboards. They actively market the pluggable modules. Thinkpads
> appear to use a different connector:
> https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
> 30 pins instead of 20 pins.
It seems odd for the TPM of all devices to be put on a pluggable module
as shown here. The whole point of the chip is to be bound tightly to the
motherboard and to observe the boot and initial program load sequence.
Any steps to decouple the TPM and facilitate separating it from a
motherboard will only make attacks on its security model easier and make
the chip less useful for its stated purpose.

The idea of putting a TPM on a smart card or other removable device is
even more questionable from this perspective. A TPM which communicates
via an easily accessible and tamperable bus is almost useless for the
security concepts behind the Trusted Computing Group architecture. (The
exception might be if there were additional hardware to encrypt the bus,
but that is not part of the standard spec.)

The other direction that has been mentioned, putting the TPM onto the
CPU die, would make more sense for security, but I don't know of any
chips that actually do that. However, with the future trend towards
increased CPU parallelism and the addition of extra cores for additional
functionality, it would seem to be a natural extension, if TPMs catch on.
I tried hunting through the TCG specs to see if they say anything about
this, but it's a maze. Eventually there is supposed to be a Platform
Conformance Credential which certifies that a particular platform (e.g.
motherboard + associated chips) satisfies some criteria and has gone
through a certification process. But I couldn't find anything specific
about what security features a "trusted platform" is supposed to have.

The "TPM Design Principles" doc says:
https://www.trustedcomputinggroup.org/specs/TPM/Main_Part1_Rev94.zip
> 11.2 RTR to Platform Binding
>
> Start of informative comment
>
> When performing validation of the EK and the platform the challenger
> wishes to have knowledge of the binding of RTR to platform. The RTR
> is bound to a TPM hence if the platform can show the binding of TPM
> to platform the challenger can reasonably believe the RTR and platform
> binding. The TPM cannot provide all of the information necessary for
> the challenger to trust in the binding. That information comes from the
> manufacturing process and occurs outside the control of the TPM.
>
> End of informative comment
>
> 1. The EK is transitively bound to the Platform via the TPM as follows:
> a. An EK is bound to one and only one TPM (i.e., there is a one to one
> correspondence between an Endorsement Key and a TPM.)
> b. A TPM is bound to one and only one Platform. (i.e., there is a one
> to one correspondence between a TPM and a Platform.)
> c. Therefore, an EK is bound to a Platform. (i.e., there is a one to
> one correspondence between an Endorsement Key and a Platform.)
Here, the RTR is the Root of Trust for Reporting, aka the on-chip
Endorsement Key (EK) which the TPM uses to sign platform and software
configuration info as part of its Remote Attestation capability.

This text would seem to argue against a removable TPM.

Here's a quote from one of the PC-related specs:
https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PCClientImplementationforBIOS_1-20_1-00.pdf
> 1.2.12.1.2 Binding Methods
> Start of informative comment
>
> The method of binding the TPM to the motherboard is an architectural
> and design decision made by the respective manufacturer and is not
> specified here. There are two types of binding: physical and logical.
> Physical binding relies on hardware techniques while logical binding
> relies on cryptographic techniques. The nature and strength of each
> method is defined by the TPM's or the Platform's Protection Profile.
>
> Example:
>
> The TPM is a physical chip soldered to the Host Platform. Here the
> Endorsement Key is physically bound to the TPM (it's inside it) and
> the TPM is physically bound to the Host Platform by the solder. The
> required strength of each binding is determined by the Protection
> Profile.
>
> End of informative comment
So this would allow a removable TPM, but it has to be "logically" bound
to the motherboard via cryptography, presumably something like an
encrypted bus.

As Peter Gutmann noted, most TPM systems are relatively expensive
business laptops where the chip is sold as a security chip, although in
practice it doesn't do much. Possibly with Vista's BitLocker disk
encryption we will see more use of TPMs. I saw the other day that
Microsoft was about to make BitLocker available to home users (it's only
in the high-end Vistas now) but changed their mind at the last minute.

Hal Finney
The Cryptography Mailing List
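A challenger-side model of the transitive binding in section 11.2 quoted above (EK -> TPM -> Platform), added here as an illustration and not code from the post or from the TCG specs. It stands in for the vendors' signed credentials with HMAC over per-issuer secrets (the real credentials are certificates signed with asymmetric keys); the TPM and platform serials are constructed values, and the check shows why a TPM module moved to another board fails link (b).

```python
import hashlib
import hmac
import json

# Constructed stand-in for the TPM vendor's and platform vendor's signing keys.
# Real Endorsement and Platform Credentials are X.509 certificates; HMAC is used
# here only so the example runs with the standard library.
ISSUER_SECRETS = {
    "tpm-vendor": b"constructed-tpm-vendor-secret",
    "platform-vendor": b"constructed-platform-vendor-secret",
}

def sign(issuer, fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_SECRETS[issuer], body, hashlib.sha256).hexdigest()

def issue(issuer, fields):
    return {"issuer": issuer, "fields": fields, "sig": sign(issuer, fields)}

def verify(cred):
    return hmac.compare_digest(sign(cred["issuer"], cred["fields"]), cred["sig"])

def endorsement_credential(ek_id, tpm_serial):
    # Link (a): one EK corresponds to exactly one TPM.
    return issue("tpm-vendor", {"ek": ek_id, "tpm": tpm_serial})

def platform_credential(tpm_serial, platform_serial):
    # Link (b): one TPM corresponds to exactly one platform (the board it was
    # manufactured with). This fact is asserted by the platform vendor, not by
    # the TPM itself, which is why the TPM alone cannot prove the binding.
    return issue("platform-vendor", {"tpm": tpm_serial, "platform": platform_serial})

def ek_bound_to_platform(ek_id, platform_serial, ek_cred, plat_cred):
    """Link (c): accept the EK for this platform only if every link verifies."""
    if not (verify(ek_cred) and verify(plat_cred)):
        return False
    if ek_cred["fields"]["ek"] != ek_id:
        return False
    # The TPM named in the Endorsement Credential must be the TPM the platform
    # vendor credentialed for this board; a pluggable module from another board
    # carries a different serial and breaks the chain here.
    if ek_cred["fields"]["tpm"] != plat_cred["fields"]["tpm"]:
        return False
    return plat_cred["fields"]["platform"] == platform_serial

# Constructed scenario: board A shipped with TPM T1 (EK1); board B with TPM T2.
EK1_CRED = endorsement_credential("EK1", "T1")
BOARD_A_CRED = platform_credential("T1", "BOARD-A")
BOARD_B_CRED = platform_credential("T2", "BOARD-B")
```

Calling `ek_bound_to_platform("EK1", "BOARD-A", EK1_CRED, BOARD_A_CRED)` accepts the as-built board, while the same EK presented for `"BOARD-B"` with `BOARD_B_CRED` (a T1 module plugged into board B) is rejected.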