TPM to End Piracy

Ha ha ha ha. Famous last words from Atari founder Nolan Bushnell:

"There is a stealth encryption chip called a TPM that is going on the motherboards of most of the computers that are coming out now," he pointed out

"What that says is that in the games business we will be able to encrypt with an absolutely verifiable private key in the encryption world -- which is uncrackable by people on the internet and by giving away passwords -- which will allow for a huge market to develop in some of the areas where piracy has been a real problem."

"TPM" stands for "Trusted Platform Module." It's a chip that is probably already in your computer and may someday be used to enforce security: both your security, and the security of software and media companies against you. The system is complicated, and while it will prevent some attacks, there are lots of ways to hack it. (I've written about TPM here, and here when Microsoft called it Palladium. Ross Anderson has some good stuff here.)

Posted on May 29, 2008 at 6:33 AM • 50 Comments

Comments

Stephan EngbergMay 29, 2008 7:03 AM

I agree that TPM is not going to stop piracy.

The problem is that in the process it will destroy privacy, security and block innovation, by giving manufactures controls of technology usage.

You don't get more secure by getting more controlled, subjected to more surveillance or loose the right to choose what is on your computer.

If anybody hasn't seen the video on Trusted Computing, it is a fantastic example of online communication.
http://www.lafkon.net/tc/

The problem is that we need better security, but those that make it, make it to control users, not to secure them.

blahblahMay 29, 2008 7:54 AM

Ignore the previous 27,358 failed attempts at ending piracy using technology. #27,359 though....that will be a winner.

Ralph BroomMay 29, 2008 8:23 AM

Bruce Potter made a call several years ago for the open source community to experiment with the TPM and find its OWN uses for it. It is, after all, a very interesting piece of technology. I think his concern was that if we (the users) don't use it for our own purposes (as well), it would be primarily used against us.

HW hackerMay 29, 2008 8:23 AM

I like the idea of some hardware supported PC security. I hate TPM.

Will Linux uses be allowed to use it without paying huge fees? No. Will malware companies still get "keys" sold to them. Yes.

All it will do is decrees reliability.

Its a real missed opportunity by the industry.

PaulMay 29, 2008 8:23 AM

1. Many people who casually pirate software for their own use probably would not have spent the money on buying it anyway; they'd have done without it first. Bear that in mind next time Microsoft/RIAA/MPAA/whoever complain about losing millions of sales to piracy.

2. The people who pirate software for profit will always find a way around any protection, because it's worth their effort.

3. So will the crackers who enable #1, because there's nothing like a challenge to get them fired up.

4. Instead of spending time and money on yet more ineffective protection, spend it on making the games WORTH BUYING! Maybe #1 would be less of a problem then.

SupporterMay 29, 2008 8:38 AM

@HW hacker,

Why do you hate TPM?

> Will Linux uses be allowed to use it without
> paying huge fees? No.

Sorry, you have lost me there. You have probably already used a system with an embedded TPM, therefore clearly Linux users can already use the TPM without huge fees! (Of course, software needs to be written, but that is true of any hardware)

> Will malware companies still get "keys"
> sold to them. Yes.

Which keys? The TPM's secret key? Probably. But it shouldn't take long to discover which keys have been leaked. If 'secret' key x (hence TPM associated with secret key x) starts making an unusually large number of requests, don't trust that TPM! Hell, you could even search for published keys yourself.

> All it will do is decrees reliability.

How? (Do you mean: you may not be able to use service xyz because they don't trust your configuration? That's not decreased reliability. That's an issue with the application provider)

> Its a real missed opportunity by the industry.

I think the industry is working hard (and spending lots) to ensure this doesn't happen.


I agree that using TPM for DRM is a bad idea. However, there is another side to TPM - I can give a remote server a cryptographic guarantee that I am running configuration x. The remote party can then make its own decision as to whether to trust me based my software configuration. (Okay, in practise, this doesn't all work out just yet, but in theory this is a nice idea)

FabberMay 29, 2008 8:45 AM

With homebrew devices like Fab@Home, we should start making our own hardware and trading design documents. It's time to put an end to black box computing forever with everyone collaborating on hardware in their homes.

But corporations and governments will likely shut down Fab@Home production and make it illegal, should it become popular.

bobMay 29, 2008 8:51 AM

I'm glad I don't have kids. Cockroaches will take over the world within a decade or two; and rightfully so - they're smarter than humans.

JoeHonkieMay 29, 2008 9:12 AM

There's a lot of good uses for the TPM, but mostly Bushnell is a past his prime idiot who hasn't done anything useful in the gaming world in ages.

One thing that PC game companies are finding out is that while users of software like Photoshop are willing to jump through a few hoops reregistering their stuff on a new computer, PC gamers aren't. It's ok to lock something to an internet verified user account (see Steam, and provided that software can still be used online), but go too hardcore and people will yell at you or buy it on a console.

See what happened when EA was planning on having Mass Effect connect to the internet to reverify your key every few days and cut you out if it couldn't contact the server. That got shot down really quick.

StineMay 29, 2008 9:17 AM

@ Ralph Broom

Right. TPM is a good security base if the owner of the PC has the private key. Otherwise, it's junk.

p0LyeSt3RMay 29, 2008 9:24 AM

"4. Instead of spending time and money on yet more ineffective protection, spend it on making the games WORTH BUYING! Maybe #1 would be less of a problem then."

I think this is the best comment i read. But there is still people that steal pens.

Garrett G.May 29, 2008 9:40 AM

TPM is a good idea when used in conjunction with disk encryption software, allowing for the pre-boot integrity checking and for the convenience of entering a PIN, vs an obscure password, USB key, etc.

The "scary" consequences don't sound very likely to me, but if you're concerned, why not just turn it off in the BIOS?

FPMay 29, 2008 9:43 AM

An uncooperative TPM chip is nothing that a virtual machine can't fix.

HW hackerMay 29, 2008 9:44 AM

@Supporter

I don't need a system that M$, Sony or any other big company can trust. I need a system *I* can trust. The trust relationship is the wrong way round.

And as for "fees" with Linux. How many *legal* DVD playback programs are available for Linux? Even implementing CSS requires very high fees. This will be no different.

The other side of TPM is is not in this implementation of TPM. You are paying the money and are part of the consortium. Or you are out of the loop.

@Paul

If the games are so bad. Why do they go to the effort of downloading the illegal versions in the first place.

DoubtingTMay 29, 2008 9:47 AM

@ Supporter

> Sorry, you have lost me there. You have probably already used a system with an
> embedded TPM, therefore clearly Linux users can already use the TPM without
> huge fees! (Of course, software needs to be written, but that is true of any
> hardware)

And you won't get an API to the h/w without paying for it. And reverse engineering it will be prevented by the DMCA. So if any distro wants to support the TPM, they'll have to pay whatever the going rate is.

"Trustworthy Computing" doesn't fit well with the open source model.

derfMay 29, 2008 9:48 AM

Game companies are rather stupid, especially when it comes to copy "protection". Unfortunately, the PC gaming industry has a history of releasing half baked software, and copy protection just makes it worse. This stuff cripples the game performance, breaks the game software so it won't run, installs a rootkit, inventories your PC and refuses to run if it finds certain registry keys, destroys your hardware, cripples your CD/DVD drive, and/or calls home to tell the game company (or copy protection vendor) all about you and your installed software. When your paid for software behaves like this, why worry about malicious software?

It's no wonder most folks with any knowledge of their system immediately go online to find a way to defeat the copy protection once the game is installed. I know some folks that won't buy a game until there is a crack for it.

HW hackerMay 29, 2008 9:54 AM

@derf

Supcom was about 3x slower with the copy protections on as just one example. Then theres was Battle for middle earth 2. Can't even play a lan game with 2 fully licensed games. (key gen anyone?)

Thats the last game I will pay for.

HW hackerMay 29, 2008 10:00 AM

@FP

Thats the point of a hardware solution. It can tell the difference......


on my previous post the is should read "without 2 fully ...."

PaeniteoMay 29, 2008 10:16 AM

@HW hacker: "And as for "fees" with Linux. ..."
@DoubtingT: "And you won't get an API to the h/w without paying for it. And reverse engineering it will be prevented by the DMCA. So if any distro wants to support the TPM, they'll have to pay whatever the going rate is."

Here is your free linux driver:
http://tpmdd.sourceforge.net/
http://sourceforge.net/projects/tpmdd
http://sourceforge.net/projects/trousers

Also see:
http://lwn.net/Articles/144681/
https://www.trustedcomputinggroup.org/specs/TPM/

SupporterMay 29, 2008 10:19 AM

@HW hacker,

> I don't need a system that M$, Sony or any other
> big company can trust. I need a system *I* can
> trust.

Good point. And how do you trust your machine at present? Would http://trousers.sourceforge.net/grub.html help? How do you ensure that the machines connecting to your network are trusted? (You may trust your own machine, but you probably can't trust your {son,daughter,souse}'s machine).


> And as for "fees" with Linux. How many *legal*
> DVD playback programs are available for Linux?
> Even implementing CSS requires very high
> fees. This will be no different.

CSS is based on a proprietary algorithm. As far as I am aware the TPM has not been developed in such a closed manner. All the algorithms which it uses are public domain (and hence have proven their worth over the years).

DoubtingT writes:
>> And you won't get an API to the h/w without
>> paying for it. And reverse engineering it will
>> be prevented by the DMCA. So if any distro
>> wants to support the TPM, they'll have to pay
>> whatever the going rate is.

This is more likely. But I would like to rephrase what you have written: A software implementation of the API won't be available without paying for it. The API itself (as a paper document) is already available: https://www.trustedcomputinggroup.org/specs/TPM/ (not that I understand it!) Hence the Open Source community needs to develop its own software implementation in order to make use of the TPM without reverse engineering. This will be difficult without being a member of the TCG, as I suspect the specs are ambigious and difficult to read, but not impossible.


(These are interesting points, thanks for the response)

Clive RobinsonMay 29, 2008 10:23 AM

The real problem with TPM is total lack of transparacy to or control by the user therefor they cannot trust it (by definition).

In it's current form you as the computer user have to blindly trust the TPM manufacturer / owner or compleatly forgo any of it's (supposed) benifits. Basicaly it's an all or nothing senario currently although technicaly there is no real reason it should be (side channel issues permitting).

When the current form of TPM is active you can not run any other code other than that signed by the TPM owner. So you cannot (in theory only) examine what is happening on your system nore can you prevent signed code from doing what it pleases.

Further when DRM and TPM are tied together which is the most likley senario then you can nolonger own anything on your computer just borrow it at the whim of the owners of either the DRM system or any other paid up member of the TPM owners clique.

Allthough TPM does have some advantages the industry is never likley to be in a postition where you as a computer owner will be able to dare risk using it your liability would be way to high.

One of the many scary aspects of the current TPM is it's functionality as the "ultimat roorkit". That is the ability of the TPM owner or one of their clique to almost invisably re-write history.

This is simply by denial of access to, the replacment of or the creation of false data in a way that you the user have no control over, and potentialy have no way to prove is / has happened.

As we move into the true "digital age" just about everything will be in digital form mostly on fully mutable storage. TPM will prevent you ever getting real low level access to the storage so you will not be able to show that what you thought you had was now gone (except possibly by meta evidence).

Further you will not be able to show it has been changed even if you have a hard copy as who will belive you, it will be easier for them to belive you have forged your hard copy.

Even if the storage is not mutable it may well be impossible to get access to the real data stored on it. As the TPM program can chose under direction of it's owner (not you the user) to not register it at the presentation or lower layer in a way that alows you to be aware of it's existance.

PaeniteoMay 29, 2008 10:40 AM

@Clive: "In it's current form you as the computer user have to blindly trust the TPM manufacturer."
Which is true for every single piece of hardware out there, not just a TPM.

"When the current form of TPM is active you can not run any other code other than that signed by the TPM owner."
Which is wrong.
You may be talking about some ways that Microsoft considered when planning their Palladium infrastructure.
But please inform yourself about what a TPM can and cannot do. It simply has no capability to prevent code execution whatsoever.
An operating system may choose to terminate applications that it cannot verify by TPM, yes.

"One of the many scary aspects of the current TPM is it's functionality as the "ultimat roorkit"."
Even more FUD. TPM has no functions to hide applications on your system or for anything else that is commonly attributed to a 'rootkit'.
Again, you might have chosen to install an operating system which allows these things.

Blaming TPM for software abuses is like blaming Intel/AMD for the capability that their CPUs can execute viruses.

If you don't want that your OS abuses a TPM to do things that you don't like, then, by any means, install a different OS..!

KaukomieliMay 29, 2008 11:05 AM

Rant:

I happen to be the owner of an notebook with TPM (dell latitude d630). It was meant to work in conjunction with the fingerprint reader so I could use full-disk-encryption with preboot-authentication.

I decided to test this thing before reinstalling with FDE and it turned out to actually decrease security. Not only would even a good swipe sometimes return a "user not found", when the system starts up the default setup was to login automatically (what about getting coffee while booting up?). The password-safe was open all the time, allowing to "fill in and go on" for everyone with access to my notebook (usually it is locked when I am not there, but even I forget this sometimes...).

But the best part is, that the logon-dialog does not allow fingerprint-authentication when ctrl+alt+del is pressed to quickly after the instruction to do so appears. The chip-response-time is horrible, etc. etc.

TPM is not ready for the market - and as the goal is not security-for-the-customer this will not get better.

Thanks for staying with me - and stay away from Dell notebooks with fingerprint readers.

2selloutMay 29, 2008 11:29 AM

Most commercial security is just a sellout game, like an auction.
Follow the money incentives.
Follow the power deals and potential for whatever.
Follow the yellow brick road. Or is it the green road? Was the castle silver? What about them poppies?

TPM to end Piracy? Piracy to end TPM? A little flip, a little clip, and off we go, just like alcohol during the Prohibition era!

alanMay 29, 2008 11:47 AM

Bushnell should know better.

Back in 80s, when coin-op video games were king, they used a similar system for preventing piracy of video game hardware.

It did not work.

Physical access to the hardware will beat any form of copy protection every time, given time and desire.

He should know better.

John CampbellMay 29, 2008 12:12 PM

TPM has been waved around as a way to enforce digital "rights"... but the question that those trying to sell it to us try to avoid answering is "for who?"

The next big Windows will probably be married to the TPM chip (to ensure that the copy you are running is correctly licensed, probably) in order to ensure that you cannot install Linux on the hard disk (or make it as difficult as possible for the "regular Joe"). That it will also be in bed with the big Studios and Record companies is a given.

I can almost see this being legislated to make sure that "terrorists and child pornographers" can be traced.

Every step to "increase security" only increases the security of the current "powers that be" rather than to the society as a whole.

That fence people want to build along the Mexican border may be very good at keeping us *in*, too, you know. Talk about multi-use technology...

a.May 29, 2008 1:00 PM

If that encryption actually worked, US government would not allow it to be sold. So if they allow it to be sold, there is an easy exploit and a government backdoor.

AlanMay 29, 2008 2:49 PM

In effect, the TPM is just like a USB security key, except it is soldered onto the system board instead of being plugged into the USB port. It has a public/private key pair, password-protected storage registers, some internal cryptographic functions, and an API. In most machines today it is sitting idle. There are a variety of useful things the computer owner might decide to do with it, just as you might find a reason to buy a USB security key.

Once someone "takes ownership" of the TPM (by setting a password through the API) they control the TPM. They can then store secrets in the TPM that cannot be accessed without the password. Those secrets can be used (internal to the TPM) to verify hashes of software, signatures, handshakes, etc. Even with possession of the password, the private key cannot be extracted through the API.

The TPM is not evil. It is possible for the operating system to use the TPM in ways not in the owner's interest. If Microsoft does that kind of thing, just don't buy their operating system. There are alternatives.

Jeff MossMay 29, 2008 3:07 PM

not a.,

RIM is a Canadian company, what they did is not secret, that it was possible is not a secret, and there is no backdoor. RIM is sharing certain keys due to a business decision, not a secret spy intervention.

Do you think the "US Government" is so on the ball they have their fingers in every possible application that uses crypto? That they can somehow prevent the release of these products if they are secure, and not have the developers cry fowl or sue?

SumDumGuyMay 29, 2008 4:31 PM

There seems to be some confusion between what a TPM does and what someone can do with what a TPM does.

Ignoring the ideological issues regarding what someone can do with a TPM -- for good or bad, it seems to me that TPM is doomed to fail because any software built on TPM is only as secure as the software's own bugs.

In other words, the fancy DRM schemes and the fancy anti-malware schemes all fall apart if any of the software in the chain of trust, even just incidentally in the chain can be exploited to do things unintended by the authors.

For example - take the infamous firewire hack - the memory on just about any PC with a firewire port can be accessed directly via DMA transfers to and from firewire. So a "secure" OS that has been authenticated via TPM-based protocols can be modified in place to do new and surprising things and short of spending literally every available cpu cycle scanning through RAM to see if the OS's cryptographic signature has changed, nothing on the TPM-enabled system would be able to tell that it had been compromised.

KanlyMay 29, 2008 6:11 PM

> Game companies are rather stupid, especially when it comes to copy "protection"

I always get the No-DVD crack - yes - for the games I buy. Otherwise these idiots expect me to keep their DVD stuck in my DVD drives, risk scratches when I swap it, losing it, etc. It's pure idiocy, and the only people it hurts are the legitimate users. These schemes are getting more and more complicated - they now ban virtual drive programs - which are themselves very useful. But the crackers always crack it.

Very few game companies have woken up to this: Oblivion and Sins of a Solar Empire who said (summarized) "Let's ignore pirates and go make a great game people will want to buy"

Meanwhile Microsoft sits around inventing pretty skins and more DRM for the next version of windows: Idiots.

2buildexploitsMay 29, 2008 9:33 PM

To Jeff Moss @ 3:07 reply, re: US goverment or other powers, on the ball backdoors crypto. My answer: yes. History of lots of crypto being [ fill in the whatever ] Tons of flawed code. 'Word is,' don't write great crypto or get pressured, easy in todays world. Good crypto code is worth a lot, people do pay $.
Software crypto runs in a quicksand environment, ie, it sucks. NSA stated policy is that not worried about it.
TPM has some weird things with how it really works on some laptops. Got to be some interesting exploits...but with the DMCA and all the heat around TPM, not much real talk.
You got to love the LACK of paranoia here, very telling...
Good intel collection...todays blog world. Very telling indeed.

HW hackerMay 30, 2008 5:47 AM

@Supporter

CSS is not on its own illegal. The secret keys with CSS is (in the USA anyway).

TPM needs keys. To get your key signed for say a bluray player in linux is going to cost more than free. To add to this all applications that are running need to be "safe" ie. verified OK BY M$/Sony/etc to have running at the same time when you watch a bluray disk. Linux itself will need to be signed so that its considered "safe". Again this sig will not be free.

Putting in your own keys etc is worthless for a normal use computer for this sort of thing. Unless its the keys that you need for the bluray disk. The disk is a coaster.... THESE KEYS ARE NOT FREE. Permission to use these keys is not free. And even after all that the TPM can refuse provide the session keys because something else is not signed/approved.

I cannot even do a virus scan on what sony/M$ decides they need to install (aka sony rootkits). Trusted computing is about M$/Sony etc trusting your hardware to do what THEY tell it to do. Or ELSE. Read the fine print in M$ media player!

That is not an improvement in security. Pointing out that security is hard without TPM is not the same as saying TPM improves over the status quo. Thats a straw man.

Now lets get to the real crazy part. The individual TPM chip can be identified. When you buy a movie from say Disney its *signed* to *that* chip. It won't work on a different machine.

Lets not forget the privacy implications as well.

Clive RobinsonMay 30, 2008 7:57 AM

There appears to be some confusion about TPM and how to look at it. Broadly there are four basic normal use "TPM" viewpoints,

1, Hardware : just the chip and it's capabilities.
2, OS-designer : designer of a TPM-OS
3, App-designer : designer of apps to run on TPM-OS.
4, Normal User : who has a TPM-OS with TPM-Apps installed.

There are additional view points such as that of a person researching TPM and DRM systems however they are not what would be considered "normal use" viewpoints.

After the implementation of a mass market TPM-OS and TPM-Apps the majority view of TPM-System will be that of the normal "users" (4). Which will be based on what problems the overall TPM-System causes them, the ordinary user will not see any benifits of TPM-Systems, only problems.

This is becauses when a TPM-System is running correctly it should be "invisable " to the user, in the same way as DNS and routing protocols.

On re-reading my earlier post (at May 29, 2008 10:23 AM) I realise I did not make it clear which view point (4) I was arguing from.

In mitigation ;) I will blaim the fact that I was posting from a mobile phone whilst waiting in a hospital for minor surgery.

Curiously in the UK Hospitals appear to have given up the battle on mobile phone use 8) but saddly not on laptops yet 8(

@ Paeniteo,

"@Clive: "In it's current form you as the computer user have to blindly trust the TPM manufacturer."
Which is true for every single piece of hardware out there, not just a TPM."

First off you did not quote me correctly you left the "/ owner" off, and secondly what you say is not quite true in a TPM-System.

In a non TPM-System a user can load or enable additional software as and when they see fit. If sufficiently knowledgable they can even "roll their own", in a TPM-System this will be at best problematical (ie they will have to follow the route laid out by the "chosen few / clique").

Further if the software is to help diagnose problems (say Soft-ICE at one end through to Dr Watson at the other) it will most definatly have to be approved by the TPM owner (ie the OS in current TPM systems) before it is allowed to execute.

The whole point of TPM from the viewpoint of "OS wide DRM is an absolute necessity" is to stop the use by others than the "chosen few" of software that runs at a sufficiently low level it would enable the DRM to be examined / circumvented.

If you take the viewpoint that "content is king" then the viewpoint of the main "content" providers will dictate the direction of the design of a TPM-OS that the "content" will be allowed on by it's providers.

Therefore if the TPM Manufacturer does not fully disclose the API except to the "chosen few" then "clean room" "reverse engineering" will not be possible. Which has been the route used in the past by some device driver writers who were not part of the manufactures "chosen few". Also the same route for those developing VMs and emmulators such as WINE etc.

The above covers most of your points in that you are looking at the "hardware level" and I was looking at it from the viewpoint of a user of a TPM-System.

Which bings me on to your final comment,

"If you don't want that your OS abuses a TPM to do things that you don't like, then, by any means, install a different OS..!"

That sadly is an argument equivalent to "If you have nothing to hide you do not need secrecy".

As Bruce once pointed out on this blog he uses a Microsoft Operating System and various people gave the "yah boo sucks" response. To which Bruce and others gave valid reasons as to why they had to use MS OS's which boils down to,

Often your chocie of OS is dictated by the application you wish to use or the wishes of others for such important reasons as compatability.

@ALL

At the hardware level TPM fully outside of the CPU is an "evolutionary dead end" for things like DRM.

This is because it will always be possible to find ways around it by sufficiently skilled people, often with quite minimal resources as has been demonstrated on more than one occasion with games consoles.

Further even if TPM is fully in the CPU, if the system memory (RAM / Cache / Storage) remains outside and it's contents are not uniquely encrypted for the particular CPU then it likewise will be possible to find ways around it.

Even then I suspect it will always be vulnerable to various attacks due to the use of poor crypto (ie week algorithum or bad implementation) or to "side channel" attacks that will reveal "secret information" such as session keys etc.

The reason that usable "side channels" will always be there in mass produced equipment is quite simple due to there requirements on "efficiency" with respects to "utility and resources".

To build an system without the potential for side channel use means that you have to reduce the potential bandwidth of any side channels (known or unknown) below that which "secret information" could be passed in a usefull time frame (the effective life of the product for consumer equipment).

The measures required to do this have two downsides,

1) they impose such significant restraints on a system that it is functionality is inversly proportional to it's utility (that is it only works for single use products with extreamly limited utility and interfaces such as crypto equipment)

2) they mandate the use of resources vastly dispreportionate to the systems purpose (that is the cost is so high it can only be justiffied for specialised high security applications).

Both of which are not going to happen in mass consumer items without draconian incentives (ie legislation).

SupporterMay 30, 2008 9:02 AM

@HW hacker

> TPM needs keys.

The TPM has a single endorsement key signed by the manufaturer. The TPM can be used to store additional keys and is also able to create its own keys.

> To get your key signed for say a bluray player
> in linux is going to cost more than free.

This has nothing to do with the TPM. This is an application level issue. As has been argued in this thread, one would hope content providers start providing content without DRM restrictions, they don't work and they annoy legitimate users.

> To add to this all applications that are running
> need to be "safe" ie. verified OK BY
> M$/Sony/etc to have running at the same time
> when you watch a bluray disk.

Again this is an application level issue. Moreover, personally I can envisage a situation where every application runs in its only virtual space, hence to avoid the issue you describe you can simply run multiple virtual spaces.

> Linux itself will need to be signed so that its
> considered "safe". Again this sig will not be free.

Sorry, you have lost me again. What do you mean by signature? The TPM can assert to the system's software configuration. Obtaining this value is free. Whether someone (i.e. Sony) is willing to trust such a platform is another question.


> That is not an improvement in security. Pointing
> out that security is hard without TPM is not the
> same as saying TPM improves over the status
> quo. Thats a straw man.

TPM has some advantages. TPM has some disadvantages. Therefore TPM does improve security (in some instances).

> Now lets get to the real crazy part. The
> individual TPM chip can be identified.

Yes, the TPM endorsement key is linked to the individual chip.

BUT, the Direct Anonymous Attestation (DAA) protocol allows the user to authenticate to Disney as a trusted platform, WITHOUT revealing the identity of the individual chip - hence whilst preserving privacy.

Again, this is an application level problem. Disney have the right to demand your identity (by TPM key or by credit card), it is your choice as to whether to use these services.

> When you
> buy a movie from say Disney its *signed* to
> *that* chip. It won't work on a different
> machine.

Again, application level issue. Disney could do it that way. Or disney could do it another way (which you clearly would prefer).

> Lets not forget the privacy implications as well.

DAA attempts to solve them.

SupporterMay 30, 2008 9:19 AM

Clive Robinson wrote:
>
> There appears to be some confusion about TPM and how to look at it.
> Broadly there are four basic normal use "TPM" viewpoints,
>
> 1, Hardware : just the chip and it's capabilities.
> 2, OS-designer : designer of a TPM-OS
> 3, App-designer : designer of apps to run on TPM-OS.
> 4, Normal User : who has a TPM-OS with TPM-Apps installed.

I think this is a key point. The TPM is merely a hardware chip which is capable of a few operations:
* random number generation
* compute hash functions (SHA-1)
* generate keys
* perform encrypt/decrypt operations (RSA)
* limited storage space

At a slightly higher level we are able to derive the following functionality:
* memory curtaining
* sealed storage
* attestation

This functionality can allow all sorts of applications. Some of which are desirable, some of which are undesirable (from various perspectives).

Kadin2048May 30, 2008 9:34 AM

The major issue I have with the TPM isn't ideological but practical -- it requires far too much trust in the TPM manufacturer for my taste.

Alan (at 2:49) gave a good summary of what the TPM actually does. It's just like the USB security devices that you can buy, which contain a secret key buried in the hardware, and store whatever pieces of data you care to send them.

Except, of course, that if you read in the news (or here on Bruce's site) that a particular manufacturer of USB tokens did something foolish, or had a design/process flaw, you can just stop using the USB token, smash it with a hammer, and be on your way. Not so if you're using the TPM inside your laptop.

How do you know that the manufacturer of the TPM didn't keep a copy of your chip's secret key when the chip was made? How do you know they didn't just load in an arbitrary key of their choice? You don't know; you can't really ever know. That, to me, is a serious flaw. I'd much rather generate my own secret keys -- even if they're stored in a less-secure place, like on my hard drive -- and be able to control them, than trust some company to generate them securely. Big companies have a pretty poor track record of doing security well, and if TPMs ever came into wide use, it would be a pretty high-profile target.

AnonymousMay 30, 2008 10:06 AM

@Kadin2048
``The major issue I have with the TPM isn't ideological but practical -- it requires far too much trust in the TPM manufacturer for my taste."

You could of course build your own. Or buy from a manufacturer you have reasonable faith in. Or remove a TPM from a PC manufactured for someone else.

Since the end-user of a given TPM is unknown at the time of manufacture I have some faith.

JasonMay 30, 2008 10:23 AM

Prime example: Microsoft Vista

You cannot install unsigned kernel-mode drivers on the 64-bit version of the OS. Period. Not even if you are a local admin. They even removed the ability to turn the feature off via a boot flag.

You have to press F8 and select an option from the boot screen every single time you reboot.

To get "signed" by Microsoft, the driver creator needs to have a Verisign Certificate that is not free.

A tool designed to allow a user to test and install unsigned drivers (like the kind someone might be writing for his or her self) was classified by Microsoft as malware and Microsoft had Verisign revoke their cert (http://www.linchpinlabs.com/resources/atsiv/usage-design.htm).

So even if you play by the rules, if Microsoft doesn't like what you are doing, they can kick you out.

I cannot tell you if Vista uses the TPM hardware for this, but it is definitely a key player in the TPM master plan where DRM is king and all users are criminals.

HW hackerMay 30, 2008 11:06 AM

Thank you Jason.

The Stuff I have been talking about is ALREADY happening.

Its not "just" a chip. The "trusted" pathway stuff in vista TPM type motherboards is a lot more than just a Chip.

@supporter

What good is hardware if the only software has "application level issues" ? NONE.

Where is my legal DVD player for Linux? One I can pay for even? There isn't one, and its not a @#$% "application level" issue. The same groups that don't license that are the same people designing and pushing TPM. Since you are pushing it so much I must assume you are somehow tied up with it.

Increasing complexity does not increase security.

Mark my words. The hacking community will be needed before this blows over.

False DataMay 30, 2008 11:08 AM

In his 2005 post, Bruce wrote, "This sounds great, but it's a double-edged sword. The same system that prevents worms and viruses from running on your computer might also stop you from using any legitimate software that your hardware or operating system vendor simply doesn't like. The same system that protects spyware from accessing your data files might also stop you from copying audio and video files." I see many of the same sentiments echoed here.

It strikes me that this concern really gets at a property rights issue, a legal and social policy question, rather than a technical one. It's a question of how much control do you have, and how much do others have, over something you regard as "yours".

There are certainly techical issues here, too, such as how secure TPM really is and whether it introduces the potential for unexpected vulnerabilities or instabilities, such as DOS attacks, but as I skim through the comments most of what I see focuses on the legal and social policy area.

The distinction is important because trying to fix a legal problem by adjusting a technical solution, or vice versa, can be like trying to drive a screw with the wrong hammer.

2happensMay 31, 2008 10:55 AM

Recent news on Satellite hacking, sure sounds like essentially the TPM/DRM game. See wired.com, Satellite hacking, NDS. Interesting article.
Many want to push the internet/computers/content like the Sat industry. Grr, ugly.

PKSJune 4, 2008 7:57 PM

Look, we already have nearly a TC model with video game consoles. How many times have the supporters of a proposed tech oversold it's capabilities? This will be broken or spoofed somehow, and just because I can't see how to do it, doesn't mean it doesn't exist.

TC will no more end piracy than household door locks will end burglaries.

OldGreyWiskersJune 15, 2008 7:27 PM

What is the impact of TPM (Trusted Platform Module) for the squashing of viruses and the debugging and design of systems. If a virus author had the 'key' to a variety of TPM protected devices could the code hide behind that trust?

How much more difficult is it to design ''TPM" hardware. An end to end simulation including timing analysis must be able to simulate this all and it is already very difficult to design modern new generation hardware.

At one level I wonder if this is the deep pocket hardware and software vendors taking the small vendors into deeper water simply because they can.

marcusJune 16, 2008 4:47 PM

Every security technology touches political issues. This is unavoidable: Digital security is all about controlling the flow of information, which creates or destroys power imbalances. The issues in distribution of power is the definition of politics.

It is extremely easy to pinpoint the difference between the "neutral" and the "bad" aspects of the TPM technology. Every feature of TPM that requires a secret in the chip that the user of the computer must not know is "bad". Every feature which works also if the user knows the secret is "neutral". For example, hard disk encryption is "neutral", as the user can be allowed to know the key used for encryption. Remote attestion is "bad", because the user can fake attestion for any configuration if he knows the secret on the chip.

In political terms, by denying the user knowledge over the secret key stored on the TPM chip, the creator of the TPM chip creates a power imbalance: The users are denied the power of knowing the key. This power is centralized in the signing authority which signs the secret keys on the TPM chips for attestation purposes. The user of the machine has only disadvantages from that.

People who hide these differences in the discussion and talk about the TPM chip as one single technology that comes in one package are lying by omission.

Luckily, remote attestation will not work for practical reasons: The PC platform is too diverse to allow certifications of all possible configurations. Remote attestation will work best in situations where it does the least amount of damage: In 1-on-1 relationships such as B2B where both parties involved have at least some negotiation power.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..