Re: TPM support status ?

[Vladimir 'phcoder' Serbinenko]

> Technical measures can never decide who, morally, "owns" a computer.
I agree. Anyone who can open the computer can make it do whatever he
wants too. It's possible to increase the cost of such operations by
all kind of obfuscation schemes. If a cost to make a laptop behave for
the thief is bigger than the cost of the laptop noone will steal one.
To achieve this some kind of hardware secret (which needs to be
figured out for operating laptop) or watermarking (or visible
engravings) should be enough, no need for TPM. The last one in this
case is actually of no use - it can replaced with a new chip.
All the software can protect is the data. Just encrypt your data with
your password. Some people say "with TPM I don't need to enter my
password". If you don't want to, buy a small USB stick and put the key
on it and attach it on your keychain. This way you keep the key and
not TPM manufacturer.
> It's why I still have set an unrestricted boot
> option on my computer (without access to my personal-data encryption
> password of course - it's in my head)
I made the same decision.
> *some options:
> - Lock down not very much at all: Let anyone boot a CD, or even log in
> directly as root, or at least replace your hard drive.  Allowing only the
> former probably makes you safer from someone lazy grabbing your computer out
> of your hands and deleting your files in a stroke of anger; adding some
> time/practicality delay that's still much less than the nuisance of
> replacing hardware can be an okay compromise.

Someone who wants your data to be gone would just destroy the HD.

I mostly agree with the rest of the mail just there is an additional
usecase which is remote booting
> - Lock down via open chain of trust: Coreboot, and so forth, verifying
> signatures.  Booting a CD, and removing/modifying/replacing your hard drive,
> neither will allow the computer to boot something different. Different
> software can happen if "attacker" figured out how to physically replace your
> BIOS.  This is claiming ownership of your computer for as long as it remains
> your computer (or until someone steals your personal passwords or personal
> crypto-keys).  It's open design, but it's worth noticing that by choosing
> even this, you are still trying to using technical measures to decide who
> owns a computer... it just gets less 1984-esque when someone does decide to
> replace your computer's BIOS (they can use a standard chip rather than a
> horrible hack discovered by black hats)... This choice might be a good one
> to use in airplane cockpits.
> - Lock down via proprietary crypto chip (TPM).  Different software can
> happen if "attacker" figured out how to break into your TPM, which is
> actually quite possibly easier, not harder, than replacing hardware because
> the TPMs are closed systems that don't disclose their design and flaws...
> This option is not safe from TPM manufacturers even if it does *seem*
> convenient and secure (considering how many PCs have TPMs these days).  This
> might be okay for airplanes because -Airplane manufacturers are big enough
> to negotiate with TPM manufacturers -Airplane control systems had better
> never function as ordinary computers for ordinary people! (-Isolating the
> risks in a smaller chip might be safer from electromagnetic effects; Except
> that you don't actually get reliability that way.  You can make every
> security measure here, and even TPM remote attestation, flawed, as soon as
> your RAM becomes unpredictable.  Not in a convenient way, but it should
> definitely be possible..)  Also, none of the airplane arguments really apply
> to small, non-life-critical systems.  If car manufacturers build PCs into
> the cars for people's enjoyment, the PCs should not be locked down; the
> critical circuits should use separate chips anyway, because it's just better
> engineering practice not to rely on a fast multi-purpose computer when you
> don't have to.
>
> I think, we need to be activists for open (e.g. Coreboot-based) security.
>  Fewer of its possible scenarios lead to dystopian circumstances.  Too many
> people expect and demand a logical chain of security for their computers
> (I'm not one of them, I don't want to lock down my laptop, as above).  I
> don't know if this chain of security is "useful" in an absolute sense, but
> it is nevertheless part of the struggle to make computers more open and
> understandable, including making people understand better the comparative
> role of TPM.  I believe this role is: a very badly implemented form of
> basically the Coreboot chain of things, plus a form of remote attestation
> that requires you (or anyone) to tech-battle the manufacturer to circumvent
> (or instead of battling, maybe you're an agency that can convince
> manufacturers to give you a backdoor. Money and slimy promises are good
> tools for this.).  I'm not sure, I might be missing something here -- what
> are you thinking about it?
>
> -Isaac
>
>
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/grub-devel
>



-- 
Regards
Vladimir 'phcoder' Serbinenko

Personal git repository: http://repo.or.cz/w/grub2/phcoder.git