Intel's Baking TPM 2.0 Support For Linux

  • Intel's Baking TPM 2.0 Support For Linux

    Phoronix: Intel's Baking TPM 2.0 Support For Linux

    Jarkko Sakkinen of Intel has published his revised patch series for providing Trusted Platform 2.0 (TPM2) support for the Linux kernel...


  • #2

    This is going to be used for windows lock-in from 2015, to prevent alternative OS. Enjoy....


  • #3

    Originally posted by brosis:
    This is going to be used for windows lock-in from 2015, to prevent alternative OS. Enjoy....

    Ummm, no, just no. A TPM, if present, must be configured in a particular way. I don't see anything there that says a TPM must be used. Point to the specific place if you think I'm reading it wrong.

    Anyways, how else can you verify the code you are actually running is the code you wanted to run without being able to confirm the firmware, boot-loader and kernel chain?


  • #4

    Originally posted by brosis:
    This is going to be used for windows lock-in from 2015, to prevent alternative OS. Enjoy....

    Maybe, but there are other features that are extremely useful. For example, you can store private keys in a secure, tamper-resistant location - like a smart card built into your computer.


  • #5

    Originally posted by OneTimeShot:
    Maybe, but there are other features that are extremely useful. For example, you can store private keys in a secure, tamper-resistant location - like a smart card built into your computer.

    Fully correct. It's like a gun. But the question is - who is using that gun much more often and in which direction. Then we can talk if the weapon is actually more misused than used. Many people left Vista for Linux exactly due to the Palladium/TPM project.

    If this chip wouldn't be used to strip users of rights or damage free software, then it would be perfectly awesome. But this is not the case.


  • #6

    Originally posted by WorBlux:
    Ummm, no, just no. A TPM, if present, must be configured in a particular way. I don't see anything there that says a TPM must be used. Point to the specific place if you think I'm reading it wrong.

    Anyways, how else can you verify the code you are actually running is the code you wanted to run without being able to confirm the firmware, boot-loader and kernel chain?

    It is configured ("locked") at the factory.

    To answer your second question - Coreboot with signed images, keys stored on flash media, compared with the master over time. But this is not acceptable, because it would not work for factory-side lockdown. This is a strawman argument.


  • #7

    TPM not trustworthy against governmental surveillance

    My motherboards all have TPM sockets, but nowhere can I get a TPM that is itself trusted to plug into them! I have to expect that if I put my disk encryption keys into a TPM made in any country allied to the US, at least the NSA and possibly the Secret Service as well can gain access to the keys. Thus, no ability to use the TPM as a primary defense against "evil maid" keyloggers or BIOS tampering by anyone supported by the US government.

    Some years ago, there was a court case that turned on computer evidence the defendant thought was safely locked away behind an ATA security set hard drive password. Turned out the FBI has some way to bypass that, given to them by the hard drive maker, and was able to bypass it almost instantly. Had this not been so, the prosecution would have had to try data recovery by "scraping the platters," which would have taken a lot more time, maybe more than a backed-up "crime lab" would have had available for the case in question. Since we cannot prove that TPM modules do not include preinstalled extra keys owned by the government, we cannot prove this is not also true of the TPM.

    Now a question: does anyone know of a way to keep your own keys in a TPM after signing your firmware, bootloader, kernel, and initramfs with them that would work even if the government has a backdoor into the TPM? Is there anything in how a TPM works that would not only make NSA keys irrelevant to self-signed software but also stop anyone from getting to your keys as though the TPM was just a flash drive with keys written to it and left in the USB port?
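The chain-of-trust question in #3 and the "keep your own keys in the TPM" question above both come down to the same TPM 2.0 mechanism: each boot stage is measured into a Platform Configuration Register (PCR) by one-way extension, and a secret is sealed so the TPM releases it only when the PCRs show the expected chain. The toy model below is an added illustration written for this thread, not code from the Intel patch series or any TPM library; the boot images, the TPM seed, and the HMAC-based stand-in for the TPM's policy check are all constructed. It does not address a backdoored TPM, which by definition can release the key regardless of policy.

```python
"""Toy model of TPM 2.0 measured boot: PCR extend plus PCR-bound sealing.
Constructed illustration, not the Intel patch series or any TPM library."""
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR bank holds 32 zero bytes at reset

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = SHA256(old || digest).
    One-way and order-dependent: a PCR can only be extended, never set."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(stages: list) -> bytes:
    """Each boot stage hashes the next image before running it; here all
    digests go into one PCR (a real platform spreads them over PCR 0-7)."""
    pcr = PCR_INIT
    for image in stages:
        pcr = extend(pcr, hashlib.sha256(image).digest())
    return pcr

def _key_for(tpm_seed: bytes, pcr: bytes) -> bytes:
    # Stand-in for the TPM deriving an unseal key from its internal seed;
    # the PCR value is part of the derivation, so a different chain gives
    # a different key (a real TPM enforces this via TPM2_PolicyPCR).
    return hmac.new(tpm_seed, b"seal" + pcr, hashlib.sha256).digest()

def seal(secret: bytes, expected_pcr: bytes, tpm_seed: bytes) -> tuple:
    """Bind a secret (<= 32 bytes) to the PCR value of the trusted chain."""
    assert len(secret) <= 32
    key = _key_for(tpm_seed, expected_pcr)
    stream = hmac.new(key, b"enc", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def unseal(blob: tuple, current_pcr: bytes, tpm_seed: bytes):
    """Return the secret only if the PCR now equals the one sealed against."""
    ct, tag = blob
    key = _key_for(tpm_seed, current_pcr)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # firmware, boot loader or kernel changed: refuse
    stream = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

# Constructed boot images standing in for firmware, boot loader, kernel, initramfs
TRUSTED_CHAIN = [b"firmware-v1", b"grub-signed", b"vmlinuz", b"initramfs"]
TAMPERED_CHAIN = [b"firmware-v1", b"grub-evil", b"vmlinuz", b"initramfs"]
TPM_SEED = b"constructed-tpm-internal-seed"  # never leaves a real TPM
```

Sealing a disk key against `measure_chain(TRUSTED_CHAIN)` and then booting `TAMPERED_CHAIN` makes `unseal` return `None`, which is the property an "evil maid" boot-loader swap runs into on a non-backdoored TPM.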


  • #8

    Originally posted by Luke:
    Now a question: does anyone know of a way to keep your own keys in a TPM after signing your firmware, bootloader, kernel, and initramfs with them that would work even if the government has a backdoor into the TPM? Is there anything in how a TPM works that would not only make NSA keys irrelevant to self-signed software but also stop anyone from getting to your keys as though the TPM was just a flash drive with keys written to it and left in the USB port?

    If you want a guarantee you will need to design and fab your own TPM. You may be able to do something interesting with an FPGA, although I don't believe you could make it fit into a motherboard TPM socket, and it also wouldn't have the tamper-resistant features.


  • #9

    Originally posted by Luke:
    Some years ago, there was a court case that turned on computer evidence the defendant thought was safely locked away behind an ATA security set hard drive password. Turned out the FBI has some way to bypass that, given to them by the hard drive maker, and was able to bypass it almost instantly. Had this not been so, the prosecution would have had to try data recovery by "scraping the platters," which would have taken a lot more time, maybe more than a backed-up "crime lab" would have had available for the case in question. Since we cannot prove that TPM modules do not include preinstalled extra keys owned by the government, we cannot prove this is not also true of the TPM.

    Child pornography? Drug production? Weapon smuggling? Human trafficking? Just curious.. Also, the term "surveillance" is not applicable to TPM. TPM is for data protection - as it is manufactured on a commercial basis, companies will be forced to provide government access in any case, in any country on this planet. This is government - and those are commercial companies paying taxes, after all.


  • #10

    Yet another technology we can't trust?
