l4-hurd

Re: Broken dream of mine :(


From: Michal Suchanek
Subject: Re: Broken dream of mine :(
Date: Tue, 22 Sep 2009 17:19:36 +0200

2009/9/22 Sam Mason <address@hidden>:
> On Tue, Sep 22, 2009 at 12:09:44PM +0200, Michal Suchanek wrote:
>> 2009/9/22 Sam Mason <address@hidden>:
>> > On Tue, Sep 22, 2009 at 12:42:17AM +0200, Michal Suchanek wrote:
>> >> But it will break your system.
>> >
>> > No it effing will not and stop being so silly.  You choose whether your
>> > computer is going to run an OS that's going to surrender its authority
>> > to somebody else.  If not then anything we do won't matter anyway.
>>
>> I don't get the first sentence of the above paragraph. However, it
>> seems you are getting the wrong impression here.
>
> Yes, I misunderstood you.  I thought you meant that any
> introduction of TPM (independent of the OS you're using) will "break your
> system".
>
>> The TPM chip will not
>> break your system because you use it to lock yourself out. In that
>> case you break your system.
>
> But that's the whole point; I *want* to lock myself out of the system.
> If somebody breaks in and installs some malicious code then I want it to
> break in the most obvious way possible.  The admin then reinstalls the
> system and only when everything has been brought back to normal will the
> system will be allowed back into the network.

How do you actually check for malicious code?

This is quite hard, and on a typical POSIX system even a user program
can be quite malicious.

The drm scheme only needs to protect a particular key store and
integrity of a single application - the media player. This may be
feasible even on Linux.

On the other hand, making sure that none of your documents are
randomly sent over the network or overwritten is hard; you can do
that with a shell script or similar on most systems.

If they were drm protected media files there is no harm to the
provider of the drm content; they can still be accessed only with the
right keys and the right system and player.

Different goals often require different tools.

>
>> However, if you rely on TPM for security and the module is in fact
>> broken you lose any security and can throw away your system. If you
>> rely on simple hardware measures (like flash write protection) and
>> write the rest in software then it's more likely that if anything
>> breaks it's the software and you can replace that. You can also verify
>> that a write protected flash is really write protected. Good luck with
>> testing a TPM really adheres to specification under all possible
>> conditions.
>
> Well, the converse is that you'd also have to verify "under all
> possible conditions" that a readonly flash is really readonly.  Quite a
> lot of motherboards these days will revert to a second copy of the bios
> and this could start breaking things.  Booting from the network is quite
> often set in the network card itself and this would be independent of
> the readonly state of the bios itself.  To be in this level of detail

Even considering these possible variables there is still much less to
check than with a TPM chip. You can also obtain information on the
construction of the flash chip so you should be aware of possible
pitfalls in advance.

It is also more feasible to get a custom BIOS than it is to get a
custom TPM chip.

Thanks

Michal
