grub-devel

Re: TPM support status ?


From: Vladimir 'phcoder' Serbinenko
Subject: Re: TPM support status ?
Date: Wed, 19 Aug 2009 20:48:13 +0200

> Since the BIOS can be "easily" replaced, it cannot be trusted, hence you
> can't build a chain of trust starting from your BIOS. It is a "little"
> more difficult to replace a TPM, even more if it's holding a shared
> secret. :)
Write wire? Concrete around the chip? Concrete is more resistant than
silicon as last studies have shown.
>>
> I completely agree with the first part, but you twisted the ending. :'(
> I trust an open-source software, because I can see the source code (uh,
> wait! what if I can't trust the compiler!).
It's a known attack (and there are ways to detect it).
> I keep trusting it because
> the TPM tells me it hasn't been altered on my computer by nasty people.
>
Suppose even that TPM or XYZ can ensure software isn't tampered at
all. Attacker can alter your hardware instead. It just changes the way
your computer is attacked, not the result. As a matter of fact
hardware attacks are now more widespread in these considerations.
>> TPM claims to e.g. protect your hd encryption keys. But what a hacker
>> would do is to boot computer, wait that it retrieves the keys and then
>> execute cold boot attack (in most cases it's enough to just cool RAM
>> down and reboot with a USB key which will dump the memory). I don't
>> spend my time on implementing a "security" which increases hacking
>> cost by $15, claims to be unbreakable and can be used for evil
>> purposes (in which case it's more difficult to crack)
>
> Uh, wait! There's something I don't understand there. What's the point
> in putting the whole secret in the TPM? It's like writing your passphrase
> on a paper and put it under your keyboard. A clever implementation would
> be using the ownership capabilities of the TPM so that the secret can be
> protected by system integrity _and_ password.
Then I wait that you enter your password and leave machine unattended
and execute my cold boot attack. If you never left machine unattended
you don't need a chip to ensure the integrity.
>>> This chain of trust is useful for people that have to work with a
>>> computer and data in an untrusted environment, and that's how and what
>>> it was designed for.
>> Then this design is fundamentally flawed. You just can't trust hardware
>> in untrusted environment.
>
> This is what the TCPA is trying to solve. Not an easy question, but TPM
> is a good beginning imho (invalid the Stoned attack scheme for example)
>
When they provide a way to do so I would like to look at it. The only
way I'm aware of is to put computer in 10^n tons (n being a security
parameter) of concrete but it's pretty much a "safe" environment. Till
they don't I consider it a non-security. And even if they do freedom
concerns remain.


-- 
Regards
Vladimir 'phcoder' Serbinenko

Personal git repository: http://repo.or.cz/w/grub2/phcoder.git



