l4-hurd

Re: Broken dream of mine :(


From: Sam Mason
Subject: Re: Broken dream of mine :(
Date: Mon, 21 Sep 2009 11:38:07 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

On Mon, Sep 21, 2009 at 12:19:05PM +0200, Michal Suchanek wrote:
> The problem is that if you get a version of either kernel that does
> not lie to the process, and you can verify that with some scheme
> involving TPM or similar you can now make application that refuses to
> run unless it has access to true opaque memory.

I thought the point of TPM was that the kernel can't lie, or rather if
it does then you can trivially find out that it has.  You end up getting
a signature of the programs in the TCB and hence you can allow your
code to run only if you know that this set of processes is known to be
"good".

> The problem with drm is not that opaque memory can be created, you can
> just have a key store in the Linux kernel and it may be secure enough
> for drm purposes.

DRM is a bit of an abuse of the whole TPM thing; more acceptable uses
(to me anyway) involve running a cluster of HPC boxes that you want to
keep control over.  TPM can be used to ensure that they're only allowed
to join the network if they are running "good" software and hence you
can trust that you're getting the right answers back.

> The problem is that by social engineering a group
> holding substantial share of resources that the users want to access
> may coerce them to use a version of the system that makes the opaque
> memory really opaque for all practical purposes. Then the technical
> conditions in effect are no longer controlled by the user.

Yup, like any technical feature it can be abused as well as used.  The
opinion here has always been that the abuses are worse than the good
uses and hence this sort of thing shouldn't be allowed.  I'm less
certain.

-- 
  Sam  http://samason.me.uk/



