l4-hurd


Re: Broken dream of mine :(


From: Michal Suchanek
Subject: Re: Broken dream of mine :(
Date: Mon, 21 Sep 2009 17:32:07 +0200

2009/9/21 Sam Mason <address@hidden>:
> On Mon, Sep 21, 2009 at 04:00:58PM +0200, Michal Suchanek wrote:
>> 2009/9/21 Sam Mason <address@hidden>:
>> > The point I was trying to make is that this doesn't work for "the
>> > whole internet".
>>
>> Well, this was discussed to death on another list (grub-devel).
>
> Any pointers?  I found a couple of discussions, but they didn't look
> very interesting.

It's not like discussions about TPM are particularly interesting.
There are people who want to use it and people who realize there is
very little benefit really so they are quite indifferent. And then
there are people who strongly oppose the technology for political
reasons. The discussion between the first and third group can go on
endlessly.

>
>> The
>> admins typically do have physical access, and physical access makes it
>> possible to launch quite a few attacks that are feasible with
>> resources a system administrator would typically possess (spare
>> hardware parts, digital voltmeter).
>
> Yup, I wasn't trying to protect against the admin.  Just noting that it
> will help to tell them when things are getting out of date.

You can send them an email or show a warning message on the terminal
until they upgrade without any need for TPM.

>
>> If you really want to protect against that you *need* physical
>> security. And if you do have physical security you have to do the
>> administration yourself anyway so the system need not protect against
>> an administrator.
>
> But you can't be sure that a remote attacker hasn't put a rootkit in
> somewhere.  AFAIU, TPM should allow you to detect this.

As should any other comparison with previous checksums which can be,
for example, stored on a read-only boot media together with a
bootloader that checks them.

>
>> On the other hand, a TPM-based verification is enough to lock an
>> average Joe User out of his computer.
>
> I'd agree, I'm struggling to think of any use cases outside of high
> assurance that would want anything to do with TPM.  But why does it

It doesn't give high assurance. It only gives assurance in combination
with physical security in which case it is just one of many options,
and not particularly appealing.  You have to rely on the TPM
manufacturer quite a bit because the devices come as black boxes with
unknown internals.

> matter, in the above case the machine would just go into a loop when
> logging into the network and the admin would realize and intervene at
> some point and reimage the machine.  The normal user wouldn't be trying
> to log into a network that cared and hence wouldn't be any the wiser
> that anything was amiss.

Then netboot the machines. No need for reimaging and users staring at
broken machines.

>
> I personally think that the media's perverted use of TPM has colored
> most people's viewpoint of it.  There was a lot of good research that
> went into it and it seems like a waste to throw it all away just because
> the use that people initially heard about is particularly horrible.

The TPM specification was developed for DRM although it allows other
uses. The problem is that in its current state TPM devices aren't
particularly useful for anything. Statistically, they would provide
good enough protection for media DRM because only a small percentage
of users would resort to hardware hacking to get at the media files.
There is no need to rely on hardware, though. Even with software
protection few users resort to hacking to get at the media files for
which they bought the playback rights.

Thanks

Michal
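
The comparison with previously recorded checksums mentioned in this message can be sketched as follows; this is an added example, not code from the thread. It assumes the baseline is kept on read-only media and the check runs from that trusted boot environment; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, root):
    """Diff the tree at root against a baseline taken from trusted media."""
    cur = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in cur and cur[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in cur),
        "unexpected": sorted(p for p in cur if p not in baseline),
    }


def demo():
    """Constructed sample tree: record a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin/init").write_bytes(b"init v1")
        (root / "sbin/login").write_bytes(b"login v1")
        baseline = snapshot(root)  # assumption: stored on read-only boot media
        (root / "sbin/login").write_bytes(b"login v2 (changed)")  # differs from baseline
        (root / "sbin/extra").write_bytes(b"new file")  # not listed in the baseline
        (root / "sbin/init").unlink()  # listed in the baseline but now gone
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Reporting files that are absent from the baseline matters as much as reporting changed digests, since a check that only re-hashes known paths never looks at anything that was added.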



