TPM (was: Broken dream of mine :()

[olafBuddenhagen]

Hi,

On Mon, Sep 21, 2009 at 03:57:26PM +0100, Sam Mason wrote:

> Yup, I wasn't trying to protect against the admin.  Just noting that
> it will help to tell them when things are getting out of date.

If you trust the admin not to be actively hostile, you don't need a TPM.
Normal software is perfectly sufficient to check for outdated stuff,
unless the admin manipulates it on purpose.

> But you can't be sure that a remote attacker hasn't put a rootkit in
> somewhere.  AFAIU, TPM should allow you to detect this.

TPM doesn't really protect against security being compromised. All it
does is guarantee that certain components haven't been modified -- but
if the unmodified components were secure, the system couldn't have been
compromised in the first place...

(It can make it harder for a rootkit to hide across reboots -- but I'm
not convinced that this results in a major security win.)

> I personally think that the media's perverted use of TPM has colored
> most peoples' viewpoint of it.  There was a lot of good research that
> went into it and it seems like a waste to throw it all away just because
> the use that people initially heard about is particularly horrible.

The way vendor keys are managed clearly shows that the whole
infrastructure has been designed for the "particularily horrible" use
cases.

-antrik-