Forgot your password?
typodupeerror
Privacy Security Hardware

Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"? 290

Posted by timothy
from the in-light-of-recent-events dept.
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module(TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing,.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?

Comments Filter:
  • What? (Score:4, Informative)

    by Anonymous Coward on Sunday August 11, 2013 @01:19PM (#44536429)

    Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?

    • Re:What? (Score:4, Interesting)

      by Anonymous Coward on Sunday August 11, 2013 @01:30PM (#44536507)

      Even if you do turn it on, it only goes about doing what you ask it to do. You can use it to pull some random numbers from, for instance, and completely ignore the cryptographic functions. And neither UEFI or secure boot has nothing to do with TPM. That's completely separate and, on every x86/x86_64 machine I know of, able to be easily run in custom mode with your own keys (and noone else's keys), or disabled entirely.

      So if you're being paranoid about this because of fears about spying or remotely taking over your computer... Well, you're being paranoid. If you're scared of that because of TPM, you should be much more scared of that because of not having the complete specifications to rebuild the computer from a hunk of silicon..

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Let me go scare him some more. Hey check this out: http://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Using_Intel_AMT

      *gets popcorn* ;)

      • by thejynxed (831517)

        Funny thing, I actually have that enabled on a few of my machines that I use for file storage, etc. Makes it easier to monitor/control them (with a few other tools) than what Microsoft offers on the consumer level.

    • Re: (Score:2, Informative)

      by Mashiki (184564)

      No you're not missing anything. Even UEFI can be turned off on nearly every motherboard out there, my mobo from my new build early this year has UEFI and I could turn it off if I want. Right there in the menu selections. Though most good consumer boards also support TPM as an option. As you said, just don't buy the module. Even the mid-range MSI board I recently picked up supports it.

      • Re:What? (Score:5, Informative)

        by SCPRedMage (838040) on Sunday August 11, 2013 @02:25PM (#44536777)

        Turn off... UEFI...

        The fuck? UEFI is a replacement for BIOS; "disabling" it would entail disabling your system's ability to boot at all. Likely what you mean is Secure Boot, which is an optional feature for newer UEFI systems that caused a bunch of stink with Windows 8.

        • They still have BIOS. If you turn off UEFI, you use the BIOS.

          • Re:What? (Score:5, Informative)

            by Microlith (54737) on Sunday August 11, 2013 @02:54PM (#44536945)

            No, you don't turn UEFI off. What you do is activate the CSM, which emulates older BIOS calls and maps them to UEFI functionality.

            • What you do is activate the CSM, which emulates older BIOS calls and maps them to UEFI functionality.

              Kind of, sort of. I have a server with UEFI running a recent Xen and its Dom0 can't access more than 2GB of RAM due to a lack of native UEFI support and the way that BIOS emulation is usually done.

              It's a bit of a rough patch right now.

            • Re:What? (Score:5, Informative)

              by tlhIngan (30335) <slashdot AT worf DOT net> on Monday August 12, 2013 @01:05AM (#44539579)

              No, you don't turn UEFI off. What you do is activate the CSM, which emulates older BIOS calls and maps them to UEFI functionality.

              Exactly.

              And it's been a long while since you could get a native BIOS motherboard - it's been (U)EFI since the Core series of processors were first released by Intel. Prior to this, Intel released both BIOS and EFI code for the processors. Since then, it's been (U)EFI only. It's just that since 2006 or so, by default the EFI boots into a BIOS emulator that gives you the BIOS you know and love.

              It's only in the past 2 years or so has the actual UEFI interface been accessible to users (other than through an Apple Mac, that is). Intel has provided EFI code since the turn of the millennium, as well, so it's actually older than you think.

              Initially, Apple's Boot Camp utility installed the BIOS emulator on early Macs because they shipped without it and thus couldn't boot Windows. Later Macs have it baked into the firmware and you can just boot it directly. Hell, Apple even slipstreams the drivers into the OS image now so you don't have to install afterwards.

              Linux has supported EFI boot since I don't know when. IA-64 (Itanium) definitely, but it got ported to x86 a long while back too. Of course, you could really only use it on a Mac until recently...

        • Re:What? (Score:4, Insightful)

          by Mashiki (184564) <mashiki@gmai l . c om> on Sunday August 11, 2013 @04:05PM (#44537331) Homepage

          I must be getting old. I actually remember a time when /. had at least somewhat technically savvy people.

      • Re:What? (Score:5, Insightful)

        by Alsee (515537) on Sunday August 11, 2013 @03:06PM (#44537001) Homepage

        No, it's you missing something.

        just don't buy the module.

        THAT IS EXACTLY WHAT HE'S TRYING TO DO.

        A lot of computers are now being shipped with TPM's SOLDERED onto the motherboard, and they are making progressing on packaging the TPM inside the CPU chip.
        He doesn't want to buy that crap, I don't want to buy that crap, and the problem is that a lot of people are buying that crap without knowing it. The Trusted Computing Group has stated that part of their strategy for forcing everyone to buy into their Trusted Computing crap is to ensure that TPMs are already built in to all new computers being sold.

        -

        • by aliquis (678370)

          In what ways does it matter for me?

          Software calling home?

          Well, except I guess someone earns money on me buying something with support for it.

        • Every motherboard I've bought in the last 4 years has had a TPM space on it.

          It still didn't come with one. Just a slot to plug one in. I didn't buy a TPM, my computers don't have them....

        • by Mashiki (184564)

          A lot of computers are now being shipped with TPM's SOLDERED onto the motherboard

          Well no. You're going to be pretty hard pressed to find any consumer level, even business level machines with a soldered in TPM module. They're meant to be replaceable if they fail.

      • Re: (Score:2, Informative)

        Even UEFI can be turned off on nearly every motherboard out there, my mobo from my new build early this year has UEFI and I could turn it off if I want. Right there in the menu selections. Though most good consumer boards also support TPM as an option.

        This is only half-true. I have disabled UEFI boot on my ASRock Z68 Extreme3 Gen3, but when attaching a USB mass storage device, there is still a substantial delay if it is a mechanical drive while it searches for bootable partitions. This behavior shouldn't happen if UEFI is truly disabled -- and this behavior is unique to UEFI motherboards. If boot from USB is disabled on pre-UEFI motherboards, this does not happen.

        As well, I cannot prevent UEFI firmware from being loaded from devices; I can only set a pre

        • As well, the TPM module in most motherboards cannot be disabled.

          The TPM in most motherboards cannot be disabled because it was never installed in the first place. If you built the machine yourself, read the fine print on your motherboard box, there's about a 99.9% chance you have "TPM support" in the form of an unpopulated header, not an actual TPM.

    • Re:What? (Score:4, Informative)

      by tlambert (566799) on Sunday August 11, 2013 @03:52PM (#44537257)

      Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?

      It's pretty much impossible to get a new system with any reasonable compute ability without at least some form of back doored TPM-like facility these days. For example, the new Intel Ivy Bridge Chipsets have vPro, which gives similar capabilities. Likewis, the new AMD systems currently being planned have the ability to run TZones in the on-board ARM processor to implement a software TPM, as long as they aren't exposed out directly.

      http://www.hardwaresecrets.com/news/Intel-Launches-Ivy-Bridge-CPUs-with-vPro-Technology/6464 [hardwaresecrets.com]
      http://newsroom.intel.com/community/intel_newsroom/blog/2012/05/15/intel-strengthens-security-boosts-performance-for-business-with-3rd-generation-intel-core-vpro-platforms [intel.com]

    • by hairyfeet (841228)

      Even simpler just buy AMD as last i checked AMD doesn't have TPM, one of the reasons they are adding an ARM core to some of their newer chips as it can be used for TPM. Considering you can get a hexacore for $310 after MIR [tigerdirect.com] or if he wants mobility a quad core laptop for $420 [tigerdirect.com] I'd say its a no brainer, the bang for the buck is still firmly in the AMD camp.

      That said I don't know WTF he is babbling about because AFAIK there isn't a TPM made ATM where the user isn't in control so he can use it, not use it, its

  • Non sequitur (Score:4, Insightful)

    by Anonymous Coward on Sunday August 11, 2013 @01:20PM (#44536437)

    I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process.

    Non sequitur much? What do Blu-Ray movies have to do with a TPM or UEFI secure boot? Also, Windows 8 can be run just fine without UEFI secure boot and doesn't need a TPM. UEFI secure boot is only needed to sell a certified product. Trying to drum up some FUD or what?

    • Re:Non sequitur (Score:5, Insightful)

      by sunderland56 (621843) on Sunday August 11, 2013 @02:30PM (#44536799)

      You might be overreacting; english has extremely loose parsing rules. Try reading it like this:

      I have no need to run anything like ( ( Blu Ray movie disks ) OR ( Microsoft Windows that requires TC/TPM or the UEFI boot process) ).

    • Also not only does Windows 8 not need secure boot, it doesn't even need UEFI. You can run it on a system with a BIOS, or on a UEFI system in BIOS emulation. My desktop is set up like that. My motherboard had some issues with UEFI boot as well as my video card, so BIOS mode it is. My laptop did not, so it is UEFI boot (it is faster) though without secure boot, it is just regular ass UEFI boot.

      I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining

      • Re:No kidding (Score:5, Informative)

        by Alsee (515537) on Monday August 12, 2013 @01:58AM (#44539731) Homepage

        Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...

        I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....

        The amount of knee-jerk that goes on with this shit is pretty amazing.

        Quoting fucking MICROSOFT.COM News Center: [microsoft.com]
        "Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015"

        You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?

        Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.

        -

  • why? (Score:2, Insightful)

    by Anonymous Coward
    None of the consumer grade machines that you would buy or build for installing your own system enforce TPM or UEFI or any of that, so far it is all optional. So no need to currently avoid it, just don't use it.
  • by Anonymous Coward on Sunday August 11, 2013 @01:26PM (#44536473)

    I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or propitiatory pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result if you get a system with a unsupported wifi card you can't replace it- or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.

    ThinkPenguin's been working with the free software foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix. Particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell for example).

    • by skipkent (1510)

      What, I've Frankensteined plenty of Lenovo machines in my time.

    • I would like to welcome the marketing department of ThinkPenguin (C)(TM) to slashdot.

    • by Dputiger (561114)

      pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result if you get a system with a unsupported wifi card you can't replace it.

      [Citation fucking needed]

      Please, show me the special proprietary WiFi slot in Dell's latest $299 standardized-to-an-inch-of-existence system that only sends and receives electrical signals from Magical Dell WiFi.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        The issue for Lenovo (I don't know about Dell) is that the BIOS has a whitelist of approved cards for those internal slots and if you plug-in a card not on the list the computer won't boot. However, Lenovo doesn't sell laptops with unsupported cards so you'll only see the issue when you try to manually upgrade it (and how many users do that?). For the power users who do open the case to upgrade, there's modified BIOSes that remove the whitelist. And before you start saying how bad Lenovo is for blocking

  • by TsuruchiBrian (2731979) on Sunday August 11, 2013 @01:27PM (#44536477)
    I don't see a problem with it, unless it can't be disabled. If you want all the freedoms, one of those freedoms is to enable or disable a TPM when you want. Maybe the only reason you want a TPM is so you can have one to test ways to circumvent it.
  • Not this shit again (Score:3, Informative)

    by Anonymous Coward on Sunday August 11, 2013 @01:28PM (#44536479)

    The story about the TPM was a load of horseshit FUD. TPMs are good if you want secure crypto key storage. If you don't, use a tinfoil hat.

    "Secure boot" is the thing you want to avoid if you're suitably paranoid.

  • by Anonymous Coward on Sunday August 11, 2013 @01:28PM (#44536485)

    Just buy it with TPM and turn it off. It's just like 3D televisions--it's a permanent addition to the feature list, regardless of how many people actually want or use it. Yeah it sucks that you pay for stuff you don't use. I'm sure you'll survive the experience.

    And if you're paranoid that turning it off won't REALLY turn it off, how do you know a motherboard without a TPM module doesn't REALLY have a super-secret disguised TPM module? If you're that paranoid, you'll have to build the motherboard yourself.

  • Why? (Score:5, Insightful)

    by chill (34294) on Sunday August 11, 2013 @01:30PM (#44536503) Journal

    TPM is just a secure hardware keystore. It allows you to store secret keys in it. Don't want it? Don't activate it.

    It is most commonly used in corporate machines, but can be used in Linux to support LUKS for full-disk encryption.

    As usual, people fear what they don't understand. The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature. TPM itself isn't inherently bad any more than any safe is inherently bad.

    Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.

      Yeah, and theorizing that the Big Brother really IS watching over you just because it's theoretically possible is a just plain wr-oh, wait, that actually did happen because the people in power can be expected to abuse any technology available to them if we just turn a bli

    • Re:Why? (Score:4, Insightful)

      by Anonymous Coward on Sunday August 11, 2013 @01:56PM (#44536627)

      Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.

      Both scenarios are more or less "theoretical", but the most likely to end up widely implemented is exactly the one RMS focuses on. That is why he focuses on it. It's also the reason why the entire thing came into being. The other stuff is a nicety for the geeks, nothing more. That nicety doesn't make the purpose behind it less wrong or evil.

      • by cbhacking (979169)

        Hardly "just for geeks" at all, actually (or, less politely, "bullshit"). Pretty much all large companies, and many small ones, require disk encryption. Many disk encryption utilities make use of TPMs (even on Linux, as the OP points out). This is already a widely-deployed use of the TPM technology.

        Meanwhile, Stallman sounds off about potential evil things that it could be used for, things which there's absolutely no sign of people even working on developing. You compare a hypothetical use case to one that

    • Re:Why? (Score:5, Insightful)

      by blahplusplus (757119) on Sunday August 11, 2013 @01:58PM (#44536645)

      "Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. "

      Not quite, the same way F2P games and always online DRM made it so far. Most people are tech illiterate, all that's needed to get TPM out there is a dumb public and some widget they will always buy mindlessly like phones. I expect phones and/or some aspect of videogames to be where TPM is first implemented. The upper classes in america are obsessed with manipulating the public mind for their own corporate profits. I suspect there are people working right this moment to find a way to push more hardware DRM and legal bullshit. I imagine we'll first see this from the game industry and then it will seep into other industries.

      The idea that Stallman is 'alarmist' given how dystopian, authoritarian and anti-freedom american copyright and patent law has become and its negative effect on people owning the digital products they buy is already cause for alarm. The fact that digital goods are effectively infininite and people are talking moronically about selling 'used digital games' (bizarre aspect of american capitalist thinking in the non scarce digital world).

      See this article, game developers and publisher are seriously totally in bizarro world trying to get rid of the used game market.

      http://www.gamasutra.com/blogs/DanRogers/20130806/197733/THE_FUTURE_OF_RESELLING_DIGITAL_VIDEO_GAMES.php [gamasutra.com]

      • by Lothsahn (221388)

        The fact that digital goods are effectively infininite and people are talking moronically about selling 'used digital games'

        While physical goods are inherently limited, digital goods can be limited artificially.

        For instance:
        1) the only reason the phoenix mount in WoW has value is that it's hard to get and people want it. Blizzard could make the supply endless, but chooses not to.
        2) Furthermore, the reason items have significant value in Eve Online is that developers manage an economy which artificially limits supply.
        3) Similarly, "cold hard cash" is limited in "real life" in the same way.

        The government could easily

    • Re:Why? (Score:5, Informative)

      by Alsee (515537) on Sunday August 11, 2013 @03:49PM (#44537243) Homepage

      As usual, people fear what they don't understand.

      I've studied the entire TPM technical specification. I understand it in minute detail.

      The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.

      EXACTLY!

      And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.

      TPM is just a secure hardware keystore.

      It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.

      Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.

      The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.

      Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.

      Lets make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of they keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.

      However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.

      The moment they allow owners to get their keys then I agree that the owner is in control.

      Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.

      A simple rule for everyone:
      Just say "I want my keys", NO KEYS, NO SALE

      -

      • by Bob9113 (14996)

        Excellent post. Clear, thorough, and informative. Thank you.

      • That is the point all you TPM-ranters seem to be missing: It is 100% optional to use. In most cases I've seen, it is off by default because people just don't give a shit about it. On my system I go and have a look in device manager and, oh look, there's no "Security Devices" category, which is where the TPM appears if it is turned on. My board either shipped with it off, or without one (I haven't bothered to check in the BIOS) and it is a new Z77 board.

        I could see the issue if this was being required, but i

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Nobody cares that you can turn it off. It shouldn't be there in the first place. That's the point of the TPM-ranters, which you seem to be missing.

          The big evil issue is not what it is today, but what it will (rest assured) soon become. When that day comes you can look back at your open embrace of TPM with a sad face and say "If I'd only known". We on the other hand will simply say "we told you so and you did nothing".

          Good luck clawing back the computer freedom you gave up.

          • It shouldn't be there in the first place.

            Sure it should be. Here's one example: If I have Intel Anti-Theft (AT) Technology, TPM and encryption my data is very well protected.

            If my computer is out of my control I can lock down the hardware with Intel AT. If the encryption key is in the TPM then no one can put the drive in another machine and decrypt it even if they know my password.

            There are lots of good uses for TPM if you remove your tinfoil hat.

        • by vadim_t (324782)

          I don't want to turn it off. I want not to have it. I want it this way so that I can't possibly be counted as part of the TPM market share.

          Besides, once it's there, it's trivial to remove the option to disable it, so the option likely won't be stay there for long, once it's widely distributed enough.

        • by Alsee (515537) on Monday August 12, 2013 @03:49AM (#44539987) Homepage

          There's lots of screaming about it, that is backed up by a big lack of knowledge about it.

          I've studied all one-hundred-plus pages of the TPM technical specification. I know how it works in detail.

          It really seems like something that some people just want to be a big evil issue so they pretend it is.

          At one point the TPM technical specification explicitly names the owner of the computer as a potential "attacker", and explicitly states the chip must be secure against the owner. And in about a hundred places it endlessly mandates that the chip is forbidden to allow anyone, which includes the owner, to ever access the master keys.

          I could see the issue if this was being required, but it isn't.

          Microsoft has declared they plan to make it mandatory starting less then a year from now.

          -

      • by chill (34294)

        The whole point of the TPM is that once secret keys are installed, they can't be removed -- by anyone.

        By taking ownership of the TPM unit, a new SRK is created, unique to the system. It is ensconced in the TPM chip and there it shall stay. That is the point -- securing the private key.

        The keys created in the TPM are supposed to be unique to the system -- not something you wander around with. They are irrevocably tied to the system. That is the entire point.

        As long as the TPM_EK is generated internally to th

      • by znrt (2424692)

        Malicious software can't read paper. End of argument.

        it wouldn't have to if you were to actually use those keys.

        if the platform is to be trusted the keys have to be secret, period. the only question is who needs this level of trust. there are plenty valid usecases for this, maybe even in the public interest, but all are closed, specific systems. it definitely has no place in general consumer devices. i can only think of 2 usecases for this: totalitarian control or good old vendor lock in going high, and fuck both.

      • Re: (Score:3, Interesting)

        Not so much +5 informative as misinformative. Let's begin.

        I've studied the entire TPM technical specification. I understand it in minute detail.

        I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker. That's fine, that's the perspective I expect most slashdotters to be coming at it from. But I'm pretty encouraged by how many people in this thread have pushed back ag

  • by westlake (615356)

    I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM.

    You want to buy a high performance x86 motherboard which for some unfathomable reasons lacks features that have become more or less standard in both the consumer PC and the enterprise markets like UEFI and are not going away any time soon. Good luck with that,

  • I've got two different systems running Arch using these boards. One of them is booting in traditional BIOS mode, and when I turned off the secureboot and followed Arch's UEFI installation procedure, I got the second one booting with UEFI just fine.

  • by Dputiger (561114) on Sunday August 11, 2013 @01:39PM (#44536539)

    TCM/TPM is often a business only feature. Consumer motherboards *frequently* don't support it. But full disk encryption programs can, and some do.

    In other words, yes, you can totally opt out of buying a motherboard with TPM, including a top-of-the-line Haswell motherboard or an AMD chip, if that's your fancy. But if you buy one, you can also use it as a layer of security for a product like TrueCrypt (I do not know if TrueCrypt specifically supports it, that's just an example). And if you don't want it, you can turn it off.

    • by Alsee (515537) on Sunday August 11, 2013 @04:01PM (#44537321) Homepage

      TCM/TPM is often a business only feature.

      That was the initial market, but the Trusted Computing Group is quite clear that they intend, as soon as they can manage it, for it to be included in all computers. And they are well on their way to achieving that. They are already included in almost all laptops, and they are increasingly showing up in desktops.

      In other words, yes, you can totally opt out of buying a motherboard with TPM

      The entire point of the Ask Slashdot is that it's becoming increasingly difficult to do so. More and more computers are being shipped with the TPM soldered in place, and without the product description mentioning that fact anywhere.

      -

  • Stallman (Score:2, Insightful)

    by Anonymous Coward

    Stallman is never "worth reading".

  • by Dredd13 (14750) <dredd@megacity.org> on Sunday August 11, 2013 @01:49PM (#44536601) Homepage

    Buy an Apple computer? They haven't had TPMs of any sort for a long time, near as I can tell from the literature.

  • By disabling it in the BIOS, or if that's not an option, don't install the driver. And since when do Blu Ray discs and Windows need the TPM to be enabled to run?

  • ...why not try these guys? https://www.system76.com/ [system76.com] Desktops and laptops available.
  • by Burz (138833) on Sunday August 11, 2013 @02:52PM (#44536943) Journal

    Anti Evil Maid is an implementation of a TPM-based static trusted boot with a primary goal to prevent Evil Maid attacks.
    http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html [blogspot.com]

  • by DarkXale (1771414) on Sunday August 11, 2013 @03:04PM (#44536993)
    TPM is normally not included in consumer motherboards. You have to purchase a separate TPModule that plugs into the motherboard's TPM header, and thats assuming the motherboard even has that header in the first place (read the specsheet). The Asus Z77 Deluxe in this machine for example - has no TPM header, and thus has no TPM. Newer versions of that motherboard firmware does include SecureBoot support - but older versions do not. However that must be manually activated, as it defaults to disabled (and consequently must be re-activated every time you reflash/update the firmware). In addition, custom keys are supported.

    TPM requires (for Intel) support from the CPU - and some consumer level CPUs (notably the K series) lack that support. The extremely common 3570K for example - cannot use TPM. So in the above case, support is missing on the motherboard level, and on the CPU level. The newer Haswell variants (for both) still has the same inability.
  • by aelliott83 (3015777) on Sunday August 11, 2013 @03:35PM (#44537161)
    There was some interesting research presented at Blackhat that pointed out the problems of using the TPM as a root of trust in your platform: https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf [blackhat.com] The essence of the research is that the TPM is not adequate as a root of trust in the platform because the code that drives the TPM/does the system measurements resides on a mutable EEPROM (the bios flash chip). Therefore any attacker that can gain access to the bios flash chip via an exploit (the researchers presented one) or via an unlocked flash chip (see Yuriy Bulygin's related work) can forge the TPM measurements that serve as the root of trust in your system. This is important because software like Bitlocker uses these TPM measurement values to determine whether or not to decrypt your harddrive...
  • I am more worried about no new laptops with the standard 8-row keyboard which has Ins/Del/Home/End/PgUp/PgDn block.

    All manufacturers that had those for business use - i.e. Dell, HP, Lenovo switched to the new consumer type layouts which are much slower for development work.

    When this keyboard layout is ressurected, I am buying a new laptop. Until then, I stick to the fastest possible laptop with such keyboard. Which, at present is Dell E6410/E6510.

    As far as UEFI and TPM - all of these can be disabled.

  • I've never seen as much misinformation on anything on Slashdot as I have on UEFI.

    UEFI does not imply secure boot. Microsoft recently baked secure boot into the most recent UEFI standard, but even if your machine is on that version, you can do a UEFI boot without going through secure boot.

    Saying UEFI and secure boot are the same thing is like saying HTML and JavaScript are the same thing. Yes, you usually find one with the other, but they're not the same thing and have different use cases. EFI is actually a

  • Awesome, 111 comment so far and not ONE SINGLE constructive answer to the OP.... Would someone just please answer the man's question and list some current motherboards with no TPM/UEFI hardware? Geez.
  • by fa2k (881632) <pmbjornstadNO@SPAMgmail.com> on Monday August 12, 2013 @07:04AM (#44540435)

    The motherboard in the subject came with a header for installation of a TPM, but no actual TPM, and supports both UEFI and BIOS. Leaving out the TPM seems like a cost saving move rather than a privacy one. [It has a LGA1155 socket, which is being phased out, but it's pretty fast with a Xeon E3-12??v2. ECC monitoring not supported on Linux, if you're interested. I wish there was a chip that was equally fast per core, but with more cores..]

    I wouldn't worry about TPMs for privacy or security anyway. There may be a backdoor in TPM, but all it could do is to negate the security of the TPM. There may be other hardware backdoors, but there is currently no way to protect against that. If the CPU had a back door that was triggered by a 128 bit pattern, or a sequence of arithmetic or floating point instructions and operands, this could be delivered over the internet to any host as part of an image file over HTTP, regardless of firewalls, VPNs and virtual machines. [The only solution I can think of would be to implement an emulator which re-maps memory addresses randomly at the byte level, and fudges the operands in calculations (maybe adds a random number to the operands, then subtracts it afterwards)]

    I would like the OP also try to stick with legacy BIOS, just for practical reasons.

How often I found where I should be going only by setting out for somewhere else. -- R. Buckminster Fuller

Working...