Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"? 290
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module(TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu Ray movie disks or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing,.
What? (Score:4, Informative)
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
Get over it... (Score:1, Informative)
You don't HAVE to enable TPM. It's a bios option in most of the mobos i've seen so far. Most don't even have anything in that plug. They just include a tpm header to plug that in someday. Even UEFI is just a plain ol bios unless unless you run something that requires the stupid security shit.
If you're REALLY dead set on not even having it at all... You're going to be stuck 2 generations ago forever.
Mobo mfgs included it because its easier to make one product line that has it all. It's not going to take over your system unless you install software that requires that.
ThinkPenguin.com's against trusted computing... (Score:5, Informative)
I'd get in touch with ThinkPenguin. The company avoids trusted computing, non-free dependencies, and other digital restrictions that are bad for users. HP, Lenovo/IBM, Dell, Toshiba, Sony, and Apple are enemies of user freedom and should be avoided. They ship systems with digital restrictions and/or propitiatory pieces that prevent users from replacing things like the wifi in what is otherwise a standard slot. As a result if you get a system with a unsupported wifi card you can't replace it- or in other examples eventually move to a distribution that is 100% free like Trisquel or Parabola GNU/Linux.
ThinkPenguin's been working with the free software foundation on various issues like USB wireless cards and other projects. They helped bring a new chipset to the free software community (ar9271 and the older ar9170). They also don't ship parts/computers dependent on non-free drivers/firmware. The only real exception is the BIOS. That might change if the company gets enough support. Right now it is a non-trivial and significant task to fix. Particularly when every user wants a different configuration and demands the absolute latest in specs (like Haswell for example).
Not this shit again (Score:3, Informative)
The story about the TPM was a load of horseshit FUD. TPMs are good if you want secure crypto key storage. If you don't, use a tinfoil hat.
"Secure boot" is the thing you want to avoid if you're suitably paranoid.
Re:What? (Score:2, Informative)
No you're not missing anything. Even UEFI can be turned off on nearly every motherboard out there, my mobo from my new build early this year has UEFI and I could turn it off if I want. Right there in the menu selections. Though most good consumer boards also support TPM as an option. As you said, just don't buy the module. Even the mid-range MSI board I recently picked up supports it.
Re:get a mac. (Score:2, Informative)
Yawn. Obsolescence built in, with each OSX "upgrade" Apple drop support for a whole generation of hardware. Quad core xeons are now in limbo. Yes, that standard Intel and PCI system is already at a dead end. When the next cat OS is released with a slightly changed icon set, the next top end systems will be excluded.
And as for imacs, zero upgradability other than RAM and high failure rates, also suffer from OSX obsolescence.
So, no, don't go down the Apple route unless you intend to replace the whole system to stay current, even if it doesn't need it.
My 2008 MacBook is still receiving upgrades, and will get Mavericks. Upgraded the ram to 8gb and I'm doing just fine.
Re:What? (Score:5, Informative)
Turn off... UEFI...
The fuck? UEFI is a replacement for BIOS; "disabling" it would entail disabling your system's ability to boot at all. Likely what you mean is Secure Boot, which is an optional feature for newer UEFI systems that caused a bunch of stink with Windows 8.
Re:ThinkPenguin.com's against trusted computing... (Score:4, Informative)
you didn't hear about IBM/Lenovo requiring you to use *THEIR* wifi cards in the laptops? A non-IBM braneded but exactly the same model, wouldn't work because the BIOS checks for it. Pretty widely reported here on slashdot.
Re:What? (Score:5, Informative)
No, you don't turn UEFI off. What you do is activate the CSM, which emulates older BIOS calls and maps them to UEFI functionality.
Re:Get over it... (Score:4, Informative)
No they don't. They started shipping with them in the mid 2000's, but never built a driver for one, and stopped including it in their hardware in 2009.
Thanks for playin', though.
TPM - Its never there (Score:5, Informative)
TPM requires (for Intel) support from the CPU - and some consumer level CPUs (notably the K series) lack that support. The extremely common 3570K for example - cannot use TPM. So in the above case, support is missing on the motherboard level, and on the CPU level. The newer Haswell variants (for both) still has the same inability.
Re:What? (Score:2, Informative)
Even UEFI can be turned off on nearly every motherboard out there, my mobo from my new build early this year has UEFI and I could turn it off if I want. Right there in the menu selections. Though most good consumer boards also support TPM as an option.
This is only half-true. I have disabled UEFI boot on my ASRock Z68 Extreme3 Gen3, but when attaching a USB mass storage device, there is still a substantial delay if it is a mechanical drive while it searches for bootable partitions. This behavior shouldn't happen if UEFI is truly disabled -- and this behavior is unique to UEFI motherboards. If boot from USB is disabled on pre-UEFI motherboards, this does not happen.
As well, I cannot prevent UEFI firmware from being loaded from devices; I can only set a preference to use "legacy" firmware. However, if such "legacy" firmware isn't found, it will still load via UEFI. It will also boot from UEFI if there are not any non-UEFI boot options available; I tested this by plugging in a flash drive which was UEFI boot-compliant and physically disconnected all other devices. It booted, even though it was disabled in the BIOS.
As well, the TPM module in most motherboards cannot be disabled. You have the option of not using it; However, its functionality can be accessed at any time. This includes, amongst other things, key storage and access to a unique identifier. This functionality can be "disabled" by the OS, which under Windows means it will not use the TPM, but user-space applications can still execute TPM operations, including (for example) ActiveX controls embedded into web pages and video games.
The only way to disable the TPM is to physically remove it from the motherboard, however in current models this is typically integrated directly into the BIOS chip, thus it may not be possible to disable it without destroying the motherboard.
TPM research at Blackhat (Score:3, Informative)
Re:Why? (Score:5, Informative)
As usual, people fear what they don't understand.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Lets make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of they keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone:
Just say "I want my keys", NO KEYS, NO SALE
-
Re:What? (Score:4, Informative)
Don't buy a TPM module? Just because a motherboard supports it doesn't mean you have to turn it on... or am I missing something?
It's pretty much impossible to get a new system with any reasonable compute ability without at least some form of back doored TPM-like facility these days. For example, the new Intel Ivy Bridge Chipsets have vPro, which gives similar capabilities. Likewis, the new AMD systems currently being planned have the ability to run TZones in the on-board ARM processor to implement a software TPM, as long as they aren't exposed out directly.
http://www.hardwaresecrets.com/news/Intel-Launches-Ivy-Bridge-CPUs-with-vPro-Technology/6464 [hardwaresecrets.com]
http://newsroom.intel.com/community/intel_newsroom/blog/2012/05/15/intel-strengthens-security-boosts-performance-for-business-with-3rd-generation-intel-core-vpro-platforms [intel.com]
Re:What? (Score:3, Informative)
1) "girlintraining" is a "dude"
2) GPS usage in every cellphone I've seen drains battery fast. I don't care what can be designed--the reality is GPS receivers in phones do drain battery fast
3) girlintraining has plenty of good constructive input, and it's very welcome here. That doesn't mean she's been right in every one of her posts, in fact, I've had a few horribly inaccurate posts of my own, as nearly everyone does.
Yes, I know I just fed the troll, but I felt it needed to be said, if only to let girlintraining know that there are some people who find many of her posts engaging and educational.
Re: get a mac. (Score:5, Informative)
mean while, you can run Windows 8 on any Pentium 4.
Actually no you can't. Windows 8 unlike Windows 7 requires PAE, NX, and SSE2. NX was introduced into later Pentium 4 Prescott models, but not earlier Willamette and Northwood models. Win 8 Betas did run on these platforms, but RTM will refuse to install on them.
Re:What? (Score:5, Informative)
Exactly.
And it's been a long while since you could get a native BIOS motherboard - it's been (U)EFI since the Core series of processors were first released by Intel. Prior to this, Intel released both BIOS and EFI code for the processors. Since then, it's been (U)EFI only. It's just that since 2006 or so, by default the EFI boots into a BIOS emulator that gives you the BIOS you know and love.
It's only in the past 2 years or so has the actual UEFI interface been accessible to users (other than through an Apple Mac, that is). Intel has provided EFI code since the turn of the millennium, as well, so it's actually older than you think.
Initially, Apple's Boot Camp utility installed the BIOS emulator on early Macs because they shipped without it and thus couldn't boot Windows. Later Macs have it baked into the firmware and you can just boot it directly. Hell, Apple even slipstreams the drivers into the OS image now so you don't have to install afterwards.
Linux has supported EFI boot since I don't know when. IA-64 (Itanium) definitely, but it got ported to x86 a long while back too. Of course, you could really only use it on a Mac until recently...
Re:No kidding (Score:5, Informative)
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center: [microsoft.com]
"Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We re working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
-
Re:Ok then TURN IT OFF! (Score:4, Informative)
There's lots of screaming about it, that is backed up by a big lack of knowledge about it.
I've studied all one-hundred-plus pages of the TPM technical specification. I know how it works in detail.
It really seems like something that some people just want to be a big evil issue so they pretend it is.
At one point the TPM technical specification explicitly names the owner of the computer as a potential "attacker", and explicitly states the chip must be secure against the owner. And in about a hundred places it endlessly mandates that the chip is forbidden to allow anyone, which includes the owner, to ever access the master keys.
I could see the issue if this was being required, but it isn't.
Microsoft has declared they plan to make it mandatory starting less then a year from now.
-
Re:Prove you're right: Show me how to get my keys (Score:4, Informative)
Help me judge which of you is right.
Alsee says I can't have the keys to the TPM which comes with the computer I buy. You disagree with Alsee.
No, he explicitly agreed with me on that point:
I said: "The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys"
He said: "Forbidden from getting them out of the TPM"
That's agreement.
He merely followed up with a lame explanation "not forbidden from using them in ways that allow for guaranteeing security properties". The Trusted Computing definition of "security properties" explicitly includes security against the owner. "Guaranteeing security properties" means you are unable to read or alter your own files in Sealed Storage [wikipedia.org]. An example "security property" would be that you cane read (and run) a Sealed-Storage program without securely verifying that the date it is within the approved software-rental period. Or think DRM music file, the "security property" is that the chip won't let you play the music except with the approved DRM-music player, and only if it decrements the number of plays remaining in the pay-per-play count.
It also means enforcing the security of Remote Attestation [wikipedia.org], which in plain English means a cryptopgraphically secure "spy report" sent out to other people over the internet telling them exactly what software you are running. For example if you had your master keys you could tell a website that you aren't running an ad-blocker when you actually are. That would violate the anti-owner "security properties".
That's why your forbidden to have your keys.... then other people could not Trust that your computer would enforce anti-owner "security properties" against you.
Standard line argument is that it's all A-ok because it's all "opt-in". If you don't "opt-in" all "security properties" are still enforced against you, enforced in the sense in that nothing works (you can't violate security if nothing works and you can't do anything). If you don't "opt-in" you're denied any ability to read or modify Trusted-secured Files, if you don't "opt-in" you're denied the ability to run Trusted-secured programs at all, if you don't "opt-in" you won't be able to access websites at all if they use the Trust system to ensure you don't copy pictures or to check if you're running an ad-blocker. And if you don't "opt-in", then in a few years you might be denied internet access. The Trusted Computing group has created something called Trusted Network Connect, and Microsoft has an equivalent version called Network Access Protection. That's a system where a network (or your ISP) can ask for a Trusted Health Check. A "Health Check" is that spy report I mentioned before, it reports the exact software running on your computer. The "Health Check": ensures that you're not infected by a virus(*), and ensures that you're running an approved operating system with ALL of the mandatory patches, and enforces that you're running any mandatory "security software" they want you to run, and that you're not running anything they don't want you to run. And if you don't "opt-in" then you can't pass the "Health Check", and your computer is "quarantined".... no network access access. Obviously no ISP could ever deploy something like that.... not unless most customers already had Trust Chips in their Computers.... oh yeah Microsoft is making Trust Chips mandatory in all new PC's 16 months from now. But even then it would obviously be several more years before most people had Trusted PC's, before ISPs could deploy that sort of "Trusted Health Check" to get internet access. But don't worry, this is all a good thing.... it's just a Health Check.... to ensure you're not infected and spreading viruses
As he explained, there's nothing evil about the system.... they
Re:What? (Score:4, Informative)
I wanted a TPM too and I ended up with the HP8560w laptop. A bit pricey for a hardware encryption chip, but not as expensive as a few years ago.