Ask Slashdot: Best/Newest Hardware Without "Trusted Computing"?
An anonymous reader writes "What is the best/newest hardware without trusted computing (TC) / Trusted Platform Module (TPM)? I am currently running ancient 32-bit hardware and thinking about an upgrade to something x64 with USB3, SATA3 and >1 core on the CPU ... but don't want TC/TPM. I have no need to run anything like Blu-ray movie discs or Microsoft Windows that requires TC/TPM or the UEFI boot process. Is anybody else still trying to avoid TC/TPM? What have your experiences been? Any pointers?" Worth reading on this front, too: Richard Stallman on so-called Trusted Computing.
get a mac. (Score:1, Interesting)
At the time of this writing (October 2006), the newest Apple computer models, such as the Mac Pro and possibly the revised MacBook Pro and the revised iMac, do not contain an onboard Infineon TPM. Apple could bring the TPM back, perhaps, if there were enough interest (after all, it is increasingly common to find TPMs in current notebook computers), but that's another story.
Re:What? (Score:4, Interesting)
Even if you do turn it on, it only goes about doing what you ask it to do. You can use it to pull some random numbers from, for instance, and completely ignore the cryptographic functions. And neither UEFI nor Secure Boot has anything to do with TPM. That's completely separate and, on every x86/x86_64 machine I know of, able to be easily run in custom mode with your own keys (and no one else's keys), or disabled entirely.
So if you're being paranoid about this because of fears about spying or remotely taking over your computer... Well, you're being paranoid. If you're scared of that because of TPM, you should be much more scared of that because of not having the complete specifications to rebuild the computer from a hunk of silicon.
Re:Why? (Score:2, Interesting)
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys. Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Yeah, and theorizing that Big Brother really IS watching over you just because it's theoretically possible is just plain wr-oh, wait, that actually did happen, because the people in power can be expected to abuse any technology available to them if we just turn a blind eye to it and ignore the possibility! That's a great strategy, nothing to see here folks, bury your head in the sand, etc. like usual.
Re:ThinkPenguin.com's against trusted computing... (Score:2, Interesting)
The issue for Lenovo (I don't know about Dell) is that the BIOS has a whitelist of approved cards for those internal slots, and if you plug in a card not on the list the computer won't boot. However, Lenovo doesn't sell laptops with unsupported cards, so you'll only see the issue when you try to manually upgrade it (and how many users do that?). For the power users who do open the case to upgrade, there are modified BIOSes that remove the whitelist. And before you start saying how bad Lenovo is for blocking other cards, they are legally not allowed to support non-certified cards due to FCC regulations. Blame the FCC, not Lenovo.
For some of the older ThinkPads, the internal PCI-e slots are not standard. They're USB based and not PCI-e based, so while they look standard, not all cards will work in them. I just ran into this issue wanting to add an mSATA SSD to a T60p.
Re:TPM often left off (but can work FOR you). (Score:4, Interesting)
TCM/TPM is often a business only feature.
That was the initial market, but the Trusted Computing Group is quite clear that they intend, as soon as they can manage it, for it to be included in all computers. And they are well on their way to achieving that. They are already included in almost all laptops, and they are increasingly showing up in desktops.
In other words, yes, you can totally opt out of buying a motherboard with TPM.
The entire point of the Ask Slashdot is that it's becoming increasingly difficult to do so. More and more computers are being shipped with the TPM soldered in place, and without the product description mentioning that fact anywhere.
Re:Why? (Score:3, Interesting)
I've studied the entire TPM technical specification. I understand it in minute detail.
I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker. That's fine, that's the perspective I expect most slashdotters to be coming at it from. But I'm pretty encouraged by how many people in this thread have pushed back against the normal FUD I expect to see here.
The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys
Forbidden from getting them out of the TPM, not forbidden from using them in ways that allow for guaranteeing security properties. If you can just export the key from the TPM onto your normal OS, how would you ever know you were talking to a TPM instead of malware pretending to be a TPM? If you could just ask the TPM to sign something for you with the protected keys, why could the attacker not arbitrarily ask for forged data to be signed?
The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement Key, these Attestation spy-reports wouldn't be secure against the owner.
An amazingly hyperbolic statement for someone who claims to have read the specs.
1) "The chip" tracks your hardware does it? You understand that the TPM is a completely passive chip waiting for people to come along and send it data, don't you?
2) Same point, again. If you export the EK into the OS, any malware anywhere can forge the attestation state, saying that the system is in a state it is not in. It could say it's infected when it's not, so it gets reimaged by corporate IT, or it could say it's not infected when it is, so the attacker has the run of the network.
3) Only a few large companies are actually using TPMs and remote attestation for things like trusted network connect (just NAC with a TPM-signed configuration), but in reality your FUD-drenched picture of the "spy-reports" (really? wow) being sent out gives the trusted computing folks too much credit. Since no one's using it at the OS level, almost all attestation report data is just the BIOS collecting data about itself. And as people showed at BlackHat recently, vendors like Dell don't actually do a very good job of collecting relevant information, collecting just the bare minimum to make BitLocker work - https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf [blackhat.com]
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Citation needed ;) I'm sure you're misinterpreting some physical tamper-resistance line. I agree with that person, it's really just a keystore (and a really, really slow RC4/SHA1 implementation).
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
It's great that you've read the specs and all, and somehow latched on to the imaginary phrase "secure against the own
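The exchange above turns on one mechanism: PCRs can only be extended, and the attestation key never leaves the chip, so a quote over the PCRs is worth something to a remote verifier only because host software cannot produce one itself. The following is an added toy model written for this page, not code from the original thread, from the TCG specifications or from any real TPM stack. It assumes a TPM 1.2-style SHA-1 extend, uses an HMAC as a stand-in for the RSA quote signature (so the verifier holds the same secret where a real verifier would hold the AIK public key), and uses constructed measurement strings rather than real firmware hashes. It shows a clean boot attesting, a rootkit kernel being caught even though it owns the OS, a forged quote failing without the key, and the same forgery succeeding if the key were exportable, which is the case the comment warns about.

```python
import hashlib
import hmac
import secrets

PCR_LEN = 20  # TPM 1.2 PCRs are SHA-1 sized


def extend_value(old, measurement):
    """TPM 1.2 PCR extend: new = SHA1(old || SHA1(measurement)).
    One-way: a PCR can be driven forward but never reset to a chosen value."""
    return hashlib.sha1(old + hashlib.sha1(measurement).digest()).digest()


def expected_pcrs(golden):
    """Replay a log of known-good measurements to get the PCR values a clean boot yields."""
    out = {}
    for idx, measurements in golden.items():
        v = b"\x00" * PCR_LEN
        for m in measurements:
            v = extend_value(v, m)
        out[idx] = v
    return out


def quote_message(nonce, pcrs):
    """Canonical bytes covered by a quote: the verifier's nonce plus the selected PCRs."""
    return nonce + b"".join(bytes([i]) + v for i, v in sorted(pcrs.items()))


def sign_quote(aik, nonce, pcrs):
    # Assumption: HMAC stands in for the RSA signature a real TPM makes with the AIK.
    return hmac.new(aik, quote_message(nonce, pcrs), hashlib.sha256).digest()


class SimTPM:
    """Constructed toy TPM: passive, it only extends PCRs and signs quotes on request.
    `_aik` models the non-exportable attestation key; no method returns it."""

    def __init__(self, aik, num_pcrs=24):
        self._aik = aik
        self._pcrs = [b"\x00" * PCR_LEN] * num_pcrs

    def extend(self, index, measurement):
        self._pcrs[index] = extend_value(self._pcrs[index], measurement)

    def quote(self, nonce, indices):
        pcrs = {i: self._pcrs[i] for i in indices}
        return pcrs, sign_quote(self._aik, nonce, pcrs)


class Verifier:
    """Remote side: holds the AIK (standing in for the enrolled AIK public key)
    and the golden measurements of the boot chain."""

    def __init__(self, aik, golden):
        self._aik = aik
        self._expected = expected_pcrs(golden)

    def check(self, nonce, pcrs, sig):
        if not hmac.compare_digest(sign_quote(self._aik, nonce, pcrs), sig):
            return False  # not produced by the AIK for this nonce: forgery or replay
        return all(pcrs.get(i) == v for i, v in self._expected.items())


# Constructed sample boot chain (labels, not real firmware hashes).
GOLDEN = {0: [b"bios-v1.07"], 4: [b"grub-2.00"], 8: [b"vmlinuz-3.10"]}
ROOTKIT_KERNEL = b"vmlinuz-3.10+rootkit"


def boot(tpm, kernel):
    tpm.extend(0, GOLDEN[0][0])
    tpm.extend(4, GOLDEN[4][0])
    tpm.extend(8, kernel)


def attest(tpm, verifier):
    nonce = secrets.token_bytes(16)  # fresh per request, so old quotes cannot be replayed
    pcrs, sig = tpm.quote(nonce, [0, 4, 8])
    return verifier.check(nonce, pcrs, sig)


def scenario_clean_boot():
    aik = secrets.token_bytes(32)
    tpm, verifier = SimTPM(aik), Verifier(aik, GOLDEN)
    boot(tpm, GOLDEN[8][0])
    return attest(tpm, verifier)  # True: PCRs match and the quote is genuine


def scenario_tampered_kernel():
    aik = secrets.token_bytes(32)
    tpm, verifier = SimTPM(aik), Verifier(aik, GOLDEN)
    boot(tpm, ROOTKIT_KERNEL)
    # The rootkit owns the OS but can only extend PCR 8 further, never un-extend it.
    return attest(tpm, verifier)  # False: signature valid, PCR 8 wrong


def scenario_forged_quote(key_exported):
    """Malware fabricates a clean-looking quote. Without the AIK it cannot sign it;
    if the AIK were exportable to the OS, the forgery verifies."""
    aik = secrets.token_bytes(32)
    tpm, verifier = SimTPM(aik), Verifier(aik, GOLDEN)
    boot(tpm, ROOTKIT_KERNEL)
    nonce = secrets.token_bytes(16)
    fake_pcrs = expected_pcrs(GOLDEN)  # golden values are public knowledge
    signing_key = aik if key_exported else secrets.token_bytes(32)
    return verifier.check(nonce, fake_pcrs, sign_quote(signing_key, nonce, fake_pcrs))
```

The design point to take from the model is that nothing in `SimTPM` lets the host read `_aik` or write a PCR directly; those two omissions are the whole security property, and `scenario_forged_quote(True)` is what the property degrades to once either is relaxed.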
Re:What? (Score:4, Interesting)
vPro requires a fair amount of setup to use, so claiming that it's going to be backdoored is really just silly.
You failed to read my first link.
"Intel's vPro technology provides IT managers with a collection of security and manageability features, including remote access to the PC independent of the state of the operating system or that of the computer's power. The newest vPro processors include an identity protection technology with public key infrastructure (Intel IPT with PKI), which provides a new second layer of authentication embedded into the PC that allows websites and business networks to validate that a legitimate user is logging on from a trusted PC by using a private key stored in a PC's firmware."
So it allows remote access to the machine using a remote access facility built into firmware, and for which source code is not provided by Intel to allow it to be audited by an independent third party.
For "websites and business networks", read "media distribution companies intent on renting you something instead of selling it to you, even though book licenses are why we started granting media companies copyrights in the first place"; i.e. it was in trade for them not being assholes, but now they are back to being assholes, and have lobbied legislators like Pelosi and Feinstein to get the DMCA passed and criminalize a civil matter.
I'd rather my machine not identify me in a non-repudiable way to a remote attacker of my Article 12 rights under the U.S. Constitution, thanks.
Re:TPM - Its never there (Score:4, Interesting)
TPM - Its never there
It's already in essentially all laptops, it's already in essentially all "business class" desktops, it's already in some "personal class" PCs, and it's MANDATORY in ALL new Windows PCs as of 16 months from now. [microsoft.com]
Ummmm yeah........ "never".