OLS: Linux and trusted computing

Posted Jul 28, 2005 10:57 UTC (Thu) by anonymous21 (guest, #30106)
Parent article: OLS: Linux and trusted computing

Virtually every single argument in support of Trusted Computing falls apart on the exact same grounds. You can still get all of the same benefits from an essentially identical system where you DO know your master key that controls the security on your computer. If you have a printed copy of your key, perhaps kept in a safety deposit box if you like, all of the security functions on your computer still work for you. You can still seal your data and you can still control what software may and may not run on your computer and any unauthorized system alterations will still be detected and locked out.

Trusted Computing is not merely a tool that can be used for good or bad. Trusted Computing is like a nutritious apple containing a poison pill. The Trust chip is designed to keep secrets against its owner, designed to be secure against the owner. Advertising the vitamins a poisoned apple contains does not justify the poison pill. All of the talk of vitamins just means that you want to buy an apple without the poison pill.

The TPM is specifically designed to forbid the owner to know his own key and be secure against its owner. The arguments supposedly supporting Trusted Computing are simply invalid when they list all of these examples that do not justify nor require forbidding the owner to know his own key. If people want to argue those benefits and argue for new hardware, fine, then they should argue for new hardware with these exact same capabilities where the owner has the additional benefit of being allowed to know his own keys, not an anti-owner system designed to be secure against the owner. The fact that you know your own key does not prevent your computer from protecting you. Knowing your key allows you full control over your computer and the ability to unlock your files if and when you need to do so. Knowing your key allows you to avoid being locked out or locked in to anything.

An additional issue is that Trusted Computing defeats the GPL. Under Trusted Computing source code often becomes entirely useless. If you attempt to modify Trusted Computing GPL software then the Trust chip will detect this modification and the chip will forbid you to read any 'secured' files. The Trust chip will also attest that the software is 'corrupt', and interoperability and internet connection attempts can and will fail. The modified software may technically run, but it simply will not work. Trusted Computing defeats the GPL and can make the source code useless because it forbids the owner to know his own key to unlock his own computer and unlock his own data.

Not only does Trusted Computing defeat the GPL, but it will also begin to strangle Linux development if there is a move to Trusted Linux. Under such a Trust system much software will only run on a certified and unmodified Trusted Linux, various files will only be readable on a certified and unmodified Trusted Linux, and various websites and other network protocols will not work if you do not have a certified and unmodified Trusted Linux. It becomes almost impossible for most people to develop and test and contribute improvements and fixes for Linux if any attempt to modify and recompile causes most of your system to break. Trusted Linux is an evolutionary dead end, with most contributors locked out.

Another major issue is Trusted Network Connect (TNC), a new specification documented on the Trusted Computing Group's website. Microsoft has issued a press release that they are implementing this system under the name Network Access Protection (NAP). This is a system that first checks if your computer has a Trust chip, then checks the exact operating system you have, and then checks exactly what software you are running. If you are not running an authorized and unmodified operating system then you are quarantined. Note that "quarantined" is the exact word used in the documentation; it means you can be denied any network connection at all. If you are not running certain mandatory software, specifically authorized and unmodified software, then you can again be quarantined and denied any internet connection at all.

The proper response to Trusted Computing is "I want to know my own key. No key, no sale".



OLS: Linux and trusted computing

Posted Jul 28, 2005 19:19 UTC (Thu) by Fats (subscriber, #14882) [Link]

> You can still get all of the same benefits from an essentially identical system where you DO know your master key that controls the security on your computer.

You need to hide the master key when you want to be able to do something only on your machine. If you do know your master key, it means other people can know your master key and replicate it on other machines. This way they can steal things from your machine you want to have locked to your machine.

> An additional issue is that Trusted Computing defeats the GPL. Under Trusted Computing source code often becomes entirely useless. If you attempt to modify Trusted Computing GPL software then the Trust chip will detect this modification and the chip will forbid you to read any 'secured' files.

They can forbid you running the modified code on the same machine but they cannot forbid you adapting the code to run on machines not having a TPM chip. So yes, they forbid you one of the reasons of the existence of the GPL, e.g. to be able to bug fix code for the machine, but they cannot lock down the code.

Staf.

OLS: Linux and trusted computing

Posted Aug 17, 2005 18:33 UTC (Wed) by dmag (subscriber, #17775) [Link]

> You can still get all of the same benefits from an essentially identical system where you DO know your master key that controls the security on your computer.

No. Any ordinary system must have the keys to decrypt the data on disk. Popping out the hard drive will let you decrypt all the data. TPM allows the data to be encrypted/decrypted without storing the key on disk.

> The Trust chip is [..] designed to be secure against the owner.

Yes and no. See http://trousers.sourceforge.net/faq.html#3.4

> Under Trusted Computing source code often becomes entirely useless.

No. You don't understand how the TPM works. In "Trusted computing", all software (bootloader, OS, etc) must constantly talk to the TPM. The TPM contains *no* code. The TPM makes no decisions, only reports checksums and the like.

All "trusted computing" platforms will boot existing software just fine. You can decide not to run TPM software. You can always take GPL software and re-compile it for your own computer.

> it will also begin to strangle Linux development if there is a move to Trusted Linux.

No. Remember, if you have a "trusted computer", you can still pop in your favorite Linux distro and start hacking. Worst case, you have to pop out the hard drive to reformat. Trusted computing is not designed to prevent that. (If it was, nobody could boot Windows!)

> any attempt to modify and recompile causes most of your system to break

If someone sells a complete "Trusted Linux Kiosk certified by the maker", you won't be able to 'simply' modify it. On the other hand, you will be able to wipe the hard drive and make a Trusted Linux Kiosk certified by you.

> Under such a Trust system much software will only run on a certified and unmodified Trusted Linux,

An application vendor who wishes their software to only run on a TPM machine will have to weigh the pros and cons of the market. They may find that very few Linux users will want to run in TPM mode, using only certified (read expensive) software.

> various files will only be readable on a certified and unmodified Trusted Linux,

Again, this requires application support. Don't buy applications that use TPM if you don't want to. And those GPL programs that do use TPM, you can just comment out a few lines and recompile for your system.

> various websites and other network protocols will not work if you do not have a certified and unmodified Trusted Linux.

Here's how that would work: Microsoft releases Windows Trusted 1.0. The website requests a (signed) checksum of all running software on the machine. The website has a list of all valid checksums (program x running, program y running, program x + program y running). If your checksum isn't on the list, they complain and don't let you in.

But then Microsoft releases Windows Trusted 1.1 and 1.1a hotfix and 2.0 and 3.11 and 6.9... Every website will have to keep up with *all* the valid checksums for all possible combinations of software, or risk ire from their users. Suddenly, it's a full-time job because the list of good checksums will explode combinatorially. And anytime a flaw is discovered, the checksum has to be taken off the list.

Banks would love to use this, but they will find it unworkable. It certifies the computer software, but not the user. And a 'certified' executable with a remote buffer exploit is still a 'certified' program until it's taken off the list. Oops.

Corporations will use this to prevent bad stuff running on their corporate laptops, and to certify that everything is still ok when they dial-in.

Linux will support TPM as an additional (optional) security module. It's about as dangerous as SELinux.
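A small simulation of the allow-list scheme dmag describes above (added here as an illustration; it is not code from the thread or from any TPM implementation). It models PCR-style measurement chaining, a verifier's list of "golden" values for every permitted combination of software, rejection of a patched or reordered stack, and the revocation of every entry containing a flawed component. Component names and their "file contents" are constructed stand-ins, and the quote signature a real TPM would add is left out.

```python
import hashlib
import itertools


def measure(component: str) -> bytes:
    # Constructed stand-in: a component's "file" is just its name encoded, so a
    # patched build ("kernel-1.0-patched") measures differently from "kernel-1.0".
    return hashlib.sha256(component.encode()).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # PCR-style extend: new = H(old || measurement). One-way and order-dependent,
    # so the final value commits to the whole boot sequence, not just its members.
    return hashlib.sha256(pcr + measurement).digest()


def final_pcr(components) -> bytes:
    # The value a platform would report after measuring every component in boot order.
    pcr = bytes(32)
    for name in components:
        pcr = extend(pcr, measure(name))
    return pcr


def build_allow_list(core, optional) -> dict:
    # One golden PCR value per permitted combination of optional software on top of
    # the core stack: 2**len(optional) entries, the combinatorial growth dmag describes.
    allowed = {}
    for r in range(len(optional) + 1):
        for combo in itertools.combinations(optional, r):
            stack = tuple(core) + combo
            allowed[final_pcr(stack)] = stack
    return allowed


def verify(reported_pcr: bytes, allowed: dict):
    # Returns the recognised software stack, or None for anything not on the list
    # (a patched binary, a different version, a reordered or unexpected program).
    return allowed.get(reported_pcr)


def revoke(allowed: dict, flawed: str) -> dict:
    # When a flaw is found in one component, every combination containing it must go;
    # until that happens the flawed stack stays "certified", exactly as the post notes.
    return {pcr: stack for pcr, stack in allowed.items() if flawed not in stack}
```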

OLS: Linux and trusted computing

Posted Nov 21, 2007 21:16 UTC (Wed) by toad (guest, #49198) [Link]

So what you're saying is Trusted Network Connect is harmless because it's impractical. And then you're saying that corporations will be able to make it work anyway. Contradiction! Clearly Microsoft will maintain the list of allowed hashes, or get an impartial industry body to do it for them. If TNC doesn't work then MS has spent many many years on this for no purpose: they will make it work. How? By only certifying core parts of the system, which include the anti-malware system, which does the rest. The list of allowed hashes won't be that big anyway, because they'll require you install the latest security patch within a short period of its being released - immediately if it's not too intrusive. And then we'll be one big happy family, with your user-modified Linux PC not able to connect to your bank, your hardware retailers of choice, your webmail provider, and eventually the internet itself. And of course, China will love it: total control of cyberspace, once and for all! It might even bring them back to Microsoft, but more likely they'll grow their own.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds