Garrett: A short introduction to TPMs

[Posted May 7, 2013 by corbet]

Matthew Garrett has posted an introduction to the trusted platform module (TPM) chip and what can be done with it. "I've been working on TPMs lately. It turns out that they're moderately awful, but what's significantly more awful is basically all the existing documentation. So here's some of what I've learned, presented in the hope that it saves someone else some amount of misery."

Garrett: A short introduction to TPMs

Posted May 8, 2013 4:45 UTC (Wed) by cmrx64 (guest, #89304) [Link] (1 responses)

It seems he gets stuck doing all the miserable things nobody else wants to do.

He's a good sport about it though. Must be lots of alcohol involved.

Garrett: A short introduction to TPMs

Posted May 14, 2013 14:11 UTC (Tue) by ortalo (guest, #4654) [Link]

And a pretty nice amount of good will from him too.

Now that he has looked at TPM, I'd really like him to give a hand at smartcards and their usage in Linux for authentication. Especially the OpenPGP card. Especially him and one of these cards for securing the system boot process (on a physically controlled computer). Wow, it would make such an informed comparison of techniques...

I know I am abusing. (Should good will be abused? On the contrary of alcohol...) However, I would happily share a few good additional bottles of wine in case there's a need, possibly even complemented by the solid substances needed to support it. (But I am living in a region that usually makes such offers noteworthy.)

So few TPM users

Posted May 8, 2013 10:38 UTC (Wed) by kbengston (guest, #6153) [Link] (5 responses)

With such limited uptake of the technology after so many years, I wonder why TPM chips haven't been cost-reduced out of our PCs yet?

So few TPM users

Posted May 8, 2013 10:49 UTC (Wed) by lindi (subscriber, #53135) [Link]

Most consumer gear does not have a TPM. On professional laptops it is widely used for Windows bitlocker disk encryption afaik.

So few TPM users

Posted May 8, 2013 20:59 UTC (Wed) by rahvin (guest, #16953) [Link] (2 responses)

It's widely available in corporate laptops/computers. I believe a significant portion of the Fortune 500 use them for drive encryption of important and sensitive data. I believe it's pretty well required for compliance with HIPPA so most medical institutions are required to use it. The claimed features could be pretty handy, but I think part of what keeps them out of use is the absolutely horrible software. Honestly the manufacturers should open source the specs and interfaces, it would probably result in more sales and use of the technology.

So few TPM users

Posted May 8, 2013 22:16 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

TPM specs are actually open. It's just that using them is not that trivial and easy to get wrong.

I've used them in past (in medical industry) for remote attestation on trusted boots to make sure that servers are physically secure.

So few TPM users

Posted May 8, 2013 22:17 UTC (Wed) by luto (guest, #39314) [Link]

The relevant data is freely available. I've used it, and it's actually not completely awful. What is rather awful is the officially sanctioned API between the various components of the software stack (e.g. TSPI). What's even worse is the undocumented TCP-based protocol that client software uses to talk to the trousers daemon.

The ChromeOS people have a project called "trunks" that's rather special-purpose but avoids relying on trousers.

Shameless plug: My tpmkey project has been languishing. Eventually I'll spruce it up and make it awesome. Anyone want to help?

So few TPM users

Posted May 16, 2013 12:10 UTC (Thu) by phred14 (guest, #60633) [Link]

I've been thinking of building a new computer this fall, and one of the candidate mobos by Asus has a TPM option for about $20. The last several corporate laptops I've had have had TPMs.

I've been interested for some time now about actually using one of these TPMs for my own security purposes. One of these days, maybe...