bit-tech.net

Gigabyte TPM Explained


TPM - still to be feared?

There has been a lot of FUD about TPM devices in the past, so we're going to try to separate some of the crap misconceptions from what the device actually does.

First of all - it will NOT lock down your PC, it will NOT lock your hardware to your software, it will NOT record any personal data and it will NOT limit software/hardware use to "authorised devices/applications" only. (At least, in this instance; Gigabyte was very insistent that its product was for the benefit of the user.)

Gigabyte is working with Infineon to provide a secure sector(s) of a hard drive(s) that is locked down by a personal key. You can have multiple keys and multiple partitions on the same drive and removing the drive from the case renders that information hidden and encrypted until it gets the key again.

The latest generation stores the Primary and User key on both the drive and the TPM device. It used to be the drive only, but if the drive developed bad sectors or the key was corrupted, your access to the secure data was completely lost. You can encrypt either a section of a current drive or an entire drive, and thanks to Gigabyte's SATA to eSATA PCI brackets that connect directly to the ICH10R, it can even be an external drive, making it easier to take with you. Flashing the BIOS also doesn't affect it because the TPM data is kept encrypted in a different sector on the back-up BIOS only.

Gigabyte also includes an optional install called "Ultra TPM". This, Gigabyte claims, adds an extra level of security and convenience by allowing a USB key to be encrypted and the key copied there as well. This means that you have an extra backup of the key if your entire PC dies in a catastrophic failure (although not your hard drive, we assume), and you can use the USB key like an actual physical key: plugging it in instantly allows access to the corresponding encrypted data without having to re-input your private key.

Gigabyte's argument for this is "You wouldn't leave your car keys in the car"; however, we also see many security vulnerabilities. If your keys and notebook are both in your briefcase or bag and that's stolen, the thief doesn't need to get the key out of you, and in cases of industrial espionage someone only has to steal your keys to get access to your work PC without you being there.

We suggested that uploading the key to a secure online server would be a good option: if someone hacked the server for a passkey, they would still need access to the machine itself, and keeping the key on a secure FTP server gives you an off-site backup you can access from anywhere. Anyone determined enough to hack the FTP server for the passcode is already determined enough to just hack the client machine directly anyway.
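
The key-copy trade-off discussed above, as an added Python sketch that is not Gigabyte's or Infineon's implementation: one volume key is kept as authenticated copies on the drive, the TPM and a USB stick, so a corrupted copy is survivable, and each copy is wrapped under a passphrase-derived key so a stolen copy alone unlocks nothing. The slot names, the passphrase wrapping and the HMAC-based wrap (a standard-library stand-in for a real key-wrap cipher) are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def _pad(kek: bytes, nonce: bytes) -> bytes:
    # 32-byte pad derived from the key-encryption key (KEK) and a fresh nonce.
    return hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()

def wrap(kek: bytes, volume_key: bytes) -> dict:
    """Encrypt and authenticate one stored copy of the 32-byte volume key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(volume_key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek: bytes, slot: dict):
    """Return the volume key, or None if the copy is corrupt or the KEK is wrong."""
    expect = hmac.new(kek, b"tag" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["ct"], _pad(kek, slot["nonce"])))

def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def recover(slots: dict, kek: bytes):
    """Try each stored copy in order; return the first one that authenticates."""
    for name, slot in slots.items():
        key = unwrap(kek, slot)
        if key is not None:
            return name, key
    return None, None

def demo():
    volume_key = secrets.token_bytes(32)   # constructed sample key
    salt = secrets.token_bytes(16)
    kek = kek_from_passphrase("constructed example passphrase", salt)
    # Hypothetical storage locations mirroring the article: drive, TPM, USB stick.
    slots = {loc: wrap(kek, volume_key) for loc in ("drive", "tpm", "usb")}
    slots["drive"]["ct"] = bytes(32)       # simulate bad sectors on the drive copy
    source, key = recover(slots, kek)
    # Someone holding only the stolen USB copy, without the passphrase:
    thief = unwrap(kek_from_passphrase("wrong guess", salt), slots["usb"])
    return source, key == volume_key, thief

if __name__ == "__main__":
    print(demo())
```

The authentication tag is what lets `recover` tell a damaged copy from a good one instead of silently returning a wrong key.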

Still scared that TPM will end the world? Let us know your concerns in the forums.

13 Comments

amacieli 6th June 2008, 16:00
<grammar nerd>
device not devise.
gigabyte is singular, so "gigabyte includes..." not "gigabyte include..."
</grammar nerd>
<tpm>
actually seems like a good bit of tech - any advantages of this over vista ultimate's bitlocker, or pgp whole disk encryption?
</tpm>
steveo_mcg 6th June 2008, 16:39
Is it basically an actual random number generator?
leexgx 6th June 2008, 17:43
it stores the keys basically
Phil Rhodes 6th June 2008, 21:40
Lots of words about how good it will be for me.

Absolutely no information whatever on what it will actually do for me.

Trusted by who?

P
Lazarus Dark 7th June 2008, 00:13
Quote:
Originally Posted by Phil Rhodes
Trusted by who?


people who need to protect data can do so. Everyone else doesn't need this. I don't need this. I don't want this.
Fud or not, I don't like its implications. Yes, I am a paranoid person, so what. Why do people need so badly to control MY information? I can handle it just fine on my own.
Max Spain 7th June 2008, 06:53
Q: What kind of data security framework needs a globally unique id embedded into every system?

A: One that needs to uniquely identify each system and selectively apply policies on a per system basis.

The problem with TPMs is that the owner isn't given control over them. This is all done with the goal of transforming our "Personal Computers" into "Subscriber Units" (think game consoles). TPMs in their current incarnation are essentially someone else's hardware in your computer. They have tremendous privacy implications revolving around a unique Endorsement Key that is issued by a "certification authority" and stored in the TPM by the manufacturer. As far as I am aware every other feature present in TPMs is ambiguous, meaning that they can be used to enhance the user's wishes or to go against them. Even Remote Attestation can be useful if the owner is in control.

But don't take my word for it (as a faceless person on the intarweb) or someone else's who stands to profit from this. Get it from the source:
https://www.trustedcomputinggroup.org/specs/TPM/
https://www.trustedcomputinggroup.org/groups/TCG_1_4_Architecture_Overview.pdf
This next one is a VERY easy and quick read:
https://www.trustedcomputinggroup.org/groups/tpm/TPM_1_2_Changes_final.pdf
Smegwarrior 7th June 2008, 13:21
This sounds like what I read about in a book called Net Spies (non-fiction about internet privacy), the governments of the USA, Canada, UK, Australia and New Zealand (members of Echelon) all want free access to all of our personal information and are against encryption but know they will never stop us using encryption.

So they have devised a way around it, their plan is they 'let us' use encryption but it has to have a key that is held by a 'trusted third party' who will 'only make it available to law enforcement under court order' and that it is all with the intention of 'protecting us from terrorism and other crimes' and not about 'invading our privacy'. :|

The US government listed 128 bit encryption on ITAR (International Trade in Arms Regulation) as a munition and made it illegal to export it from the USA.

Somebody had an encryption program (128 bit) written in Python or C+ that was about 3 lines long tattooed on their arm along with a message about it being illegal to export it (and thereby themselves) from the US as a protest ;) and got into a bit of trouble over it.

This is in contrast to the European Union countries where the governments there advocate personal privacy as utterly important and enact laws to ensure people's privacy is not invaded and also encourage the use of encryption, preferably 128 bit or better.


Ah yes, western countries, the only countries in the world that are 'truly free' of oppression.
impar 7th June 2008, 22:19
Greetings!
Quote:
Originally Posted by Max Spain
This is all done with the goal of transforming our "Personal Computers" into "Subscriber Units"...
Short and to the point. ;)
Bluephoenix 8th June 2008, 18:26
problem with TPM is it's easy to break and get the key.

simple Firewire DMA trick will do it.
Kipman725 9th June 2008, 01:26
TPM will lock down your PC and turn it into an internet appliance for consumption of media like a grazing cow simply because it gives the ability for that to be implemented. TPM is government key escrow by proxy and I cannot state strongly enough that it's useless to anyone but the DRM industry and oppressive governments (sadly by the backing of the majority of the populace almost all).
outlawaol 9th June 2008, 17:10
With a free computer and free internet connection (free as in, your control), anyone with half a brain can gain access to any media they can think of. And I really think this technology is a stepping stone to other more devious intentions of media control. Virtually any created media is costing something to someone. From the various ads on this very site to the multi million dollar movies. And what the people, that are making it or advocating 'pay-per-view', are trying to do is stop the distribution of their 'hard works'. People want restitution for what they do.

The internet and computing the only way we have known it is going to change. And it isn't looking like the basic costs anymore of doing it. So be sure to keep your old hardware, only way to stay off the 'list'.
Max Spain 10th June 2008, 05:44
Quote:
Originally Posted by impar
Greetings!
Short and to the point. ;)
Thanks, but since I didn't come up with that name, I'll give credit where it is due.
Quote:
Originally Posted by Bluephoenix
problem with TPM is it's easy to break and get the key.

simple Firewire DMA trick will do it.

Unfortunately no. The TPM will ONLY release data that is encrypted or the public halves of asymmetric keys. This is in one of the docs I linked to. Even if you use the Firewire DMA trick, you'll still have to break the encryption. Keep in mind that the people designing these are the people who build our hardware. They have implemented PVP-UAB (encrypting data across the PCI-Express bus) as well as the NX bit and memory partitioning (virtualization.) The next upgrade is secure I/O.

While I will be the first to agree that hardware assisted virtualization is a useful tool, I wonder if we would've ever seen it (and if so, how much longer would it have taken) if it wasn't for Trusted Computing :(
impar 20th June 2008, 18:30
Greetings!

Check video:
http://www.lafkon.net/tc/