Free Rootkit with Every New Intel Machine

Hal Finney hal at finney.org
Mon Jun 25 12:33:21 EDT 2007


David G. Koontz writes:
> There are third party TPM modules, which could allow some degree of
> standardization:
>
> http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201&news_cate=News&news_sub_cate=Product
>
> The IEI TPM module is used in their own motherboards and some VIA
> motherboards.  They actively market the pluggable modules.  Thinkpads
> appear to use a different connector:
> https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
> 30 pins instead of 20 pins.

It seems odd for the TPM of all devices to be put on a pluggable module
as shown here.  The whole point of the chip is to be bound tightly
to the motherboard and to observe the boot and initial program load
sequence.  Any steps to decouple the TPM and facilitate separating it
from a motherboard will only make attacks on its security model easier
and make the chip less useful for its stated purpose.

The idea of putting a TPM on a smart card or other removable device is
even more questionable from this perspective.  A TPM which communicates
via an easily accessible and tamperable bus is almost useless for the
security concepts behind the Trusted Computing Group architecture.  (The
exception might be if there were additional hardware to encrypt the bus,
but that is not part of the standard spec.)

The other direction that has been mentioned, putting the TPM onto the CPU
die, would make more sense for security, but I don't know of any chips
that actually do that.  However with the future trend towards increased
CPU parallelism and addition of extra cores for additional functionality,
it would seem to be a natural extension, if TPMs catch on.

I tried hunting through the TCG specs to see if they say anything about
this, but it's a maze.  Eventually there is supposed to be a Platform
Conformance Credential which certifies that a particular platform (e.g.
motherboard + associated chips) satisfies some criteria and has gone
through a certification process.  But I couldn't find anything specific
about what security features a "trusted platform" is supposed to have.

The "TPM Design Principles" doc says:

https://www.trustedcomputinggroup.org/specs/TPM/Main_Part1_Rev94.zip

> 11.2       RTR to Platform Binding
>
> Start of informative comment
>
> When performing validation of the EK and the platform the challenger
> wishes to have knowledge of the binding of RTR to platform. The RTR
> is bound to a TPM hence if the platform can show the binding of TPM
> to platform the challenger can reasonably believe the RTR and platform
> binding.  The TPM cannot provide all of the information necessary for
> the challenger to trust in the binding. That information comes from the
> manufacturing process and occurs outside the control of the TPM.
>
> End of informative comment
>
> 1. The EK is transitively bound to the Platform via the TPM as follows:
> a. An EK is bound to one and only one TPM (i.e., there is a one to one
> correspondence between an Endorsement Key and a TPM.)
> b. A TPM is bound to one and only one Platform. (i.e., there is a one
> to one correspondence between a TPM and a Platform.)
> c. Therefore, an EK is bound to a Platform. (i.e., there is a one to
> one correspondence between an Endorsement Key and a Platform.)

Here, the RTR is the Root of Trust for Reporting, aka the on-chip
Endorsement Key (EK) which the TPM uses to sign platform and software
configuration info as part of its Remote Attestation capability.
This text would seem to argue against a removable TPM.

Here's a quote from one of the PC-related specs:

https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PCClientImplementationforBIOS_1-20_1-00.pdf

> 1.2.12.1.2   Binding Methods
> Start of informative comment
>
> The method of binding the TPM to the motherboard is an architectural and
> design decision made by the respective manufacturer and is not specified
> here. There are two types of binding: physical and logical. Physical
> binding relies on hardware techniques while logical binding relies on
> cryptographic techniques. The nature and strength of each method is
> defined by the TPM's or the Platform's Protection Profile.
>
> Example:
>
> The TPM is a physical chip soldered to the Host Platform. Here the
> Endorsement Key is physically bound to the TPM (it's inside it) and the
> TPM is physically bound to the Host Platform by the solder. The required
> strength of each binding is determined by the Protection Profile.
>
> End of informative comment

So this would allow a removable TPM but it has to be "logically" bound
to the motherboard via cryptography, presumably something like an
encrypted bus.

As Peter Gutmann noted, most TPM systems are relatively expensive business
laptops where the chip is sold as a security chip, although in practice
it doesn't do much.  Possibly with Vista's BitLocker disk encryption we
will see more use of TPMs.  I saw the other day that Microsoft was about
to make BitLocker available to home users (it's only in the high-end
Vistas now) but changed their mind at the last minute.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
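The measured boot and remote attestation check that the message refers to (the TPM observing the initial program load sequence, and a challenger relying on the reported PCR), as an added illustration that is not part of the original post or of any TCG specification: a Python model of TPM 1.2 PCR extend, a simulated measured boot, and the challenger's verification of the quoted PCR against the event log and a known-good table. The boot images, stage names and known-good table are constructed, and the signature a real TPM places on the quote is assumed to have been verified already.

```python
import hashlib

# TPM 1.2 PCRs are 20-byte SHA-1 registers, all zeros after a platform reset.
PCR_INIT = bytes(20)

def measure(image: bytes) -> bytes:
    """Digest the firmware computes over a boot stage before passing control to it."""
    return hashlib.sha1(image).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest); order-dependent, not reversible."""
    return hashlib.sha1(pcr + digest).digest()

def measured_boot(stages: list) -> tuple:
    """Simulated firmware: each stage is measured into the TPM's PCR before it runs.
    Returns (pcr value held by the chip and later reported in a quote, host-side event log)."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        digest = measure(image)
        pcr = pcr_extend(pcr, digest)  # the chip's register; the host cannot rewind it
        log.append((name, digest))     # host-side record, which the host can alter
    return pcr, log

def replay_log(log: list) -> bytes:
    """Recompute the PCR a challenger expects from the reported event log."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def challenger_verify(quoted_pcr: bytes, log: list, known_good: dict) -> tuple:
    """Check 1: the log replays to the quoted PCR.  Check 2: every stage is a known-good image.
    Both assume the digests reached the TPM unaltered over a path the attacker cannot touch,
    which is the binding property the message argues a pluggable TPM gives up."""
    if replay_log(log) != quoted_pcr:
        return (False, "event log does not replay to the quoted PCR")
    for name, digest in log:
        if known_good.get(name) != digest:
            return (False, f"unexpected measurement for {name}")
    return (True, "ok")

# Constructed sample boot chain (not real firmware) and the challenger's known-good table.
GOOD_CHAIN = [("bios", b"BIOS image v1 (constructed)"), ("mbr", b"MBR sector (constructed)"),
              ("bootloader", b"bootloader v2 (constructed)")]
KNOWN_GOOD = {name: measure(image) for name, image in GOOD_CHAIN}
```

A modified bootloader that is honestly measured fails check 2, while a substituted "clean" log that does not match the chip's register fails check 1; neither check can say anything about whether the measured stages actually ran on the platform the TPM is claimed to sit on, which is what the credential chain quoted above is for.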