Free Rootkit with Every New Intel Machine

David G. Koontz david_koontz at xtra.co.nz
Tue Jun 26 01:11:34 EDT 2007


Peter Gutmann wrote:
> "David G. Koontz" <david_koontz at xtra.co.nz> writes:
> 
>> There are third party TPM modules, which could allow some degree of
>> standardization:
> 
> As I said in my previous message, just because they exist doesn't mean they'll
> do anything if you plug them into a MB with the necessary header (assuming you
> have a MB with the header, and it's physically compatible, and electrically
> compatible, and the BIOS is compatible, and ...).
> 
> Which MBs have you plugged one of these TPMs into and had it work?

I don't have the luxury of buying tchotchkes to prove a point.  (Ya,
I have no use for this stuff either).  In view of Peter's insistence it
was worth looking harder.

I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
header for the IEI TPM pluggable. After an extensive investigation I
found no direct evidence you can actually do as Peter states and roll
your own building a TPM enabled system. That includes downloading the
BIOS and trying to search it.  Found evidence of a TPM driver, no hard
proof though.  Why the emphasis on doing this as an end user anyway?
Heck you should have seen how hard it was to get DVDs to work with
Windows98 on an Intel D815 motherboard as an end user.  It took the same
level of investigation, and I still got lucky.  The information
necessary is available to OEMs, not generally end users.  Looking across
various vendors' motherboards you see statements in the specifications
stating TPM v1.2 support which I'd be inclined to think means BIOS
support.

I looked for mention of the IEI motherboards, and found distributors, no
mention of anyone actually using them other than for industrial use.
The Fujitsu-Siemens motherboards with TPM were similarly for industrial
use.  The idea of system integrity makes sense for say industrial
robotics.  Wonder if someone thought of using ECC memory?

I found a Foxconn motherboard with the same 20 pin connector.  Didn't
find it on their G33 motherboard (Bearlake).  There was no mention of
TPM support in any documentation for the G33 board.  I downloaded the
BIOS for the board with the connector, de-lharc'd it and searched for
strings indicating TPM support.  Didn't find any references at all.  It
appears to be an older Phoenix BIOS.   Same story for Peter - no proof
you could actually use it, worse still, nothing in the BIOS.

I found a Supermicro C2SBA motherboard (another G33 Bearlake) that you
can buy today.  TPM enabled, there's a jumper described in the manual to
enable TPM, which allows the BIOS page for it to show up.  Sounds like
solid support.  The manual only has the topside layout.  The jumper is
near the system front edge, and the closest silicon is the ICH9
Southbridge.  Note that the LPC bus is on the Southbridge anyway and
would interconnect to a TPM chip (as well as BIOS FLASH/ROM).  There's a
candidate chip near the front panel stuff not too close to the BIOS chip,
I couldn't find a high enough resolution photo to read the label.  There
is no through hole connector footprint for an external TPM manual visible.

If I wanted to buy a TPM motherboard today, I could, a brand new one,
too.  The manual has pictures of the TPM pages in the BIOS console.  The
BIOS should work.  Around $164 in the U.S., real pretty too with all the
copper cooling on it.

There's also indication of whitebox integrators using the Intel
motherboards with TPM in-built.  No indications of volume, which is
probably the real question.


> 
>> TPM may well end up being present ubiquitously.
> 
> Smart cards may well end up being present ubiquitously.
> Hardware RNGs may well end up being present ubiquitously.
> NIC-based crypto may well end up being present ubiquitously.
> Biometric readers may well end up being present ubiquitously.
> Home taping is killing mus... oops, wrong list.
> 
> Been there, done that, got the tchotchkes to prove it.

> 
> I've seen zero evidence that TPMs are going to be anything other than a repeat
> of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
> failed hardware silver bullets that crop up every few years.  Wait a year or
> two and there'll be some other magic gadget along to fix all our problems.

I found a FIPS 140-2 compliance statement from Phoenix dated July 2006,
that mentions all your silver bullets except the biometric readers and
encrypting NIC.

http://csrc.nist.gov/cryptval/140-1/140sp/140sp709.pdf

Someone doesn't think they are all relegated to tchotchkes, just yet. I
was surprised to hear Intel's random number chip is still marketed, must
still be used in Type 1 COMSEC stuff.

There is indication that TPM is tied to fingerprint scanners on laptops,
they could be a passing fad.  It'd be nice to see someone demonstrating
spoofing one.

Found something else that supports Peter's point of view.  Found a web
page claiming that Intel's vPRO doesn't require a TPM chip.  It isn't
clear how closely aligned vPRO is to DMTF.  As far as TPM and DMTF, most
of the hits relating to the two can be traced back to the Trusted
Computing Group, which may be trying to find a raison d'être for the
thing.  There's evidence the two organizations have collaborated on how
to use TPM.  Hard to find any evidence it resulted in anything.  Looking
through the DMTF stuff, I got the idea distributed management is taking
a pragmatic view, no required hoops to jump through.

It was amusing to read here that the TPM chips on Macs aren't used.

Peter could be right about the emperor not having any clothes.   I'll
offer him the TPM pluggable module out of my defunct Thinkpad for his
collection if he wants, I can easily send it to the North Island.  I
never used it.

I somehow don't see fingerprint scanners sufficient to drive the need.
The Phoenix compliance statement says crypto drivers lose FIPS 140-2
compliance when using TPM, due to using something beyond their
cryptographic boundary.  Doesn't seem to have a lot of other solid
redeeming features.

Does anyone know of any enterprise success stories using TPM?  Somebody
has to be actually using this stuff, even if we can't tell how much of it.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com