Identity Open Space and DIDW Event: Register Now!
We’re doing an identity open space on Monday Sept. 11, 2006 in Santa Clara in conjunction with Digital ID World. DIDW starts Monday afternoon and we’re going to do three-quarters of a day of open space beforehand to talk about user-centric identity. The format will be largely the same as the Internet Identity Workshops that we’ve been having—just shorter.
If you’re coming to DIDW or just in the Bay Area, we’d love to see you there. You can expect good discussion and meetings with people at the forefront of this emerging area. If you’re coming to DIDW and have wondered what all this user-centric identity is about, this is a great way to get up to speed before the conference.
We’ve put together a registration page for the event. There’s a nominal $25 fee to cover the cost of lunch. DIDW is graciously covering the cost of the room and refreshments. They’re also offering a discount on the regular DIDW registration fee to IOS participants—$995. Register for DIDW here and use the code H1101 to get the discount. Both DIDW and our open space event will happen at the Santa Clara Marriott.
We’ll be holding a second installment of the Internet Identity Workshop, called IIW 2006b, on Dec 4-6 at the Computer History Museum in Mountain View, CA. You can see a workshop announcement, get information about hotels, and even register for that event now.
Posted by Phil Windley on August 11, 2006 12:00 PM




Comment from awkuhn at August 12, 2006 10:10 AM
Trusting Trusted Computing
http://geekblog.oneandoneis2.org/index.php/2006/08/
Before I begin, because of the *vast* amount of misinformation that's being distributed about Trusted Computing, the first point I need to make is this:
Can the Trusted Platform Module control what software runs?
No. There is no ability to do this. The subsystem can only act as a 'slave' to higher level services and applications by storing and reporting pre-runtime configuration information. Other applications determine what is done with this information. At no time can the TCG building blocks 'control' the system or report the status of applications that are running.
TC does not and will not prevent you from running or installing a new OS on your computer. You will still have the ability to use LiveCDs and install whatever new software you like on your computer.
Although some people try to make lots of noise about Microsoft being big TC players, it should not be forgotten that pro-Linux players such as HP and IBM are both also major TC members. Corporations don't make billion-dollar investments in software they're going to try, or permit others, to destroy. And before protestations are made about how MS isn't afraid to use its resources to sway initiatives its own way, let's not forget that IBM does in fact have more money than MS.
So with that out of the way, does TC bring benefits to Linux users?
Well, what does it actually DO?
TC is a fairly simple concept: It's a bit of hardware that stores encryption keys, passwords, and digital certificates. TC keeps cryptographic processing out of the CPU and RAM and keeps your keys off disk drives. It can be set to only allow specific software access to specific keys.
That's it. That's all it does. It puts encryption outside the OS so that it can't be stolen by a cracker who's gained remote access to your PC.
So if you use GPG to digitally sign your email and you don't like the fact that your private key lives on your hard drive (in which case you're not security-conscious enough to care) or on an easily lost or stolen flash drive, TC will free you from this concern: You can place your GPG key onto your PC's TC module and then shred your flash drive and cease worrying about it. Your key is safe in a little chip on your motherboard where even the OS can't get to it unless you authorize it to.
All innocuous enough. So why did TC get such a bad reputation?
Because although TC isn't going to stop you doing anything, an Operating System can: People are paranoid about what Windows+TC might mean. And that's fair enough and a valid worry, but as I said in my previous post: The right tool for the right job. TC isn't inherently bad, and if Windows makes it so then the problem is not with TC, it's with the software. Blame Microsoft, not TC.
Forget about what TC could mean in the wrong hands, and think about what it can do in your hands.
And essentially, when you're running a FOSS operating system, what it can do is "As much or as little as you want it to" - and that's the long and the short of it. TC is like a firewall: It can be a PITA if somebody else maintains a firewall between you and the Web (Like they usually do at work), but the firewall on your own PC is nothing but a good thing, because *you* control what it does and doesn't get involved with.
The Linux kernel has had TC support since 2.6.12; Grub and Lilo both support TC, and even the OpenBIOS project is TC-enabled. So you can have a play with it today, if you've got the right hardware - and most modern laptops do.
So let's get down to the thing that prompted this whole post: Concern about a Tivo-like embargo on non-signed software.
The key difference between a Tivo and a TC PC is that Tivo only permits software signed with its own keys to run. On a TCPC, it would be your choice as to what keys were admissible.
Take the example I used in that post: A Linux distro that signs all its official software. You'd have a number of choices, all depending on how secure you wanted to be:
· You could ignore the whole thing and simply turn TC off. You'd be running like you are today. No difference.
· You could set the PC so it will permit two types of software: Software signed by the distro, and software signed with your own key. You could install any software you liked, but nobody else could install anything. Your PC is exactly like it is today, but more secure because it cannot run unauthorized software.
· You could set the PC so that it only runs the distro's signed software. You'd be more secure than you are today, but you'd be more limited on what software you can run. Probably only of interest to corporations.
· You could set the PC so it only runs software signed with your own key. Useful for paranoid home users, but more for servers and the like, which are constantly exposed to the world and relatively rarely need new software installed.
In the end, the key point is that whilst only allowing signed binaries to run restricts the ability to run software, it's up to you, the PC owner, what signatures to accept or not. A Linux PC with TC installed does not stop you from running anything unless you want it to, any more than a firewall stops you running SSH unless you want it to. You can set your TCPC to only run distro-approved packages, you can set it to run you-approved packages. You could even set up a web-of-trust such as GPG keys have and set your PC to run any software with a level of trust higher than a certain threshold.
What TC can't do is stop you running software that you want to run. An unscrupulous OS could misuse it to do so, but let's face it, it could do that pretty well today if it wanted to. There's a reason why MS had to improve IE rather than simply setting Windows to refuse to install Firefox.
They could have done it, don't ever believe that they couldn't. They'd just have been slammed into courtrooms all around the world so fast it would have made Steve Ballmer too dizzy to aim his chair. Just because it's possible doesn't mean that it's going to happen.
And take all the "unbreakable DRM" cries with a pinch of salt: There's a big difference between TC and DRM. TC trusts the computer owner and distrusts the software. DRM distrusts the computer owner. The TC rebuttal is well worth a read if you think TC=DRM. Or just bear in mind that TC is nothing more or less than encryption: It doesn't create any real new potential for misuse that isn't already present with projects like GPG and TrueCrypt.
TC is not all roses - some of the theoretical uses for it are fairly worrying. But the same goes for any technology. Before the Internet, music piracy was of little concern to the RIAA and most people had never even heard of child pornography.
But you can't ban the misuse without banning the use, and the scary TC uses are no more a reason to ban TC than MP3 sharing is a reason to ban the Internet.
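
The comment above says the TPM only stores and reports pre-runtime configuration information, and that other applications decide what to do with it. The sketch below is an added example, not part of the post or the comment: it models that split with the SHA-1 extend operation of TPM 1.2 (assumed here as the chip generation) and a separate verifier that holds reference values chosen by the owner. The boot-chain byte strings and the function names are constructed for illustration.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(chain) -> bytes:
    """Fold a boot chain into one PCR value, starting from the all-zero
    reset state. Nothing is refused here: the chip only records."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def verifier_decision(reported_pcr: bytes, accepted_values) -> str:
    """A separate application compares the reported value with the
    reference values the machine's owner chose to accept."""
    return "accept" if reported_pcr in accepted_values else "reject"


# Constructed sample boot chains; byte strings stand in for real images.
DISTRO_CHAIN = [b"bios-1.0", b"grub-stage2", b"vmlinuz-2.6.12-distro"]
OWNER_CHAIN = [b"bios-1.0", b"grub-stage2", b"vmlinuz-2.6.12-custom"]
TAMPERED_CHAIN = [b"bios-1.0", b"grub-stage2-modified", b"vmlinuz-2.6.12-distro"]

# Owner policy: accept the distro's kernel and the owner's own build.
ACCEPTED = {measure_boot(DISTRO_CHAIN), measure_boot(OWNER_CHAIN)}

if __name__ == "__main__":
    for name, chain in [("distro", DISTRO_CHAIN),
                        ("owner", OWNER_CHAIN),
                        ("tampered", TAMPERED_CHAIN)]:
        pcr = measure_boot(chain)
        print(f"{name:9s} PCR={pcr.hex()} -> {verifier_decision(pcr, ACCEPTED)}")
```

Every chain is measured to completion, including the modified one; only the verifier's comparison against the owner's list produces a different outcome.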