<br><br><div class="gmail_quote">On Tue, Dec 28, 2010 at 11:03 AM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
<br>
Another example of a SmartCard like device that is present in many of<br>
our laptops is the TPM (Trusted Processing Module) chip. Under Linux,<br>
this is managed by the Trousers package and utilities and includes a<br>
PKCS11 interface. You can store RSA keys for various things in the TPM<br>
module using Trousers along with the Mozilla NSS subsystem. Some people<br>
don't like enabling the TPM module out of objection to it's original<br>
stated purposes of enabling hardware DRM and system tracking but nobody<br>
has deployed any TPM based hardware DRM to date and why waste a<br>
perfectly good RSA crypto engine already present in your system?<br>
<div class="im"><br clear="all"></div></blockquote></div><br>One of my co-workers went to a tpm workshop and gave us a presentation on what he learned. TPM capabilities, while they are defeatable, are a huge step forward in trusting the actual hardware/software combo the system is running on. It is possible to craft a configuration that will ONLY work with all of the designed pieces intact and no extras inserted. This means a known-good kernel, bios, cpu, ram, hard drive, empty optical drive, etc are all required before the hard drive is unlocked. If anything is different, after a certain number of attempts the drive unlock key is burned as well as the bios. Thus the laptop is useless without a cleanroom to pull apart the hard drive. Make it a SSD and it gets much harder to extract info from the drive with a burned out unlock key.<br>
<br>We played a thought game that involved a custom linux bios and concluded we could possible bypass the bios lock if we know what the reported checksum on bios config was supposed to be.<br>-- <br>-- <br>James P. Kinney III<br>
I would rather stumble along in freedom than walk effortlessly in chains.<br><br><br>