On Tue, Dec 18, 2012 at 1:32 AM, Anders Rundgren
<anders.rundg...@telia.com> wrote:
> I have only one problem with TPM or TPM-like technology: the desire to
> kill rooting will hamper development.
Agreed (I hope it does not hamper development and mod'ing).

The SIM is a mini-HSM, and can probably be used as the basis for a
trusted platform. So development should be available with the right
architecture and a new SIM card :)

I'm not sure what is easiest for CDMA (SIMs cover GSM networks). We
are seeing SIM-like features for CDMA phones, but I suspect it's more a
software abstraction coupled with a more versatile baseband processor.

> IMO, it should be technically possible to root devices but data encrypted
> by the original OS should be useless due to a changed encryption key.
> The same should be valid for keys enrolled through the original OS.
Under some Android phones I have, you can unlock the boot loader and
it will wipe the device. For example, my EVO 4G.

The same Android phones do *not* wipe data if the phone is re-SIM'd, though.

> This is probably only feasible if the "TPM" is a part of the main CPU
> which I also think is what is going to happen.
I would expect to see it moved to the baseband processor, and not a
general purpose CPU. What is Qualcomm doing in this area? Is anyone up
to date?

> The TPM enables organizations to *optionally* reject connecting devices
> not running "legitimate" OSes.  That's OK; they already do that to some
> extent.
>
> Related: Microsoft's TPM-based VSD (Virtual Smart Card) scheme:
> http://www.microsoft.com/en-us/download/details.aspx?id=29076
Ah, thanks.

Jeff

> On 2012-12-18 05:10, Jeffrey Walton wrote:
>> http://www.networkworld.com/news/2012/121712-nist-tia-265172.html
>>
>> A mobile security technology proposal drafted by the National
>> Institute of Standards and Technology (NIST) is being soundly rejected
>> by one of the main trade groups representing a broad cross-section of
>> industry.
>>
>> NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices,"
>> issued in draft form in October and out for public comment until last
>> Friday, has drawn sharp criticism from the Telecommunications Industry
>> Association, which labeled NIST's proposal as "over-prescriptive"
>> because it "suggests that security in mobile devices can only be
>> realized using a specific architectural implementation of secure or
>> trustworthy environment, namely the Trusted Platform Module (TPM)
>> architecture specified by the Trusted Computing Group (TCG)."
>>
>> TPM is "one way to implement security in mobile devices but it isn't
>> the only way," said Brian Scarpelli, senior manager of government
>> affairs at Arlington, Va.-based TIA, adding that software-based
>> security can also be relied on. He indicated the TIA membership of
>> carriers and software vendors would prefer not to have to adhere to a
>> specific implementation to meet new federal guidelines for mobile
>> devices, and TIA is reaching out to NIST to voice its objections. TIA
>> industry membership includes carriers such as Verizon Communications
>> and Sprint Nextel, as well as Apple, Dell and Vare.
>>
>> The TPM specification from the TCG is a hardware-based
>> cryptographic-processing technology that can be used for several
>> security purposes, primarily device integrity. TPM is used in desktops
>> and servers but not mobile devices at present. The National Security
>> Agency, for example, which influences technology decisions made at the
>> U.S. Department of Defense, has been an enthusiastic proponent of TPM.
>>
>> TPM exists in much internal computer hardware today, though it appears
>> to suffer from lack of widespread deployment in part due to lack of
>> applications making it easy to deploy.
>>
>> NIST argues for TPM by saying that "many mobile devices are not
>> capable of providing strong security assurances to end users and
>> organizations. Current mobile devices lack the hardware-based roots of
>> trust that are increasingly built into laptops and other types of
>> hosts."
>>
>> NIST says it wants to "accelerate industry efforts" to use
>> hardware-rooted trust technologies, and specifically TPM, in mobile
>> devices such as smartphones and tablets that the federal government
>> would acquire. NIST criticizes today's mobile devices, saying they are
>> "vulnerable to 'jailbreaking' and 'rooting,' which provide device
>> owners with greater flexibility and control over the devices, but also
>> bypass important security features which may introduce
>> vulnerabilities."
>>
>> NIST asserts in its guidelines proposal that TPM and hardware-based
>> root of trust is the model the federal government would like to see
>> for use in assuring device integrity and verification, and that this
>> would also help the government in adopting a bring-your-own-device
>> approach where government employees could use their personally owned
>> devices for work as well.
>> ...
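
The idea raised in the thread, that data encrypted by the original OS becomes useless once the boot chain changes, can be sketched as a storage key derived from measured boot state. This is an added example, not code from anyone in the thread or from any vendor. It simulates a TPM-style PCR extend in software; the function names, the sample boot images and the use of HMAC-SHA256 as the key-derivation step are assumptions for illustration (a real TPM would typically seal a key to a PCR policy rather than derive it this way).

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # a PCR starts as all zeros at platform reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(stages) -> bytes:
    """Fold every boot stage, in order, into one PCR value."""
    pcr = PCR_RESET
    for image in stages:
        pcr = extend(pcr, image)
    return pcr


def storage_key(device_secret: bytes, pcr: bytes) -> bytes:
    """Bind the data-encryption key to both the hardware secret and boot state."""
    return hmac.new(device_secret, b"storage-key-v1" + pcr, hashlib.sha256).digest()


# Constructed sample inputs: a per-device secret and two boot chains that
# differ only in the kernel image.
DEVICE_SECRET = hashlib.sha256(b"constructed per-device fused secret").digest()
STOCK_CHAIN = [b"bootloader (stock)", b"kernel (stock)", b"system (stock)"]
MODIFIED_CHAIN = [b"bootloader (stock)", b"kernel (custom)", b"system (stock)"]


def keys_match(chain_a, chain_b) -> bool:
    """True only if both boot chains yield the same storage key."""
    key_a = storage_key(DEVICE_SECRET, measure_boot_chain(chain_a))
    key_b = storage_key(DEVICE_SECRET, measure_boot_chain(chain_b))
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    print("stock vs stock   :", keys_match(STOCK_CHAIN, STOCK_CHAIN))
    print("stock vs modified:", keys_match(STOCK_CHAIN, MODIFIED_CHAIN))
```

The modified device still boots and still derives a key, but not the one that protects the original OS's data, which is the property described in the quoted message.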
