Peter Gutmann wrote:
> "Ian Farquhar (ifarquha)" <[EMAIL PROTECTED]> writes:
>
>> For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which "features security
>> enhancement by TPM". More common (ASUS, Foxconn) was the "TPM Connector",
>> which seemed to be a hedged bet, by replacing the cost of the TPM chip with
>> the cost of a socket.
>
> Those are actually misleading, since there's no certainty that you'll be able
> to find anything that'll actually plug into them. That is, not only are the
> TPM whatever-they-are-that-goes-there's almost impossible to find, but if you
> do find one there's no guarantee that it'll actually work when plugged into
> the header. In practice this is just a way of adding the "TPM" keyword to your
> marketing without having to actually do anything except include a dummy header
> on the MB.

There are third-party TPM modules, which could allow some degree of standardization:

http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201&news_cate=News&news_sub_cate=Product

The IEI TPM module is used in their own motherboards and some VIA motherboards. They actively market the pluggable modules.

Thinkpads appear to use a different connector:

https://www.cosic.esat.kuleuven.be/publications/article-591.pdf

30 pins instead of 20 pins. The Low Pin Count bus, an ISA bus replacement, is specified as the TPM interface, and isn't defined for connector use, so a connector pinout isn't standardized.

http://www.intel.com/design/chipsets/industry/25128901.pdf (the spec)

> (For people who don't work with the innards of PCs much, most motherboards
> have assorted unused headers, sites for non-installed ICs, and so on, as a
> standard part of the MB. The TPM header is just another one).
>
> Peter.

In addition to pluggable modules, TPM can also be an assembly bill-of-materials option, where you have a chip and a few passive components not stuffed for non-enterprise PCs or notebooks. The advantage of a pluggable module would be to allow late-binding build configurations when you can't adequately forecast demand. Even the low costs of TPM hardware, patent licenses, BIOS licenses, etc., are probably enough to prevent blanket inclusion in personal computers not intended for enterprise use today. TPM can also be built into chipsets like Intel's Bearlake, which removes the hardware cost. TPM may well end up being present ubiquitously.

One of the driving forces for TPM adoption going forward will be enterprise remote or "distributed" management:

http://www.dmtf.org/home

Doing distributed management with TPM allows some degree of security that would otherwise be missing. Distributed management is the purpose of Intel's vPro and iAMT initiatives.

Note that the distributed management push is relatively recent, going mainline in the last year or so, and may signal an upcoming acceleration in TPM adoption. Also of note is that the membership list for the Distributed Management Task Force contains most of the big-name PC sellers. Distributed management can be OS-agnostic; the driving need is the ability to handle large volumes of software updates and security patches. While some OSes require large volumes of security patches, others are evolving fast enough to require automated updates. We're pretty much guaranteed to see enterprise adoption across all platforms. Linux supports TPM devices directly, as will Solaris. Apple (mis)uses TPM to unsuccessfully prevent OS X from running on non-Apple hardware. All Apple-on-Intel machines have TPM; that's what, 6 percent of new PCs? There is a virtual TPM in Xen. IBM would tell you that you can't operate a trusted computer without a security server for providing virtual TPM storage. They're willing to sell you one, and Microsoft doesn't want you to operate Vista virtually without a trustworthy Trusted Platform Module.

It may be inappropriate to build a system with absolute trust in TPM to protect "intellectual property". There are other architectures that can do better, say a blade server running a virtual copy of an OS. The element providing greater security is removing the potentially malicious end user from physical access, and not allowing access beyond the virtual machine. Thin clients and web applications come to mind for protecting corporate secrets, too. TPM is predicated on the notion that the corporate universe is comprised of fully capable computers. The idea for Trusted Computing comes mainly from hardware vendors, so the bias isn't surprising. No one likes the idea of TPM on their personal machines; it's really driven by enterprise needs, although you could imagine a market for a service intended to keep your personal Windows PC updated.

There can be useful side effects to having TPM on personal computers. TPM could provide secure storage for keys to software- or hardware-encrypted disk drives; the alternative might imply uncovering the equivalent of master keys over questionable channels during boot-up. Secure disks with hardware encryption may have little or no cost penalty, and Linux/BSD/Solaris, etc., will accommodate them at some point.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]