David G. Koontz writes:
> There are third party TPM modules, which could allow some degree of
> standardization:
>
> http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201&news_cate=News&news_sub_cate=Product
>
> The IEI TPM module is used in their own motherboards and some VIA
> motherboards. They actively market the pluggable modules. Thinkpads
> appear to use a different connector:
> https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
> 30 pins instead of 20 pins.

It seems odd for the TPM of all devices to be put on a pluggable module as
shown here. The whole point of the chip is to be bound tightly to the
motherboard and to observe the boot and initial program load sequence. Any
steps to decouple the TPM and facilitate separating it from a motherboard
will only make attacks on its security model easier and make the chip less
useful for its stated purpose. The idea of putting a TPM on a smart card or
other removable device is even more questionable from this perspective. A
TPM which communicates via an easily accessible and tamperable bus is almost
useless for the security concepts behind the Trusted Computing Group
architecture. (The exception might be if there were additional hardware to
encrypt the bus, but that is not part of the standard spec.)

The other direction that has been mentioned, putting the TPM onto the CPU
die, would make more sense for security, but I don't know of any chips that
actually do that. However with the future trend towards increased CPU
parallelism and addition of extra cores for additional functionality, it
would seem to be a natural extension, if TPMs catch on.

I tried hunting through the TCG specs to see if they say anything about
this, but it's a maze. Eventually there is supposed to be a Platform
Conformance Credential which certifies that a particular platform (e.g.
motherboard + associated chips) satisfies some criteria and has gone through
a certification process. But I couldn't find anything specific about what
security features a "trusted platform" is supposed to have.

The "TPM Design Principles" doc says:

https://www.trustedcomputinggroup.org/specs/TPM/Main_Part1_Rev94.zip

> 11.2 RTR to Platform Binding
>
> Start of informative comment
>
> When performing validation of the EK and the platform the challenger
> wishes to have knowledge of the binding of RTR to platform. The RTR
> is bound to a TPM hence if the platform can show the binding of TPM
> to platform the challenger can reasonably believe the RTR and platform
> binding. The TPM cannot provide all of the information necessary for
> the challenger to trust in the binding. That information comes from the
> manufacturing process and occurs outside the control of the TPM.
>
> End of informative comment
>
> 1. The EK is transitively bound to the Platform via the TPM as follows:
> a. An EK is bound to one and only one TPM (i.e., there is a one to one
> correspondence between an Endorsement Key and a TPM.)
> b. A TPM is bound to one and only one Platform. (i.e., there is a one
> to one correspondence between a TPM and a Platform.)
> c. Therefore, an EK is bound to a Platform. (i.e., there is a one to
> one correspondence between an Endorsement Key and a Platform.)

Here, the RTR is the Root of Trust for Reporting, aka the on-chip
Endorsement Key (EK) which the TPM uses to sign platform and software
configuration info as part of its Remote Attestation capability. This text
would seem to argue against a removable TPM.

Here's a quote from one of the PC-related specs:

https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PCClientImplementationforBIOS_1-20_1-00.pdf

> 22.214.171.124.2 Binding Methods
> Start of informative comment
>
> The method of binding the TPM to the motherboard is an architectural and
> design decision made by the respective manufacturer and is not specified
> here. There are two types of binding: physical and logical. Physical
> binding relies on hardware techniques while logical binding relies on
> cryptographic techniques. The nature and strength of each method is
> defined by the TPM's or the Platform's Protection Profile.
>
> Example:
>
> The TPM is a physical chip soldered to the Host Platform. Here the
> Endorsement Key is physically bound to the TPM (it's inside it) and the
> TPM is physically bound to the Host Platform by the solder. The required
> strength of each binding is determined by the Protection Profile.
>
> End of informative comment

So this would allow a removable TPM but it has to be "logically" bound to
the motherboard via cryptography, presumably something like an encrypted
bus.

As Peter Gutmann noted, most TPM systems are relatively expensive business
laptops where the chip is sold as a security chip, although in practice it
doesn't do much. Possibly with Vista's BitLocker disk encryption we will see
more use of TPMs. I saw the other day that Microsoft was about to make
BitLocker available to home users (it's only in the high-end Vistas now) but
changed their mind at the last minute.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
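As an added illustration of the mechanism the quoted 11.2 text and the binding discussion above turn on (this is not code from Hal's post, from the TCG specs, or from any TPM vendor), here is a toy model in Go of the Root of Trust for Reporting at work: a simulated TPM with extend-only PCRs that record the boot sequence, an on-chip key that signs a "quote" over them, and the challenger's verification of that quote. Assumptions made here: Ed25519 stands in for the EK/attestation key, the bank has four SHA-256 PCRs, the quote layout is made up, and every name (`TPMSim`, `Extend`, `Quote`, `VerifyQuote`, `ExpectedPCRs`) is invented for the example. The point to take from it is what the signed body does and does not contain: it binds the PCR values and the challenger's nonce to the key, so an altered boot or a replayed report is rejected, but nothing in it says which motherboard the chip is sitting in. That is the gap the spec says "comes from the manufacturing process and occurs outside the control of the TPM", and it is why a pluggable module needs a physical or logical binding that the quote itself cannot supply.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const numPCRs = 4 // constructed; a real TPM 1.2 bank has 24 PCRs

// TPMSim is a toy stand-in (not a TCG implementation) for the two TPM parts
// the discussion turns on: extend-only PCRs recording the boot/IPL sequence,
// and an on-chip key that signs reports about them (the RTR / EK role).
type TPMSim struct {
	pcrs [numPCRs][32]byte
	priv ed25519.PrivateKey // never leaves the chip
	Pub  ed25519.PublicKey  // what a challenger learns from the EK/platform credential
}

// NewTPMSim generates the simulated on-chip key; PCRs start at all zeros.
func NewTPMSim() (*TPMSim, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TPMSim{priv: priv, Pub: pub}, nil
}

// Extend is the only way to change a PCR: PCR[i] = SHA-256(PCR[i] || SHA-256(m)).
// Order matters and nothing can be un-measured, which is what makes the final
// value a record of the boot sequence rather than a settable register.
func (t *TPMSim) Extend(i int, measurement []byte) error {
	if i < 0 || i >= numPCRs {
		return errors.New("pcr index out of range")
	}
	m := sha256.Sum256(measurement)
	buf := make([]byte, 0, 64)
	buf = append(buf, t.pcrs[i][:]...)
	buf = append(buf, m[:]...)
	t.pcrs[i] = sha256.Sum256(buf)
	return nil
}

// Quote is the TPM's signed report: the challenger's nonce, the PCR values,
// and a signature over both made with the on-chip key.
type Quote struct {
	Nonce []byte
	PCRs  [numPCRs][32]byte
	Sig   []byte
}

// quoteBody is the exact byte string that gets signed. Note what is absent:
// nothing here identifies the motherboard the chip is plugged into.
func quoteBody(nonce []byte, pcrs [numPCRs][32]byte) []byte {
	var b bytes.Buffer
	b.WriteString("TPM_QUOTE_SIM") // constructed domain-separation tag
	b.Write(nonce)
	for _, p := range pcrs {
		b.Write(p[:])
	}
	return b.Bytes()
}

// Quote answers a challenger's nonce with the current PCRs, signed.
func (t *TPMSim) Quote(nonce []byte) Quote {
	n := append([]byte(nil), nonce...)
	return Quote{Nonce: n, PCRs: t.pcrs, Sig: ed25519.Sign(t.priv, quoteBody(n, t.pcrs))}
}

// ExpectedPCRs computes the reference ("golden") state a platform reaches by
// measuring the given images, in order, into PCR 0.
func ExpectedPCRs(images [][]byte) [numPCRs][32]byte {
	var ref TPMSim
	for _, img := range images {
		_ = ref.Extend(0, img) // index 0 is always in range
	}
	return ref.pcrs
}

// VerifyQuote is the challenger side of remote attestation: freshness (nonce),
// origin (signature by the credentialed key) and configuration (PCRs match the
// reference). Any one failure rejects the report.
func VerifyQuote(pub ed25519.PublicKey, nonce []byte, golden [numPCRs][32]byte, q Quote) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(pub, quoteBody(q.Nonce, q.PCRs), q.Sig) {
		return errors.New("signature does not verify under the credentialed key")
	}
	if q.PCRs != golden {
		return errors.New("PCR values differ from the expected boot configuration")
	}
	return nil
}

func main() {
	tpm, err := NewTPMSim()
	if err != nil {
		panic(err)
	}
	// Constructed boot sequence: each stage is measured before it runs.
	images := [][]byte{[]byte("bootloader v1"), []byte("kernel v1")}
	for _, img := range images {
		_ = tpm.Extend(0, img)
	}
	nonce := make([]byte, 20)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	fmt.Println("known-good boot:", VerifyQuote(tpm.Pub, nonce, ExpectedPCRs(images), tpm.Quote(nonce)))
	_ = tpm.Extend(0, []byte("unexpected module"))
	fmt.Println("after an extra load:", VerifyQuote(tpm.Pub, nonce, ExpectedPCRs(images), tpm.Quote(nonce)))
}
```

Running it with `go run` prints `<nil>` for the known-good boot and a PCR-mismatch error once an extra image has been measured. A logical binding of the kind the PC Client spec allows would have to add something to this picture, for instance an authenticated channel between chip and board keyed at manufacture, because the quote alone verifies identically wherever the chip happens to be plugged in.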