Peter Gutmann wrote:
> "David G. Koontz" <[EMAIL PROTECTED]> writes:
>
>> There are third party TPM modules, which could allow some degree of
>> standardization:
>
> As I said in my previous message, just because they exist doesn't mean they'll
> do anything if you plug them into a MB with the necessary header (assuming you
> have a MB with the header, and it's physically compatible, and electrically
> compatible, and the BIOS is compatible, and ...).
>
> Which MBs have you plugged one of these TPMs into and had it work?

I don't have the luxury of buying tchotchkes to prove a point. (Ya, I have no use for this stuff either). In view of Peter's insistence it was worth looking harder.

I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin header for the IEI TPM pluggable. After an extensive investigation I found no direct evidence you can actually do as Peter states and roll your own building a TPM enabled system. That includes downloading the BIOS and trying to search it. Found evidence of a TPM driver, no hard proof though.

Why the emphasis on doing this as an end user anyway? Heck you should have seen how hard it was to get DVDs to work with Windows98 on an Intel D815 motherboard as an end user. It took the same level of investigation, and I still got lucky. The information necessary is available to OEMs, not generally end users.

Looking across various vendors' motherboards you see statements in the specifications stating TPM v1.2 support which I'd be inclined to think means BIOS support.

I looked for mention of the IEI motherboards, and found distributors, no mention of anyone actually using them other than for industrial use. The Fujitsu-Siemens motherboards with TPM were similarly for industrial use. The idea of system integrity makes sense for say industrial robotics. Wonder if someone thought of using ECC memory?

I found a Foxconn motherboard with the same 20 pin connector. Didn't find it on their G33 motherboard (Bearlake). There was no mention of TPM support in any documentation for the G33 board. I downloaded the BIOS for the board with the connector, de-lharc'd it and searched for strings indicating TPM support. Didn't find any references at all. It appears to be an older Phoenix BIOS. Same story for Peter - no proof you could actually use it, worse still, nothing in the BIOS.

I found a Supermicro C2SBA motherboard (another G33 Bearlake) that you can buy today.
TPM enabled, there's a jumper described in the manual to enable TPM, which allows the BIOS page for it to show up. Sounds like solid support. The manual only has the topside layout. The jumper is near the system front edge, and the closest silicon is the ICH9 Southbridge. Note that the LPC bus is on the Southbridge anyway and would interconnect to a TPM chip (as well as BIOS FLASH/ROM). There's a candidate chip near the front panel stuff not too close to the BIOS chip, I couldn't find a high enough resolution photo to read the label. There is no through hole connector footprint for an external TPM manual visible.

If I wanted to buy a TPM motherboard today, I could, a brand new one, too. The manual has pictures of the TPM pages in the BIOS console. The BIOS should work. Around $164 in the U.S., real pretty too with all the copper cooling on it.

There's also indication of whitebox integrators using the Intel motherboards with TPM in-built. No indications of volume, which is probably the real question.

>
>> TPM may well end up being present ubiquitously.
>
> Smart cards may well end up being present ubiquitously.
> Hardware RNGs may well end up being present ubiquitously.
> NIC-based crypto may well end up being present ubiquitously.
> Biometric readers may well end up being present ubiquitously.
> Home taping is killing mus... oops, wrong list.
>
> Been there, done that, got the tchotchkes to prove it.
>
> I've seen zero evidence that TPMs are going to be anything other than a repeat
> of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
> failed hardware silver bullets that crop up every few years. Wait a year or
> two and there'll be some other magic gadget along to fix all our problems.

I found a FIPS 140-2 compliance statement from Phoenix dated July 2006, that mentions all your silver bullets except the biometric readers and encrypting NIC.
http://csrc.nist.gov/cryptval/140-1/140sp/140sp709.pdf

Someone doesn't think they are all relegated to tchotchkes, just yet. I was surprised to hear Intel's random number chip is still marketed, must still be used in Type 1 COMSEC stuff.

There is indication that TPM is tied to fingerprint scanners on laptops, they could be a passing fad. It'd be nice to see someone demonstrating spoofing one.

Found something else that supports Peter's point of view. Found a web page claiming that Intel's vPRO doesn't require a TPM chip. It isn't clear how closely aligned vPRO is to DMTF.

As far as TPM and DMTF, most of the hits relating to the two can be traced back to the Trusted Computing Group, which may be trying to find a raison d'être for the thing. There's evidence the two organizations have collaborated on how to use TPM. Hard to find any evidence it resulted in anything. Looking through the DMTF stuff, I got the idea distributed management is taking a pragmatic view, no required hoops to jump through.

It was amusing to read here that the TPM chips on Macs aren't used.

Peter could be right about the emperor not having any clothes. I'll offer him the TPM pluggable module out of my defunct Thinkpad for his collection if he wants, I can easily send it to the North Island. I never used it. I somehow don't see fingerprint scanners sufficient to drive the need.

The Phoenix compliance statement says crypto drivers lose FIPS 140-2 compliance when using TPM, due to using something beyond their cryptographic boundary. Doesn't seem to have a lot of other solid redeeming features.

Does anyone know of any enterprise success stories using TPM? Somebody has to be actually using this stuff, even if we can't tell how much of it.