On Mon, Sep 21, 2009 at 05:32:07PM +0200, Michal Suchanek wrote:
> 2009/9/21 Sam Mason <[email protected]>:
> > Yup, I wasn't trying to protect against the admin. Just noting that it
> > will help to tell them when things are getting out of date.
>
> You can send them an email or show a warning message on the terminal
> until they upgrade without any need for TPM.

Yes, the machines could be blocked from the network and the admin emailed.

> > But you can't be sure that a remote attacker hasn't put a rootkit in
> > somewhere. AFAIU, TPM should allow you to detect this.
>
> As should any other comparison with previous checksums which can be,
> for example, stored on a read-only boot media together with a
> bootloader that checks them.

There are a boatload of attacks against this, aren't there? If it's just a
checksum, the attacker can remember the checksum from before and send it
back every time. It could also simulate the entire machine and insert bad
data when it wants.

> > I'd agree, I'm struggling to think of any use cases outside of high
> > assurance that would want anything to do with TPM.
>
> It doesn't give high assurance. It only gives assurance in combination
> with physical security, in which case it is just one of many options,
> and not particularly appealing.

Physical security does nothing about remote/software attacks though.

> You have to rely on the TPM manufacturer quite a bit because the
> devices come as black boxes with unknown internals.

Yes, but they're implementing a public spec and the economic incentives all
seem to be pointing the right way with this. If the manufacturer screws up
their implementation they're going to look bad to the people who matter.

> Then netboot the machines. No need for reimaging and users staring at
> broken machines.

An attacker can modify the BIOS so that it points to somewhere it controls.
Again, this isn't for normal PCs.

> The TPM specification was developed for DRM although it allows other
> uses.

Huh. I thought it was developed for other things, but my memory seems to
have got that wrong. All references I can see to it are from media-driven
interest groups. Sorry about that!

-- 
  Sam  http://samason.me.uk/
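The replay attack described above against a bare checksum check, and what a nonce-bound quote does about it, as an added Python example that is not part of the original thread. `ToyQuoter`, `_boot` and the sample image bytes are constructed stand-ins: a real TPM quote is an asymmetric signature over PCR values plus the verifier's nonce, replaced here by an HMAC under a key shared with the verifier so the example runs offline. The nonce only defeats replay; the "simulate the entire machine" attack is stopped only to the extent the quoting key lives in hardware the attacker cannot read, which is the part a plain checksum on read-only media cannot provide.

```python
import hashlib
import hmac
import secrets

# Constructed sample boot images; stand-ins, not real firmware bytes.
GOOD_IMAGE = b"bootloader+kernel+initrd (constructed sample)"
ROOTKIT_IMAGE = GOOD_IMAGE + b"+rootkit"


def measure(image: bytes) -> bytes:
    """The plain checksum both schemes start from."""
    return hashlib.sha256(image).digest()


# --- Scheme 1: host software reports a bare checksum ------------------------

def checksum_verifier_accepts(reported: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(reported, expected)


def replay_against_checksum() -> bool:
    """Attacker captured the good checksum before compromising the box and
    keeps sending it back.  Returns True if the verifier is fooled."""
    expected = measure(GOOD_IMAGE)
    recorded = measure(GOOD_IMAGE)  # captured from an earlier honest report
    # The box now runs ROOTKIT_IMAGE, but the rootkit answers the check
    # itself and never looks at the disk.
    reported = recorded
    return checksum_verifier_accepts(reported, expected)


# --- Scheme 2: nonce-bound quote keyed inside a device the OS cannot read ---

class ToyQuoter:
    """Hypothetical stand-in for a TPM quote.  The PCR is extended by the
    boot chain and cannot be reset by later software; the key never leaves
    the device.  HMAC with a verifier-shared key replaces the real
    asymmetric signature for brevity."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pcr = bytes(32)

    def extend(self, measurement: bytes) -> None:
        # Extend is one-way: software can add measurements, not remove them.
        self._pcr = hashlib.sha256(self._pcr + measurement).digest()

    def quote(self, nonce: bytes) -> tuple:
        mac = hmac.new(self._key, nonce + self._pcr, "sha256").digest()
        return self._pcr, mac


def expected_pcr(image: bytes) -> bytes:
    """What the verifier expects the PCR to read after a clean boot of image."""
    return hashlib.sha256(bytes(32) + measure(image)).digest()


def quote_verifier_accepts(key: bytes, nonce: bytes, pcr: bytes, mac: bytes,
                           expected: bytes) -> bool:
    good_mac = hmac.new(key, nonce + pcr, "sha256").digest()
    return hmac.compare_digest(mac, good_mac) and hmac.compare_digest(pcr, expected)


def _boot(image: bytes, key: bytes) -> ToyQuoter:
    dev = ToyQuoter(key)
    dev.extend(measure(image))  # done by the boot chain, before any OS code
    return dev


def honest_quote_accepted() -> bool:
    key = secrets.token_bytes(32)
    dev = _boot(GOOD_IMAGE, key)
    nonce = secrets.token_bytes(16)
    pcr, mac = dev.quote(nonce)
    return quote_verifier_accepts(key, nonce, pcr, mac, expected_pcr(GOOD_IMAGE))


def replay_against_quote() -> bool:
    """Same replay attack against the quote.  Returns True if the verifier
    is fooled."""
    key = secrets.token_bytes(32)
    dev = _boot(GOOD_IMAGE, key)
    # Earlier honest check: attacker sniffed the verifier's nonce and the reply.
    old_nonce = secrets.token_bytes(16)
    recorded = dev.quote(old_nonce)
    # Today: fresh nonce, but the rootkit replays the recorded answer.
    new_nonce = secrets.token_bytes(16)
    pcr, mac = recorded
    return quote_verifier_accepts(key, new_nonce, pcr, mac, expected_pcr(GOOD_IMAGE))


def rootkit_in_boot_chain_rejected() -> bool:
    """A rootkit that is part of what gets booted is measured into the PCR,
    so even a genuine, fresh quote no longer matches.  Returns True if rejected."""
    key = secrets.token_bytes(32)
    dev = _boot(ROOTKIT_IMAGE, key)
    nonce = secrets.token_bytes(16)
    pcr, mac = dev.quote(nonce)
    return not quote_verifier_accepts(key, nonce, pcr, mac, expected_pcr(GOOD_IMAGE))


if __name__ == "__main__":
    print("bare checksum fooled by replay:", replay_against_checksum())
    print("quote fooled by replay:        ", replay_against_quote())
    print("rootkit in boot chain rejected:", rootkit_in_boot_chain_rejected())
```

The difference between the two schemes is not the hash; it is that the verifier chooses the nonce per check and that the MAC key is somewhere the compromised OS cannot reach. Drop either and the checksum-on-read-only-media scheme and the quote scheme are equally replayable.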
