Why shouldn't Apple use Trusted Computing?

| Comments (7) | TrackBacks (21) |
Over at BoingBoing, Cory Doctorow is flipping out over the discovery that the new OS/X kernel seems to depend on TCPA.
Here's the important part though: when I use apps that aren't free, like Apple's Mail.app, BBEdit, NetNewsWire, etc, I do so comfortable in the fact that they save their data-files in free formats, open file-formats that can be read by free or proprietary applications. That means that I always retain the power to switch apps when I need to. That means that if the vendor changes their policy in a way that is incongruent with my needs, or if they go out of business, or if they treat me badly, I can always go across the street to another vendor, or to a free software project, and switch. This acts as a check against abusive behavior on the vendors' part and it is, I believe, partly responsible for the quality and pricing of their offerings.

...

What this means is that "open formats" is no longer meaningful. An application can write documents in "open formats" but use Trusted Computing to prevent competing applications from reading them. Apple may never implement this in their own apps (though I'll be shocked silly if it isn't used in iTunes and the DVD player), but Trusted Computing in the kernel is like a rifle on the mantelpiece: if it's present in act one, it'll go off by act three.

...

Yeah, yeah, DRM sucks, but all this angst seems rather overwrought. Consider what we know so far: you won't be able to run MacOS/X on hardware that doesn't have TCPA:

We found out that the Rosetta kernel uses TCPA/TPM DRM. Currently their are no ways known to get the GUI working on non-Apple hardware, with this protected kernel. Even with a SSE3 enabled cpu you will never get the GUI. Read more about TCPA here: http://www.againsttcpa.com/tcpa-faq-en.html

Why is this news? Certainly, we knew that Apple intended to tie the OS to the hardware. It's extremely unsurprising that they would want to use TCPA to get this job done (though as I mentioned earlier I'm not sure that TCPA provides that much value for this). There's nothing evil about this and it's pretty much required for Apple's business model.

The risk here, I suppose, is that it seems likely that Macs will have TCPA hardware in them in the future, which means that vendors may actually take advantage of that to do DRM. I can see how Doctorow would be unhappy about that, but this was likely ever since we know that Apple was using Intel, since Intel loves TCPA (though you could imagine using non-TCPA chipsets with Intel processors) so this isn't really news either. And it's not a reason to stop using Macs any more than the fact that your PC has TCPA is a reason not to use Linux.

None of this means, of course, that Apple won't decide to provide some kind of DRM service in the OS. And certainly having the technology to do so does give them some permanent temptation to do so, but I don't think that we have much more information about their intentions on their front today than we did last week.

21 TrackBacks

Listed below are links to blogs that reference this entry: Why shouldn't Apple use Trusted Computing?.

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/356

credit card application from credit card application on August 5, 2005 1:46 PM

credit card application Read More

tattoo Read More

roulette software from roulette software on August 17, 2005 6:40 AM

roulette software Read More

private investigation from private investigation on August 17, 2005 7:34 AM

private investigation Read More

online roulette from online roulette on August 26, 2005 1:04 PM

online roulette Read More

diploma Read More

aricept Read More

Dad boy gay from Incest free text story on November 17, 2005 9:17 AM

Free movies xxx zoo Bestiality horse fucking dog Hard sexual rape free pictures Xxx dvd rape Read More

Mom lesbians video free Free sample school sex clip Download free laure sainclair Porn gay free video family Read More

befouling clings,Saturnism.auditorium ward,bicker Westphalia poker games http://www.norwichwriters.org/poker-games.html Read More

Porn japan erotic from Animalsex porno pics on December 24, 2005 4:35 AM

Arkan film free Nude pak celebrity pics Young fantacy girls Bbs pic nude Read More

Darlene adversely odds donate Tyler.birdbath mutilate inspiring atenolol http://atenolol.d-daystore.com/ Read More

rules for poker from rules for poker on January 25, 2006 10:03 AM

strangers stereo ascension violently readiness incur chord?dries buy poker tables http://www.lovejewelry.net/buy-poker-tables.html Read More

lifeinsurance from lifeinsurance on January 31, 2006 8:40 PM

lifeinsurance Read More

7 Comments

Unfortunately, the only thing TCPA hardware can do is to restrict what is running on the box. The opposite way, restricting on which machines software can be executed, cannot work reliably. The latter always leads to the typical arms race.

I could see two ways to do it with TCPA. They could program the same private RSA key into all the TPMs of the Apple boxes. Then the software could check that the TPM held that key. However this would prevent the TPM from ever being used for its intended purposes (some of which are relatively benign such as corporate network security) because that might depend on the unique key per TPM that it is designed to have.

The other possibility is to program each TPM with a unique key and to issue a special Apple cert on that key. Then the SW looks for the TPM to have an Apple certified key. This is more flexible, but it is quite a bit more complex to set up, manage and run. Apple would in effect be acting as a mini-CA. However at present there are presumably only a relative handful of dev machines so perhaps it could be done manually for now and later scaled up.

Both approaches would have the risk that the software could be patched to disable the check, as with traditional copy protection measures - dongles and such.

OTOH: part of the REAL TCPA magic is the ability to certify and only boot a signed OS:

So the initial bootstrap of the OS is signed by apple, and if it isn't there, the system doesn't boot. It can be a lot more effective than the dongle systems, as the HARDWARE will only boot the genuine software.

Why do you think Microsoft so wants TCPA?

Nicholas, where would that OS signature check be done, then? In the BIOS? Is that what you mean by the hardware only booting genuine software, a BIOS check for a signature by a trusted key?

The TCM verifies that the bios is properly signed before the BIOS is allowed to start, and the TCM and/or the BIOS verifies that the OS is properly signed. Likewise, the OS once it boots can verify that the TCM was signed.

The problem, however: You could always EMULATE a TCM in a VM environment, and ALSO patch the OS to allow the false TCM key. But that is a PITA, and will still fail when you want to access external content which would verify a proper TCM's key.

The keystone to this system is the TCM's internal (private) key. Get this, and the system falls apart. But each TCM has its own unique key, so you can do revocation of duplicates. But it really relies on that you communicate with 3rd parties, which verify the TCM (and therefore implicitly verify that the TCM verified the OS) before releasing the key to the content.

Thanks, Nicholas, that's helpful. I don't think the TPM per se checks the BIOS, I think it is more of a pure crypto chip; rather, a special part of the BIOS hashes the rest of the BIOS and reports that hash to the TPM. Then as you say you get that staged boot process.

AFAIK the current situation is not that Apple boxes won't boot other software, but the opposite: the Apple software won't run on other boxes. I was speculating on how the TPM could be used to achieve that, and I agree with the other commentators that it doesn't seem to be a very natural way of using the chip. But there are some possible tricks, as I posted above.

If somebody came to me and said quick, we need a way to modify ordinary PCs so our software will only run on the special boxes, and it has to be something we can have working in a few weeks, and not something that hackers can easily mod their boxes to match, messing with the TPM might just be ugly enough to work. It could be a short term solution, with something a little more elegant in the eventual shipping boxes.

I am a bit confused. After having read the TCPA specs and design architecture papers, I still can't see how "the system doesn't boot" if the OS sig is not correct. All the TPM can do is store the hashes in the PCRs and perform attestation when required. It can also "seal" the value of data stored by linking it to the state of the binaries in the system. That is about is, isn't it?

Leave a comment