Re: Trusted computing [WAS new user question: debian on a Thinkpad T61]
David <davidpalmer@westnet.com.au> writes:
> Jimmy Wu wrote:
[...]
>> (2) Does Debian support TPM chips? What is the community's take on the issue?
>> My take is that TPM does have some security merits, but it also has a
>> lot of potential for abuse.
>> Google turned up these results of the beginnings of TPM support in Linux:
>> http://www.linuxelectrons.com/news/linux/15574/ibm-brings-trusted-computing-linux
>> http://lwn.net/Articles/144681/
>
> Never on my machine.
TPM is actually pretty interesting from a security perspective. It
has nothing to do with ID on the Internet, but instead uses a chain of
certificates to verify that the code you're booting is what's
configured in the TPM settings. If you get a boot sector virus, your
computer won't boot because it doesn't match what's expected. If your
box gets owned and the kernel hacked to hide the intruder, it will
stop booting because the kernel won't match what's expected. If your
applications are modified by an attacker, they won't run because they
aren't what's expected.
The big question that determines whether this is a giant security win
or a huge loss of control is who gets to configure TPM. If it's you,
great, you can decide what OS to trust, etc. But if it's the
manufacturer, then you've lost control over what you can boot, which
is awful. It doesn't seem clear to me yet which will be prevalent.
Also, it's not clear what this will do for reliability. Will minor,
correctable corruption become complete breakage? Time will tell, I
guess.
---Scott.
Reply to: