
trusted computing chip on board mac intel dev kits


15 posts in this topic


One of the standard features of the TPM is the ability to put your own keys and secure hashes into it; that doesn't require a custom chip. All they need to do is to program it when they make the board. So yes in theory you could use a standard Intel motherboard, but you'd need to know the OS-X specific key and have the utilities to program it. The only key which all TPMs have by default is the unique identifier which is randomly generated in the first initialisation process. I don't believe it would make any sense for Apple to use this for locking the OS to the hardware or otherwise their installation DVDs would have to be specific to each computer... not practical!

 

One of the weakest points is that the decryption on the TPM is inherently slow slow slow; far too slow to decrypt large chunks of data. The net result of this is that I'd bet that the O/S is not scrambled using non-discoverable keys. More likely is that the TPM passes a decryption key to the CPU so it can decrypt anything that's needed; now there is some way of "sealing" the key using a simpler encryption method so it's not immediately obvious what the key is through scoping the LPC bus. TPM is located on a low-speed (33MHz) 4-bit bus which should be very easy to look at, especially since they're not masking the chip with resin or anything tricky like that. I'm not sure how the sealing process works. Perhaps somebody else can work this out?

 

I do wonder how they're using it - perhaps they could just use the platform configuration registers to contain a valid hash of some part of the OS, then that is passed through the TPM which returns a valid/not valid answer? In which case surely it should be possible to just get a debugger in there somewhere and skip the branch command. If it is using the CPU to decrypt things, it will probably be using system RAM to store the key, so perhaps someone can just get a snoop RAM board in place of the standard DIMM, and look through that for the key?

 

I really don't think this will keep the OS secure for long to be honest. Get Bunnie (XBox hacker) on it or something and he'll have it sorted! :)

Link to comment
Share on other sites
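
The first post asks how sealing works and whether a PCR-based valid/not-valid check could be sidestepped in software. As an added example that is not part of the original thread, this toy Python model shows TPM 1.x PCR extension and a secret sealed to a PCR value; `SimTPM`, `measure`, `demo` and the stage names are hypothetical, and a hash-derived keystream stands in for the chip's RSA storage key.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # a TPM 1.x PCR holds one SHA-1 digest

class SimTPM:
    """Toy model of PCR extend and seal/unseal; not real TPM cryptography."""
    def __init__(self):
        self._root = os.urandom(32)  # stand-in for a key that never leaves the chip
        self.reset()

    def reset(self):
        self.pcrs = [bytes(PCR_SIZE)] * 16  # platform reset zeroes PCRs, key survives

    def extend(self, index, data):
        # PCR_new = SHA-1(PCR_old || SHA-1(data)); software cannot set a PCR directly.
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _xor(self, nonce, data):
        pad = hashlib.shake_256(self._root + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, pad))

    def seal(self, index, secret):
        nonce = os.urandom(16)  # blob binds the secret to the PCR's current value
        return index, nonce, self._xor(nonce, self.pcrs[index] + secret)

    def unseal(self, blob):
        # The comparison runs inside the chip; on mismatch no plaintext is returned.
        index, nonce, ct = blob
        body = self._xor(nonce, ct)
        if not hmac.compare_digest(body[:PCR_SIZE], self.pcrs[index]):
            return None  # models the chip's wrong-PCR error
        return body[PCR_SIZE:]

def measure(tpm, stages):
    """Reset the platform and extend each boot stage into PCR 0."""
    tpm.reset()
    for stage in stages:
        tpm.extend(0, stage)
    return tpm

def demo():
    good = [b"firmware image", b"boot loader"]        # constructed sample stages
    patched = [b"firmware image", b"patched loader"]  # constructed sample stages
    tpm = SimTPM()
    blob = measure(tpm, good).seal(0, b"volume key")
    return measure(tpm, good).unseal(blob), measure(tpm, patched).unseal(blob)
```

`demo()` returns the secret for the measured-good boot and `None` for the changed one. The model does not cover what happens to the secret after release, which is the LPC bus and RAM exposure discussed in the thread.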

> One of the standard features of the TPM is the ability to put your own keys and secure hashes into it; that doesn't require a custom chip. All they need to do is to program it when they make the board. So yes in theory you could use a standard Intel motherboard, but you'd need to know the OS-X specific key and have the utilities to program it. The only key which all TPMs have by default is the unique identifier which is randomly generated in the first initialisation process. I don't believe it would make any sense for Apple to use this for locking the OS to the hardware or otherwise their installation DVDs would have to be specific to each computer... not practical!

Apple can not put keys into the TPM during/after manufacturing. You need to take Ownership of TPM, before you can do so; the Storage Root Key is only generated during TakeOwnership. So presumably some magic happens during installation?

> One of the weakest points is that the decryption on the TPM is inherently slow slow slow; far too slow to decrypt large chunks of data.

This of course is a design choice. The TPM only has RSA and SHA-1, so no bulk encryption mechanism (AES).

> The net result of this is that I'd bet that the O/S is not scrambled using non-discoverable keys. More likely is that the TPM passes a decryption key to the CPU so it can decrypt anything that's needed; now there is some way of "sealing" the key using a simpler encryption method so it's not immediately obvious what the key is through scoping the LPC bus.

What are you referring to? TPM v1.2 standard has added Transport Protection (encryption and authorization). But I think they are using a v1.1 Infineon (same one as HP machines and Intel motherboards use).

> TPM is located on a low-speed (33MHz) 4-bit bus which should be very easy to look at, especially since they're not masking the chip with resin or anything tricky like that. I'm not sure how the sealing process works. Perhaps somebody else can work this out?

We have put a logic analyzer on the LPC bus and you can indeed see everything passing on the bus. We plan on intercepting keys on the LPC bus from real applications. This was on an IBM machine with Atmel TPM v1.1b, but we have an Intel motherboard with Infineon TPM (same as in Apple development machine) lying ready in our lab ;-)

> I do wonder how they're using it - perhaps they could just use the platform configuration registers to contain a valid hash of some part of the OS, then that is passed through the TPM which returns a valid/not valid answer? In which case surely it should be possible to just get a debugger in there somewhere and skip the branch command. If it is using the CPU to decrypt things, it will probably be using system RAM to store the key, so perhaps someone can just get a snoop RAM board in place of the standard DIMM, and look through that for the key?

My colleague and I (both doing research on trusted computing) have no clue what Apple is using a TPM for. They have complete control over the platform. If they want to limit MacOS to Mactel machines, they should just put protection into the firmware...

> I really don't think this will keep the OS secure for long to be honest. Get Bunnie (XBox hacker) on it or something and he'll have it sorted! :)

If the first Intel based Macs start shipping, we will buy one for sure to look at it :D
Link to comment
Share on other sites

> Apple can not put keys into the TPM during/after manufacturing. You need to take Ownership of TPM, before you can do so; the Storage Root Key is only generated during TakeOwnership. So presumably some magic happens during installation?

Yes you're right you need to take ownership first, but I don't believe they'll have any problems writing a utility that is run by the ODM that makes the boards to plug some data into there during their test process - harder would be to stop that utility from spreading outside of the factory! Anyway when they're in, if they are not allowed to come out, then they won't!

The standard utilities run under DOS at the moment and generate the Endorsement Key - only once, and this cannot be read. It is, however, used to generate other keys such as the SRK when the TPM's ready to take an owner.

> This of course is a design choice. The TPM only has RSA and SHA-1, so no bulk encryption mechanism (AES).

I believe it had 3DES, but could be wrong? Perhaps it can just store DES keys that then the CPU can use.

> What are you referring to? TPM v1.2 standard has added Transport Protection (encryption and authorization). But I think they are using a v1.1 Infineon (same one as HP machines and Intel motherboards use).

I'm only familiar with 1.1, but am not a hacker by any stretch of the imagination! I was suspecting they might add something along those lines to 1.2. I guess they could always encrypt the key with another key that cannot leave the TPM, although that would have to be stored in the software somewhere so the CPU could decrypt it at the other end, and if it's in the software it shouldn't be too hard to find!

Not too sure if TPM 1.2 devices are shipping yet.

> We have put a logic analyzer on the LPC bus and you can indeed see everything passing on the bus. We plan on intercepting keys on the LPC bus from real applications. This was on an IBM machine with Atmel TPM v1.1b, but we have an Intel motherboard with Infineon TPM (same as in Apple development machine) lying ready in our lab ;)

hehe great stuff! And remember even if they do go encrypted over LPC then they'll have to be decrypted in RAM or CPU registers in order to be used ;)

> My colleague and I (both doing research on trusted computing) have no clue what Apple is using a TPM for. They have complete control over the platform. If they want to limit MacOS to Mactel machines, they should just put protection into the firmware...

Sounds interesting research!

I suspect they want to use it for a few things -

a) As a basic level of protection against people running OS X on their standard hardware so they can keep punting highly-priced shiny boxes. Which is fair enough; I suspect they'll be happy enough as long as the average user will find it so difficult that they won't bother, and will rely on legal protection against any company that dared to try to sell Mac clones.

b) All the iTunes DRM stuff (surprise surprise)

c) To support the Trusted Networking protocols.

Your firmware point is very good - I wonder what they'll do on this. What is the situation with the dev boards? Do they have standard BIOSes? The problem is that, at the end of the day, there is very little they can do to stop people flashing a BIOS from another board with identical components onto the board; or the other way around - to flash a Mactel board's BIOS onto a similar standard board. But this restricts you to that choice of components, or in other words no nice cheap AMD processors and chipsets :D

Anyway we'll see what happens!

Link to comment
Share on other sites

> Yes you're right you need to take ownership first, but I don't believe they'll have any problems writing a utility that is run by the ODM that makes the boards to plug some data into there during their test process - harder would be to stop that utility from spreading outside of the factory! Anyway when they're in, if they are not allowed to come out, then they won't!
>
> The standard utilities run under DOS at the moment and generate the Endorsement Key - only once, and this cannot be read. It is, however, used to generate other keys such as the SRK when the TPM's ready to take an owner.

I doubt Apple can/will put keys into the TPM before their computers ship to customers, because I believe the TPM spec does not allow so as long as Ownership is not taken. I will check the spec to verify this...

And Macs don't come with the OS pre installed. You need to insert an installation CDROM the first time you power up a new Mac (this has always been the case; e.g., last time my father bought an iMac G5).

> I suspect they want to use it for a few things -
>
> a) As a basic level of protection against people running OS X on their standard hardware so they can keep punting highly-priced shiny boxes. Which is fair enough; I suspect they'll be happy enough as long as the average user will find it so difficult that they won't bother, and will rely on legal protection against any company that dared to try to sell Mac clones.
>
> b) All the iTunes DRM stuff (surprise surprise)
>
> c) To support the Trusted Networking protocols.

Steve Jobs indeed said that it is their goal to limit the installation of MacOS X strictly to Apple machines. They do not want to prohibit people from installing Linux or Windows on the future Macs. So a) is surely a goal for them. But we do not see how they can do this with a TPM.

I totally agree with c)

I really doubt b) is one of the reasons. Why would they do all the effort of making iTunes using a TPM? They still offer a Windows version of iTunes which can not rely on trusted computing. And a TPM is far from enough for a good DRM scheme: you need a secure audio path for this. Look at all the (freaky) stuff Longhorn has to add to please Hollywood: http://www.microsoft.com/whdc/device/strea...ut_protect.mspx

> Your firmware point is very good - I wonder what they'll do on this. What is the situation with the dev boards? Do they have standard BIOSes? The problem is that, at the end of the day, there is very little they can do to stop people flashing a BIOS from another board with identical components onto the board; or the other way around - to flash a Mactel board's BIOS onto a similar standard board. But this restricts you to that choice of components, or in other words no nice cheap AMD processors and chipsets ;)

The development boards are said to use a standard BIOS, but people suggest that this does not need to be the case for the final machines. I guess they could use EFI (Extensible Firmware Interface). The TCG is currently making PC specific spec (v1.2) for EFI based machines (and conventional BIOS machines).
Link to comment
Share on other sites

wouldn't apple follow the standard way of attestation ?

I don't think rosetta instructions are actually encrypted just because a) tpm can't and is not designed to cipher a lot of data b) that's really awkward way of doing it.

The intel paper and the 1.1 spec actually describe the concept behind attestation, which is really the goal here (check the platform). There's even an implementation of it on one IBM research website.

Link to comment
Share on other sites

I doubt attestation will happen any time soon. You need a whole PKI for this and no one is willing to set it up. Maybe TNC (Trusted Network Connect) will increase interest in attestation...

 

In theory, Apple could use remote attestation when you access the iTunes store or when you get Software Updates. Only genuine Apple machines can then get access to this data.

 

TrouSerS (IBM TCG Software Stack) does not currently support attestation, only protected storage.

 

 

Anyway, the TPM is (in my impression) not designed for the goal Apple has set (limiting installation of MacOS X to Macs).

Link to comment
Share on other sites

> And Macs don't come with the OS pre installed. You need to insert an installation CDROM the first time you power up a new Mac (this has always been the case; e.g., last time my father bought an iMac G5).

lol, um, my iBook came just peachy w/ OS X installed. that'd be plain moronic from a company that's built its name on how their equipment is supposed to "just work". there's not a person in any Mac forum, that i've seen, that's mentioned this in their user experience, and i'm a moderator at one of them. stick to the tech stuff u seem to be rocking at. :)

Link to comment
Share on other sites

> > I do wonder how they're using it - perhaps they could just use the platform configuration registers to contain a valid hash of some part of the OS, then that is passed through the TPM which returns a valid/not valid answer? In which case surely it should be possible to just get a debugger in there somewhere and skip the branch command. If it is using the CPU to decrypt things, it will probably be using system RAM to store the key, so perhaps someone can just get a snoop RAM board in place of the standard DIMM, and look through that for the key?
>
> My colleague and I (both doing research on trusted computing) have no clue what Apple is using a TPM for. They have complete control over the platform. If they want to limit MacOS to Mactel machines, they should just put protection into the firmware...

So it is being confirmed by an anonymous, but reliable source, that Apple will not use a TPM in their final product.

The Open for Business source also cautioned against trying to predict too much about the future Intel-based Macs from the developer kits. “Because they are developer kits only, future functionality of boot protection that prevents OS X x86 from booting on compatible non-Apple hardware, graphical interface, and other underlying technologies are emulated and do not reflect a production environment.” The source emphasized that “they [are not] indicative of the future production release of Mac OS X for Intel.”

source: http://www.ofb.biz/modules.php?name=News&f...order=0&thold=0

 

As stated earlier, TPM is not designed for the goal Apple has. So expect other hardware and software changes (e.g. in boot firmware).

Link to comment
Share on other sites
