Eric Murray writes:
The TCPA chip verifies the (signature on the) BIOS and the OS. So the software driver is the one that's trusted by the TCPA chip.
I don't believe this is correct. The TPM does not verify any signatures. It is fundamentally a passive chip. Its only job is to store hashes of software components that the BIOS, boot loader and OS report to it. It can then report those hashes in attestations, or perform crypto sealing and unsealing operations in such a way that sealed data is locked to those hashes, and can't be unsealed if the hashes are different. and then asks:
I have an application for exactly that behaviour. It's a secure appliance. Users don't run code on it. It needs to be able to verify that it's running the authorized OS and software and that new software is authorized. (it does it already, but a TCPA chip might do it better).
So a question for the TCPA proponents (or opponents): how would I do that using TCPA?
You might want to look at enforcer.sourceforge.net for some ideas. They created a Tripwire-like system which does a secure boot and compares the software that is loaded with "approved" versions. I don't remember if they used signatures or hashes for the comparison but presumably either one could be made to work. Marcel Popescu's message was mostly content free (I love the way he thinks its OK to lie as long as it's in English! - remind me never to trust this guy) but he did ask one non-"rethorical" question:
Name other five (out of the "most") laptop companies offering this chip in their laptops. (This is NOT rethorical, I'm really curious.)
IBM T43 and Thinkpads (over 16 million TPMs shipped as of last year). HP/Compaq nc6000, nc8000, nw8000, nc4010 notebooks. Toshiba Dynabook SS LX, Tecra M3 and Portege M205-S810. Fujitsu Lifebook S7010 and LifeBook E8000 laptops; T4000 and ST5020 tablets. Samsung X-Series. NEC VersaPro/VersaProJ. and now Dell Latitude D410, D610 and D810.