Dell to Add Security Chip to PCs

[Anonymous]

Eric Murray writes:
> The TCPA chip verifies the (signature on the) BIOS and the OS.
> So the software driver is the one that's trusted by the TCPA chip.

I don't believe this is correct.  The TPM does not verify any signatures.
It is fundamentally a passive chip.  Its only job is to store hashes
of software components that the BIOS, boot loader and OS report to it.
It can then report those hashes in attestations, or perform crypto sealing
and unsealing operations in such a way that sealed data is locked to
those hashes, and can't be unsealed if the hashes are different.

and then asks:
> I have an application for exactly that behaviour.
> It's a secure appliance.  Users don't run
> code on it.  It needs to be able
> to verify that it's running the authorized OS and software
> and that new software is authorized.
> (it does it already, but a TCPA chip might do it better).
>
> So a question for the TCPA proponents (or opponents):
> how would I do that using TCPA?

You might want to look at enforcer.sourceforge.net for some ideas.
They created a Tripwire-like system which does a secure boot and compares
the software that is loaded with "approved" versions.  I don't remember
if they used signatures or hashes for the comparison but presumably
either one could be made to work.

Marcel Popescu's message was mostly content free (I love the way he
thinks its OK to lie as long as it's in English! - remind me never to
trust this guy) but he did ask one non-"rethorical" question:

> Name other five (out of the "most") laptop companies offering this chip in
> their laptops. (This is NOT rethorical, I'm really curious.)

IBM T43 and Thinkpads (over 16 million TPMs shipped as of last year).
HP/Compaq nc6000, nc8000, nw8000, nc4010 notebooks.
Toshiba Dynabook SS LX, Tecra M3 and Portege M205-S810.
Fujitsu Lifebook S7010 and LifeBook E8000 laptops; T4000 and ST5020 tablets.
Samsung X-Series.
NEC VersaPro/VersaProJ.
and now Dell Latitude D410, D610 and D810.