[Fwd: Re: sad treacherous computing day]
simo.sorce at xsec.it
Thu May 10 13:43:38 UTC 2007
On Thu, 2007-05-10 at 14:33 +0100, Alex Hudson wrote:
> Simo - just to be clear, if we're talking specifically about the TC in
> Thinkpads, it might be theoretically possible to use them in such a
> scenario, but the way they come out of the factory it would be very
> difficult. There is no root certificate or chain of trust that you could
> turn no, nor no private key that Microsoft (or whoever) could use to
> sign a kernel that would be the only one allowed to boot. They basically
> come as empty containers.
> Of course, you could maybe ship a custom bios that uses the TPM chip in
> the Thinkpad to store keys that do check the boot software, but if
> you're doing that you don't actually need the TPM chip - you can do
> basically the same thing in the BIOS (witness the problems using non-IBM
> wifi cards in Thinkpads).
> And you're right, the proposed Palladium system is not what is in
> Thinkpads - different chip, different idea, and I don't for one second
> support that kind of scenario.
> I think people should be less concerned about supposed problems with TPM
> chips and more concerned with stuff like UEFI which actually does
> threaten users' control over their machines, e.g.:
> Unlike Palladium, you can actually buy hardware with this stuff in (for
> example, Macs).
I agree with you on every single word,
More information about the Discussion