Intel Open-Sources New TPM2 Software Stack

  • boxie
    replied
    Originally posted by ryszardzonk View Post
    There are those of us that want freedom and believe people are smart enough to decide what is best for them, and there are those that believe others, mainly government and institutions, always know better than the people. That being said, trusting corporations to decide what is a threat and what is not is always a road to fascism (or, as Mussolini named it, corporationism), and sooner or later people end up with no choice.
    I think you went from philosophical to tinfoil hat pretty quickly there. The user experience should be "It just works, gets out of my way and keeps me safe". As always, you can choose to use those features or disable them.

    We already rely on our governments (local, state, federal) to provide high levels of all sorts of services (Safety regulations, justice, law enforcement, education, transportation etc etc). Government is not inherently evil. It pays to keep this in mind. If your country is on the brink of falling into fascism and the only thing holding it back is a passionate discussion about TPM modules then I think there might be some other things that are wrong and should be fixed first!

    There are also a multitude of scientific studies that show that people do not always behave in their own best interest. A prime example being Windows UAC.

    So, while a closed Secure Enclave is a good thing, an open one is better. It simply allows more people to verify and to assert their trust over the given architecture.

    Originally posted by ryszardzonk View Post
    Ideas are always great. Communism in its core also has great ideas.
    So as long as I have an interface which allows me to set what I believe is trustworthy, and only the defaults are set by the corpo, then it should be fine for everybody. Otherwise we should never allow it.
    Choosing what to trust is your imperative and I agree we should be free to use these modules or not.

    As for communism - it suffers from the same problems as capitalism and anarchy - those who are in power will abuse it if they are allowed to.

  • Slithery
    replied
    Originally posted by Intel Open-Sources New TPM2 Software Stack
    ...and is designed to work with any TPM2 hardware implementation...
    Does anyone know if there are any other hardware providers? You could then choose to trust someone other than Intel.

  • boxie
    replied
    Originally posted by sandy8925 View Post

    The problem is that the TPM hardware chip contains closed-source firmware, and is essentially a mini-computer. We don't know what it can access and what it's doing. All we know is that we can securely store and retrieve keys - but no way of knowing if it's actually secure, and whether or not there are backdoors.
    I 100% agree with you. It can however increase the difficulty of an attack against the computer (if it is used).

    The RISC-V secure enclave stuff recently reported on should be a nice extra.

  • ryszardzonk
    replied
    Originally posted by boxie View Post
    trusting a user to do the right thing all the time is a very dangerous road.
    There are those of us that want freedom and believe people are smart enough to decide what is best for them, and there are those that believe others, mainly government and institutions, always know better than the people. That being said, trusting corporations to decide what is a threat and what is not is always a road to fascism (or, as Mussolini named it, corporationism), and sooner or later people end up with no choice.

    Originally posted by boxie View Post
    As for this trust system (and any other) it seems that it increases the difficulty for an attacker - which is the goal.
    Ideas are always great. Communism in its core also has great ideas.
    So as long as I have an interface which allows me to set what I believe is trustworthy, and only the defaults are set by the corpo, then it should be fine for everybody. Otherwise we should never allow it.

  • sandy8925
    replied
    Originally posted by boxie View Post

    I thought you were against FUD? That is all that video is selling. And as for the "only the user really knows what to trust" argument that is being put forward in that video: trusting a user to do the right thing all the time is a very dangerous road.

    As for this trust system (and any other) it seems that it increases the difficulty for an attacker - which is the goal.
    The problem is that the TPM hardware chip contains closed-source firmware, and is essentially a mini-computer. We don't know what it can access and what it's doing. All we know is that we can securely store and retrieve keys - but no way of knowing if it's actually secure, and whether or not there are backdoors.

  • boxie
    replied
    Originally posted by uid313 View Post
    I thought you were against FUD? That is all that video is selling. And as for the "only the user really knows what to trust" argument that is being put forward in that video: trusting a user to do the right thing all the time is a very dangerous road.

    As for this trust system (and any other) it seems that it increases the difficulty for an attacker - which is the goal.

  • audir8
    replied
    Originally posted by stikonas View Post

    Trusted by intel obviously. There is no way to avoid trusting them unless you design and manufacture your own hardware.
    Most cheaper laptops/motherboards/desktop come without TPM, and you'll just have to enter an extra password at startup to secure the HD through luks or bitlocker.

    It's important to not confuse the TPM, which is a separate chip, with Intel ME/AMD PSP. TPMs are a convenience, and optional. They are necessary if you don't want to enter a password at startup but still want to boot from an encrypted drive, like for a server. You're trusting a TPM module about as much as you would trust a YubiKey.

  • microcode
    replied
    Originally posted by tildearrow View Post
    I feel like asking. When they say "trusted", do they mean "trusted by Intel", or " trusted by the user"? Because if it's the former, then it is a misnomer...
    There is a difference between "trusted" and "trustworthy". In this context, "trusted" really just means "high-risk", and implies that a certain standard of rigor goes into ensuring that it's worthy of somebody's trust.

  • nh2_
    replied
    Originally posted by dwagner View Post
    "Used for full disk encryption" only by people who earnestly believe that their few-cents-TPM chip could encrypt/decrypt data at the I/O rate of modern NVMe storage. Less misguided people know that the CPU will need to know the symmetric encryption key basically all the time while the system is running, so it isn't any safer when it is also stored in the TPM.
    I think the idea is that the TPM stores the keys for full-disk encryption, and hands them to the CPU only if trusted software is running.

    Examples:

    https://github.com/shpedoikal/tpm-luks
    https://github.com/fox-it/linux-luks-tpm-boot

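The mechanism nh2_ describes (the TPM releases the disk key only when the measured boot chain matches what it was sealed against) in an added simulation. This is illustration code written for this page, not code from the page, from Intel's stack, or from the two linked tpm-luks projects: a toy TPM in pure Python with extend-only PCRs and seal/unseal bound to a PCR policy, modelled on TPM 2.0 PolicyPCR but not using its API. The class and function names (SimTpm, measured_boot, try_unlock), the choice of PCRs 0 and 4, and the boot-chain strings are constructed for the example; the HMAC-based wrapping stands in for the TPM's internal key hierarchy and is not what a real chip does internally.

```python
import hashlib
import hmac
import os

PCR_BYTES = 32


class PolicyError(Exception):
    """Raised when current PCR values do not match the sealing policy."""


class SimTpm:
    """Toy model of the TPM features disk-unlock tools rely on: PCRs that
    can only be extended, and seal/unseal of a small secret bound to the
    PCR values present at sealing time. Simulation only, not the TPM 2.0 API."""

    def __init__(self, num_pcrs=8):
        self._root_secret = os.urandom(32)  # simulated root key; never leaves the "chip"
        self.num_pcrs = num_pcrs
        self.power_on()

    def power_on(self):
        # PCRs reset to zero at power-on; the root secret persists across boots.
        self.pcrs = [bytes(PCR_BYTES) for _ in range(self.num_pcrs)]

    def extend(self, index, measurement):
        # PCR[i] = H(PCR[i] || H(measurement)): ordered, and cannot be undone or set directly.
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def policy_digest(self, indices):
        # Digest over the selected PCRs; this is what the sealed secret is bound to.
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _wrap_key(self, policy):
        # Wrapping key depends on the root secret AND the policy, so editing the
        # policy stored in the blob yields a different key, not a bypass.
        return hmac.new(self._root_secret, policy, hashlib.sha256).digest()

    @staticmethod
    def _xor_keystream(key, data):
        # HMAC-in-counter-mode keystream; stands in for the TPM's symmetric wrapping.
        out = bytearray()
        counter = 0
        while len(out) < len(data):
            out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, out))

    def seal(self, secret, indices):
        policy = self.policy_digest(indices)
        key = self._wrap_key(policy)
        ct = self._xor_keystream(key, secret)
        tag = hmac.new(key, policy + ct, hashlib.sha256).digest()
        return {"pcrs": tuple(sorted(indices)), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob):
        current = self.policy_digest(blob["pcrs"])
        if not hmac.compare_digest(current, blob["policy"]):
            raise PolicyError("PCR values differ from those at sealing time")
        key = self._wrap_key(current)
        tag = hmac.new(key, current + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PolicyError("sealed blob has been tampered with")
        return self._xor_keystream(key, blob["ct"])


# Constructed boot chain: (PCR index, bytes the firmware/bootloader would measure).
TRUSTED_CHAIN = [
    (0, b"firmware-v1.2"),
    (4, b"grub-2.06-signed"),
    (4, b"vmlinuz-6.1 initrd-ok"),
]


def measured_boot(tpm, chain):
    tpm.power_on()
    for pcr, component in chain:
        tpm.extend(pcr, component)


def try_unlock(tpm, blob, chain):
    """Return the volume key if this boot chain reproduces the sealing policy, else None."""
    measured_boot(tpm, chain)
    try:
        return tpm.unseal(blob)
    except PolicyError:
        return None


def demo():
    tpm = SimTpm()
    luks_key = os.urandom(64)  # constructed stand-in for the LUKS volume key
    measured_boot(tpm, TRUSTED_CHAIN)
    blob = tpm.seal(luks_key, indices=[0, 4])  # blob can sit on unencrypted /boot

    tampered = list(TRUSTED_CHAIN)
    tampered[1] = (4, b"grub-evil-maid")  # a modified bootloader changes PCR 4
    return {
        "good_boot": try_unlock(tpm, blob, TRUSTED_CHAIN) == luks_key,
        "tampered_boot": try_unlock(tpm, blob, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes concrete, and which sit between the two posts above: the TPM never does the bulk disk encryption (the key comes back to the CPU and the CPU runs AES on the NVMe traffic), and the protection is about release conditions, not about the key being unknowable to a running system. An attacker who swaps the bootloader gets different PCR values and the blob will not unseal; an attacker who already has code running after a good boot is outside what sealing defends against.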
  • dwagner
    replied
    "Used for full disk encryption" only by people who earnestly believe that their few-cents-TPM chip could encrypt/decrypt data at the I/O rate of modern NVMe storage. Less misguided people know that the CPU will need to know the symmetric encryption key basically all the time while the system is running, so it isn't any safer when it is also stored in the TPM.
    Ah, and then of course there are those who leave it to the manufacturer of their storage device to implement encryption, which, while technically of course possible, is a gamble on abilities and diligence of storage manufacturers one should seriously not get into.
