Linked by Thom Holwerda on Wed 1st Nov 2006 21:56 UTC, submitted by PeteM
Amit Singh writes about the Trusted Computing Module found in Intel Macs. "Regardless of what the media has been harping on for a long time, and regardless of what system attackers have been saying about the 'evil TPM protection' Apple uses, Apple is doing no TPM-related evil thing. In fact, Apple is doing no TPM-related cryptographic thing at all in Mac OS X. Yes, I know, there has been much talk of 'TPM keys' and such, but there are no TPM keys that Apple is hiding somewhere. More specifically, Apple simply does not use the TPM hardware. In Apple computer models that do contain a TPM, the hardware is available for use by the machine's owner. Of course, to use it you need a device driver, which Apple indeed doesn't provide."
RE: conspiracy mode on...
by pcummins on Fri 3rd Nov 2006 08:41 UTC in reply to "conspiracy mode on..."

Maybe they are just waiting for the right time to start using it, like some kind of deep sleep agent?

From what I was reading about the Intel motherboards, the TPM module had to be disabled and ready for the user to start using (if ever). Basically it means they (OS manufacturers) can't use it as a default option out of the box for their own purposes. The only manufacturer that could probably pull it off is Apple, and if they just removed the TPM module it's unlikely they're seriously thinking about using it for various nefarious purposes (like DRM or binary encryption).

I'd imagine they'd provide software support for user level signing/encrypting, with an option to use the hardware TPM if it exists. If that picks up, I guess we could see more and more computers coming with TPM modules in the future instead of requiring external USB keys.

The only issue is that if you lose your computer or USB key, most TPM modules are designed to prevent private key extraction, so once that happens, you are seriously out of luck getting the private key loaded onto a new computer or USB key. I guess you could generate the keys external to the module, then load them onto the module as write/execute only. You'd have to be pretty sure that the machine is clean for this to work, however (malware could theoretically snarf the private key en route to the TPM module).

Additional edit: also, the use of TPM modules for private/public keys for signing and encryption only works well for private machines. Not quite as reliable with public access computers unless you can encrypt the private key, decrypt and load into the TPM module securely with a per-enterprise decryption key. Most TPM modules only have a limited number of slots for private/public keys, depending on how much flash RAM they have.

Edited 2006-11-03 08:45
