Difference between revisions of "Embedded Security Subsystem"
(→Linux Support: 2.6.15.1 tpm update) |
|||
Line 89: | Line 89: | ||
*ThinkPad {{X30}}, {{X31}}, {{X32}}, {{X40}}, {{X41}}, {{X41T}}, {{X60}}, {{X60s}} | *ThinkPad {{X30}}, {{X31}}, {{X32}}, {{X40}}, {{X41}}, {{X41T}}, {{X60}}, {{X60s}} | ||
*ThinkPad {{Z60m}}, {{Z60t}} | *ThinkPad {{Z60m}}, {{Z60t}} | ||
− | [[Category:Glossary]] | + | [[Category:Glossary]] [[Category:Trusted Computing]] |
==TCPA/TCG clean models== | ==TCPA/TCG clean models== |
Revision as of 18:23, 31 January 2006
The Embedded Security Subsystem
The Embedded Security Subsystem is simply a chip installed on the ThinkPad's mainboard that handles certain security-related tasks in conformance with the TCPA standard. It was first introduced with the T23 models and is now, under the name Embedded Security Subsystem 2.0, an integral part of most modern ThinkPads. The functions of the chip are bound to three main groups:
Trusted or Treacherous?
TC - Trusted Computing - will be the biggest change to the information landscape in decades. Besides positive features like more secure hardware storage for cryptographic keys, an analysis of the proposed TCG standards shows some problematic properties.
As ThinkPads of recent generations following the ThinkPad T23 (see the complete list of models) are equipped with this disputed TCG/TCPA technology, it is worth knowing which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG specifications still seem to be a privacy issue for every user of digital devices like an MP3 player or a ThinkPad. Please read this article for more details.
Linux Support
Two Linux drivers are available: a classical one and a newer one. The functional coverage of the first is unknown so far; the second is part of a bigger project aiming to provide a usable security framework.
David Stafford (one of the developers of the tpm code at IBM) on March 10, 2005 sent me the most recent version of the tpm-kml code. With his permission, I quote his email:
"I am attaching our latest driver and library. This version is in the process of kernel mailing list review, and will hopefully be accepted into the official kernel. It works much better across various 2.6 kernels. Note that this builds three modules tpm, tpm_atmel, and tpm_nsc. You modprobe the tpm_atmel (for all current shipping atmel based systems), or tpm_nsc (for the coming national based systems).
Also note that there is a conflict with the snd-intel8x0 kernel module (they each try to grab the LPC bus). You can either: load the tpm modules first (such as in initrd or rc.sysinit, before sound), or recompile the snd-intel8x0, turning off the MIDI and JOYSTICK support. The latest 2.6.11 version of snd-intel8x0 also reportedly fixes things."
Compiling this library was easy. Compiling the driver on my 2.6.8-686 (debian testing) laptop failed. But the library works with the driver I compiled from the tpm-2.0 package IBM made available on its pages (see the links below).
Gijs
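The load-order advice in the quoted email can be checked after boot. The following is an added example, not part of the original page or of IBM's driver package: it classifies a `/proc/modules`-format listing, which shows the most recently loaded module first. The function name, the result strings and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a TPM chip driver (tpm_atmel or tpm_nsc)
# was loaded before snd_intel8x0, as the email recommends.
# /proc/modules lists the newest module first, so a module further down
# the listing was loaded earlier.

# tpm_load_order [FILE]   (FILE defaults to /proc/modules, "-" = stdin)
# Prints one of:
#   no-tpm       no tpm_atmel/tpm_nsc driver is loaded
#   ok           chip driver loaded; sound absent or loaded after it
#   sound-first  snd_intel8x0 was loaded before the chip driver
tpm_load_order() {
    awk '
        ($1 == "tpm_atmel" || $1 == "tpm_nsc") && !tpm { tpm = NR }
        $1 == "snd_intel8x0"                           { snd = NR }
        END {
            if (!tpm)                  print "no-tpm"
            else if (snd && snd > tpm) print "sound-first"
            else                       print "ok"
        }
    ' "${1:-/proc/modules}"
}

# Constructed listings (sizes and addresses are made up).
sample_tpm_first() {
    printf '%s\n' \
        'snd_intel8x0 34240 1 - Live 0xf8c12000' \
        'tpm_atmel 6144 0 - Live 0xf8a3c000' \
        'tpm 11552 1 tpm_atmel, Live 0xf8a36000'
}
sample_sound_first() {
    printf '%s\n' \
        'tpm_atmel 6144 0 - Live 0xf8a3c000' \
        'tpm 11552 1 tpm_atmel, Live 0xf8a36000' \
        'snd_intel8x0 34240 1 - Live 0xf8c12000'
}

sample_tpm_first   | tpm_load_order -
sample_sound_first | tpm_load_order -
```

On a live system, call `tpm_load_order` with no argument to read `/proc/modules` directly.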
The T43 requires a patch posted to the LKML by Kylene Jo Hall: LKML posting. An updated patch for Linux 2.6.12 is available here.
The Atmel driver comes with 2.6.12.
Now supported in 2.6.15.1 (and maybe other kernels under this number) in:
/Device Drivers/Character devices/TPM devices
Versions & Features
Embedded Security Chip
IBM introduced its TCPA/TCG features with some of the T23 models. The earlier of them didn't yet have the Embedded Security Subsystem, but a kind of pre-1.0 version called the Embedded Security Chip. This chip had the following capabilities:
- Data communications authentication and encryption
- Storage of encrypted passwords
Embedded Security Subsystem (1.0)
The original Embedded Security Subsystem (IBM documents do not use the additional version number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.
The Embedded Security Subsystem has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhances VPN security
Embedded Security Subsystem 2.0
The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor.
The Embedded Security Subsystem 2.0 has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhances VPN security
- TCG compliant
Models featuring this Technology
IBM Embedded Security Chip
- ThinkPad T23
IBM Embedded Security Subsystem
IBM Embedded Security Subsystem 2.0
- ThinkPad R32, R40, R50, R50p, R51, R52
- ThinkPad T40, T40p, T41, T41p, T42, T42p, T43, T43p
- ThinkPad X30, X31, X32, X40, X41, X41 Tablet, X60, X60s
- ThinkPad Z60m, Z60t
TCPA/TCG clean models
- all models produced before 2000
- all i Series models
- ThinkPad 240X
- ThinkPad A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22p, A30
- ThinkPad T20, T21
- ThinkPad X20, X21, X22
- ThinkPad TransNote