Difference between revisions of "Embedded Security Subsystem"
(→Embedded Security Subsystem 2.0: let)
(added category)
(33 intermediate revisions by 11 users not shown)
Line 4: | Line 4: | ||
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;"> | <div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;"> | ||
=== The Embedded Security Subsystem === | === The Embedded Security Subsystem === | ||
− | The Embedded Security Subsystem is a chip on the ThinkPad's mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name "Embedded Security Subsystem 2.0". It is an integral part of most of the modern ThinkPads. The functions of the chip | + | The Embedded Security Subsystem is a chip on the ThinkPad's mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name "Embedded Security Subsystem 2.0". It is an integral part of most of the modern ThinkPads. The functions of the chip fall into three main groups: |
* Public key functions | * Public key functions | ||
* Trusted boot functions | * Trusted boot functions | ||
Line 12: | Line 12: | ||
|} | |} | ||
− | {{NOTE| | + | {{NOTE|Current ThinkPads have the TPM chip integrated into the SuperIO chip, or integrated into the chipset. Don't let the picture fool you...}} |
− | |||
− | |||
− | |||
− | |||
==Trusted or Treacherous?== | ==Trusted or Treacherous?== | ||
+ | In addition to benefits (such as in-hardware storage of cryptographic keys) TCG standards have some drawbacks. | ||
− | |||
As ThinkPads of recent generations following the ThinkPad {{T23}} ([[Embedded Security Subsystem#Models featuring this Technology|see the complete list of models]]) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read [[TCPA/TCG - Trusted or Treacherous|this article]] for more details. | As ThinkPads of recent generations following the ThinkPad {{T23}} ([[Embedded Security Subsystem#Models featuring this Technology|see the complete list of models]]) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read [[TCPA/TCG - Trusted or Treacherous|this article]] for more details. | ||
==Linux Support== | ==Linux Support== | ||
− | + | There are three main drivers that support most of the ThinkPads | |
− | + | * tpm_atmel - for those ThinkPads with older Atmel 97SC3201 chips | |
− | + | * tpm_nsc - for the ThinkPad T43/P and R52 | |
− | + | * tpm_tis - for recent ThinkPads with TPM 1.2 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | tpm_nsc | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | / | + | In addition you will need some something like [http://sourceforge.net/projects/trousers TrouSerS], which your distribution may have packaged as '''tpm-tools'''. |
==Versions & Features== | ==Versions & Features== | ||
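Review bot: typo in the added TrouSerS sentence: "some something like" should read "something like". The tpm_nsc bullet also writes "ThinkPad T43/P", while the Versions section below uses "T43/p"; suggest "T43/p" in both places for consistency.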
Line 81: | Line 52: | ||
*TCG compliant | *TCG compliant | ||
− | National Semiconductor | + | ThinkPads with Atmel chips are supported by the tpm_atmel kernel module. The few ThinkPads with National Semiconductor chips (T43/p and R52) are supported by the tpm_nsc kernel module. |
+ | |||
+ | === Trusted Computing Group TPM 1.2 === | ||
+ | Since the *60 series Thinkpads all new models have had TCG TPM 1.2 compliant chips. During the *60 series this was part of an ATMEL chip, in later ThinkPads this is actually part of the Intel chipset itself. | ||
− | + | Regardless if it is part of the Atmel chip or the Intel chipset, these TPM 1.2 devices are supported by the tpm_tis kernel module | |
==Clearing/Reseting the Embedded Security Subsystem== | ==Clearing/Reseting the Embedded Security Subsystem== | ||
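Review bot: the added tpm_tis sentence ends without a period ("...supported by the tpm_tis kernel module") and "Regardless if" should be "Regardless of whether". In the same hunk "Thinkpads" and "ATMEL" do not match the "ThinkPads" / "Atmel" spelling used elsewhere on the page, and the unchanged heading "Clearing/Reseting" is missing a "t" ("Resetting").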
Line 128: | Line 102: | ||
The PCRs start zeroed at TPM reset. As things load (BIOS, bootloader, OS, userspace), they are supposed to verify if the PCRs are at a state they can trust, and if so, to add the checksum of their own code, data, and configuration to the PCRs and load the next stage. Alternatively, they can skip the PCR test and just extend it if they don't care that they are running in an untrusted state. | The PCRs start zeroed at TPM reset. As things load (BIOS, bootloader, OS, userspace), they are supposed to verify if the PCRs are at a state they can trust, and if so, to add the checksum of their own code, data, and configuration to the PCRs and load the next stage. Alternatively, they can skip the PCR test and just extend it if they don't care that they are running in an untrusted state. | ||
− | PCRs | + | PCRs cannot be set to a given value. The TPM only allows one to "extend" a PCR, which is an operation where the result is a SHA-1 hash that depends on the previous value of the PCR and on the data you give the TPM to extend the PCR with. It is non-trivial to get the PCR to a desired value based only on its previous contents and the desired target value. |
It is obviously a total nightmare to update the system in a trusted platform scenario, as the contents of the PCRs starting from the update point will change. A changed PCR immediately makes any data that was sealed based on its old value impossible to access. This is one of the reasons why nobody is doing remote trusted platform assurance, except in very controlled scenarios right now. New versions of the specifications around the trusted platform support specifications (like TPM 1.2) are trying to address this problem. | It is obviously a total nightmare to update the system in a trusted platform scenario, as the contents of the PCRs starting from the update point will change. A changed PCR immediately makes any data that was sealed based on its old value impossible to access. This is one of the reasons why nobody is doing remote trusted platform assurance, except in very controlled scenarios right now. New versions of the specifications around the trusted platform support specifications (like TPM 1.2) are trying to address this problem. | ||
Line 140: | Line 114: | ||
=== ThinkPad BIOS TPM basics === | === ThinkPad BIOS TPM basics === | ||
− | *The BIOS can be used to reset the TPM using physical presence (see above); | + | The TCG TCPA specification also defines PC BIOS behaviour and extensions to deal with the TPM chip and Trusted Platform requirements. The ThinkPad BIOS is compliant to the TCG PC Client specification v1.1 (and, in new ThinkPads, maybe v1.2). |
+ | |||
+ | This means that: | ||
+ | *The BIOS can be used to reset the TPM using physical presence (see above for the reset procedure); | ||
*Physical presence is only available to the BIOS (unless you hack the BIOS or the hardware, obviously); | *Physical presence is only available to the BIOS (unless you hack the BIOS or the hardware, obviously); | ||
*The BIOS can be configured to log or not (which also means calculate PCRs) the checksum of some of the platform data. If you don't want the ESCD or NVRAM contents to interfere in PCR calculations, you need to disable their logging in the BIOS for example; | *The BIOS can be configured to log or not (which also means calculate PCRs) the checksum of some of the platform data. If you don't want the ESCD or NVRAM contents to interfere in PCR calculations, you need to disable their logging in the BIOS for example; | ||
*The BIOS touches PCRs 0 to 7, but leaves PCRs 8 to 15 alone (zeroed); | *The BIOS touches PCRs 0 to 7, but leaves PCRs 8 to 15 alone (zeroed); | ||
− | *You can disable the TPM chip in the BIOS, and not worry about someone using it behind your back. But they will be able to know that there is a TPM in the system, unless you remove all the kernel TPM support, including tpm_bios; | + | *You can disable the TPM chip in the BIOS, and not worry about someone using it behind your back. But they will be able to know that there is a TPM in the system (the chip can still be found, and will report its version, manufacturer, and disabled state), unless you remove all the kernel TPM support, including tpm_bios; |
*The BIOS might use the TPM, so watch out for trouble if you have HDD passwords enabled, etc; | *The BIOS might use the TPM, so watch out for trouble if you have HDD passwords enabled, etc; | ||
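Review bot: "compliant to the TCG PC Client specification" should be "compliant with"; the new parenthetical in the disable-TPM bullet is a useful addition, since it explains why removing tpm_bios matters at all.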
Line 151: | Line 128: | ||
{| width="100%" {{prettytable}} | {| width="100%" {{prettytable}} | ||
| style="background:#ffdead;" width="10%" | '''PCR #''' | | style="background:#ffdead;" width="10%" | '''PCR #''' | ||
− | | style="background:#ffdead;" | '''Description''' | + | | style="background:#ffdead;" | '''Description (TCG PC client spec v1.1)''' |
| style="background:#ffdead;" | '''Notes''' | | style="background:#ffdead;" | '''Notes''' | ||
|- | |- | ||
Line 159: | Line 136: | ||
|- | |- | ||
| 0 | | 0 | ||
− | | | + | | CRTM, BIOS, and platform extensions |
| The BIOS logs many BIOS POST PCR extensions, probably hardware and firmware-related | | The BIOS logs many BIOS POST PCR extensions, probably hardware and firmware-related | ||
|- | |- | ||
| 1 | | 1 | ||
− | | | + | | Platform configuration: |
*BIOS ROM strings (BIOS version and checksum) | *BIOS ROM strings (BIOS version and checksum) | ||
*NVRAM (Asset tag data) | *NVRAM (Asset tag data) | ||
Line 175: | Line 152: | ||
|- | |- | ||
| 2 | | 2 | ||
− | | Option | + | | Option ROM code |
| Can be used to detect the addition/subtraction/upgrade of Option ROMs (extra BIOS code from third parties) | | Can be used to detect the addition/subtraction/upgrade of Option ROMs (extra BIOS code from third parties) | ||
|- | |- | ||
| 3 | | 3 | ||
− | | | + | | Option ROM configuration and data |
| Not modified except for the event separator on my current T43 config | | Not modified except for the event separator on my current T43 config | ||
|- | |- | ||
| 4 | | 4 | ||
− | | | + | | IPL Code (system bootstrap) |
* BIOS password used to authorize booting (if any) | * BIOS password used to authorize booting (if any) | ||
* Boot device used | * Boot device used | ||
− | * MBR/boot sector checksum | + | * MBR/boot sector checksum (LILO, Grub stage 1, etc) |
| | | | ||
* The password hash itself of the BIOS user or supervisor password is used to extend this PCR | * The password hash itself of the BIOS user or supervisor password is used to extend this PCR | ||
Line 194: | Line 171: | ||
|- | |- | ||
| 5 | | 5 | ||
− | | | + | | IPL Code configuration and data |
− | | | + | | This PCR is reserved for the boot loader to extend with its configuration and whatever else it loads |
− | * | + | *trusted-grub extends it with stage 1.5 and stage 2 checksums, grub.conf checksum, and kernel and initrd checksum |
− | *Not modified except for the event separator | + | *Not modified by the BIOS itself, except for the event separator |
|- | |- | ||
| 6 | | 6 | ||
− | | | + | | State transitions and wake events |
− | | Logs a WAKE EVENT 0 hash on power up and simple reset (same event) | + | | Logs a WAKE EVENT 0 hash on power up and simple reset (same event) |
|- | |- | ||
| 7 | | 7 | ||
− | | | + | | Reserved |
− | | Not modified except for the event separator | + | | Not modified except for the event separator. Reserved by the TCG for future use. |
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
| 8-15 | | 8-15 | ||
Line 246: | Line 219: | ||
*ThinkPad {{A30p}} | *ThinkPad {{A30p}} | ||
*ThinkPad {{R31}} | *ThinkPad {{R31}} | ||
− | *ThinkPad {{T23}}, {{T30 | + | *ThinkPad {{T23}}, {{T30}} |
*ThinkPad {{X22}}, {{X23}}, {{X24}} | *ThinkPad {{X22}}, {{X23}}, {{X24}} | ||
===IBM Embedded Security Subsystem 2.0=== | ===IBM Embedded Security Subsystem 2.0=== | ||
− | *ThinkPad {{R32}}, {{R40}}, {{R50}}, {{R50p}} | + | '''unknown chip''' |
− | *ThinkPad {{T40}}, {{T40p}}, {{T41}}, {{T41p}}, {{T42}}, {{T42p | + | *ThinkPad {{R32}}, {{R40}}, {{R50}}, {{R50p}} |
− | *ThinkPad | + | *ThinkPad {{X30}} |
+ | |||
+ | '''Atmel 97SC3201''' | ||
+ | *ThinkPad {{R51}} | ||
+ | *ThinkPad {{T40}}, {{T40p}}, {{T41}}, {{T41p}}, {{T42}}, {{T42p}} | ||
+ | *ThinkPad {{X31}}, {{X32}}, {{X40}}, {{X41}}, {{X41 Tablet}} | ||
*ThinkPad {{Z60m}}, {{Z60t}} | *ThinkPad {{Z60m}}, {{Z60t}} | ||
− | |||
− | == | + | '''[[NS PC8394T]]''' |
− | + | *ThinkPad {{R52}} | |
− | * | + | *ThinkPad {{T43}}, {{T43p}} |
− | *ThinkPad | + | |
− | *ThinkPad | + | ===TCG TPM 1.2=== |
− | *ThinkPad | + | '''Atmel 97SC3203''' |
− | *ThinkPad | + | *ThinkPad {{R60}}, {{R61}}, {{R61i}} |
− | *ThinkPad | + | *ThinkPad {{T60}}, {{T60p}}, {{T61}}, {{T61p}} |
− | + | *ThinkPad {{X60}}, {{X60s}}, {{X60 Tablet}}, {{X61}}, {{X61s}}, {{X61 Tablet}}, {{X300}} | |
+ | *ThinkPad {{Z61m}}, {{Z61t}}, {{Z61p}} | ||
+ | |||
+ | '''Integrated in chipset''' | ||
+ | *ThinkPad {{L412}}, {{L512}} | ||
+ | *ThinkPad {{R400}}, {{R500}} | ||
+ | *ThinkPad {{T400}}, {{T400s}}, {{T410}}, {{T410i}}, {{T410s}}, {{T410si}}, {{T500}}, {{T510}}, {{T510i}} | ||
+ | *ThinkPad {{W500}}, {{W510}}, {{W700}}, {{W700ds}}, {{W701}}, {{W701ds}} | ||
+ | *ThinkPad {{X200}}, {{X200s}}, {{X200 Tablet}}, {{X201}}, {{X201i}}, {{X201s}}, {{X201 Tablet}}, {{X301}} | ||
+ | |||
+ | [[Category:Glossary]] | ||
+ | [[Category:Trusted Computing]] | ||
+ | [[Category:ThinkPad Technologies]] | ||
==External Sources== | ==External Sources== | ||
*[http://www.pc.ibm.com/us/think/thinkvantagetech/security.html IBMs ThinkVantage<sup>TM</sup> Technologies Embedded Security Subsystem page] | *[http://www.pc.ibm.com/us/think/thinkvantagetech/security.html IBMs ThinkVantage<sup>TM</sup> Technologies Embedded Security Subsystem page] | ||
*[http://www.pc.ibm.com/presentations/us/thinkvantage/56/index.html?shortcut=ess& IBMs ThinkVantage<sup>TM</sup> Technologies Flash presentation - Embedded Security Subsystem] | *[http://www.pc.ibm.com/presentations/us/thinkvantage/56/index.html?shortcut=ess& IBMs ThinkVantage<sup>TM</sup> Technologies Flash presentation - Embedded Security Subsystem] | ||
+ | *[https://www.trustedcomputinggroup.org/specs/PCClient/ TCG PC Client specifications] | ||
*[http://www.research.ibm.com/gsal/tcpa/ IBM Research TCPA resources page] | *[http://www.research.ibm.com/gsal/tcpa/ IBM Research TCPA resources page] | ||
− | *[http://www. | + | *[http://sourceforge.net/projects/trustedgrub/ Trusted Grub] |
+ | *[https://www.grounation.org/index.php?post/2008/07/04/8-how-to-use-a-tpm-with-linux User-friendly HOWTO on using TPM under Linux] - Warning: This domain is currenly parked and hosting a linkfarm. (Jul 6, 2016) |
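Review bot: the three [[Category:...]] lines are inserted between the model list and ==External Sources== instead of at the end of the page, where MediaWiki convention puts categories; move them after the last External Sources entry. Also "currenly" in the grounation.org entry should be "currently".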
Latest revision as of 16:03, 22 January 2021
The Embedded Security Subsystem

The Embedded Security Subsystem is a chip on the ThinkPad's mainboard that can take care of certain security-related tasks conforming to the TCPA standard. It was first introduced with some of the T23 models and now goes under the name "Embedded Security Subsystem 2.0". It is an integral part of most modern ThinkPads. The functions of the chip fall into three main groups:
Trusted or Treacherous?
In addition to benefits (such as in-hardware storage of cryptographic keys), TCG standards have some drawbacks.
As ThinkPads of recent generations following the ThinkPad T23 (see the complete list of models) are equipped with this disputed TCG/TCPA technology, it is worth knowing which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG specifications still seem to be a privacy issue for every user of digital devices such as an MP3 player or a ThinkPad; please read this article for more details.
Linux Support
There are three main drivers that support most of the ThinkPads:
- tpm_atmel - for those ThinkPads with older Atmel 97SC3201 chips
- tpm_nsc - for the ThinkPad T43/p and R52
- tpm_tis - for recent ThinkPads with TPM 1.2
In addition you will need something like TrouSerS, which your distribution may have packaged as tpm-tools.
Versions & Features
Embedded Security Chip
IBM introduced its TCPA/TCG features with some of the T23 models. The earliest of them did not yet have the Embedded Security Subsystem, but a kind of pre-1.0 version called the Embedded Security Chip. This chip had the following capabilities:
- Data communications authentication and encryption
- Storage of encrypted passwords
Embedded Security Subsystem (1.0)
The original Embedded Security Subsystem (in IBM documents there is no use of the additive version-number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.
The Embedded Security Subsystem has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhanced VPN security
Embedded Security Subsystem 2.0
The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor, and TCG TPM PC client 1.1 BIOS extensions.
The Embedded Security Subsystem 2.0 has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhanced VPN security
- TCG compliant
ThinkPads with Atmel chips are supported by the tpm_atmel kernel module. The few ThinkPads with National Semiconductor chips (T43/p and R52) are supported by the tpm_nsc kernel module.
Trusted Computing Group TPM 1.2
Since the *60 series ThinkPads, all new models have had TCG TPM 1.2 compliant chips. During the *60 series this was part of an Atmel chip; in later ThinkPads it is actually part of the Intel chipset itself.
Regardless of whether it is part of the Atmel chip or the Intel chipset, these TPM 1.2 devices are supported by the tpm_tis kernel module.
Clearing/Resetting the Embedded Security Subsystem
If there is a need to reset and clear the TPM chip, the IBM BIOS has a "Clear Security Chip" option that will work (as long as you did not issue one of the very few "permanently lock the TPM chip in a certain state for life" commands, so Do Not Do That!).
That option is not readily accessible. To unhide it and reset the TPM chip, you have to:
Method 1
- Power down the ThinkPad;
- Power up the ThinkPad, with the Fn key pressed (or CTRL on a ThinkCentre);
- When the BIOS screen shows up, release the Fn key;
- Press the required key to enter the BIOS configuration;
- Enter BIOS supervisor password if required;
- Go to the security menu, security chip submenu, and clear the TPM chip.
Method 2
- Power down the ThinkPad;
- Power up the ThinkPad;
- Press the ThinkVantage/Access IBM button while the BIOS is still booting;
- Type in the supervisor password if the BIOS asks for it;
- Press ESC a number of times, which will cause the BIOS to switch to maintenance mode and display a number of text screens;
- Power down the ThinkPad as soon as it hits the boot loader of the Operating System (it doesn't matter which O.S.);
- Power on the ThinkPad;
- Enter the BIOS configuration screen (may require supervisor password);
- Go to the security menu, security chip submenu, and clear the TPM chip.
Using the Embedded Security Subsystem
TPM 1.1b basics
The TPM chip is a "secure" broker of data signatures and keys, as well as a slow but very good hardware RNG. It has some registers called PCRs that are used for trusted platform attestation. It can sign data using 2048-bit RSA keys. It is slow. It is not easy to use, either :-)
The current version of the TPM chips found on ThinkPads (TPM 1.1b) isn't secure at all against moderately sophisticated physical attacks, and it is also useless for DRM and other Treacherous Platform corporate ideas.
A Trusted Platform in a context involving a TPM means that the PCRs contain the values they are expected to, because the TPM will allow data that is "sealed" (as opposed to "bound") to it to be accessed ("unsealed") only when the PCRs match the PCRs at sealing time. The interesting magic is, therefore, in the process of updating the contents of the PCRs.
The PCRs start zeroed at TPM reset. As things load (BIOS, bootloader, OS, userspace), they are supposed to verify if the PCRs are at a state they can trust, and if so, to add the checksum of their own code, data, and configuration to the PCRs and load the next stage. Alternatively, they can skip the PCR test and just extend it if they don't care that they are running in an untrusted state.
PCRs cannot be set to a given value. The TPM only allows one to "extend" a PCR, which is an operation where the result is a SHA-1 hash that depends on the previous value of the PCR and on the data you give the TPM to extend the PCR with. It is non-trivial to get the PCR to a desired value based only on its previous contents and the desired target value.
It is obviously a total nightmare to update the system in a trusted platform scenario, as the contents of the PCRs from the update point onwards will change. A changed PCR immediately makes any data that was sealed against its old value impossible to access. This is one of the reasons why nobody is doing remote trusted platform assurance right now, except in very controlled scenarios. Newer versions of the trusted platform specifications (like TPM 1.2) are trying to address this problem.
Trusted Platform assurance with a TPM 1.1b isn't easy to do, but it is possible (and it is not in any way unbreakable, but it is a lot better than nothing for many uses).
The ThinkPad BIOS measures the boot loader and stores the relevant data in PCR registers and the TCPA log, so if one adds a trusted boot loader to the system (like trusted-grub), one can load a trusted operating system and from there trusted userspace applications, etc.
Note that LPC-bus tricks using modchips to trap and modify the data flow to the TPM chip can effectively bust the Trusted Platform assurance completely on any ThinkPads up to the T61/R61/X61. To avoid that, a TPM inside the northbridge is needed. Intel plans to add a TPM 1.2 to their chipsets in 2008, so it is likely that the T62/X62/R62 TPMs won't be as vulnerable to hardware hacks.
ThinkPad BIOS TPM basics
The TCG TCPA specification also defines PC BIOS behaviour and extensions to deal with the TPM chip and Trusted Platform requirements. The ThinkPad BIOS is compliant with the TCG PC Client specification v1.1 (and, in new ThinkPads, maybe v1.2).
This means that:
- The BIOS can be used to reset the TPM using physical presence (see above for the reset procedure);
- Physical presence is only available to the BIOS (unless you hack the BIOS or the hardware, obviously);
- The BIOS can be configured to log (which also means extending PCRs with) the checksum of some of the platform data, or not to. If you don't want the ESCD or NVRAM contents to interfere in PCR calculations, for example, you need to disable their logging in the BIOS;
- The BIOS touches PCRs 0 to 7, but leaves PCRs 8 to 15 alone (zeroed);
- You can disable the TPM chip in the BIOS, and not worry about someone using it behind your back. But they will be able to know that there is a TPM in the system (the chip can still be found, and will report its version, manufacturer, and disabled state), unless you remove all the kernel TPM support, including tpm_bios;
- The BIOS might use the TPM, so watch out for trouble if you have HDD passwords enabled, etc;
PCR registers extended by the BIOS
As observed on a T43 26xx with BIOS 1.29:

PCR # | Description (TCG PC client spec v1.1) | Notes
---|---|---
0 | CRTM, BIOS, and platform extensions | The BIOS logs many BIOS POST PCR extensions, probably hardware and firmware-related
1 | Platform configuration: BIOS ROM strings (BIOS version and checksum); NVRAM (asset tag data) |
2 | Option ROM code | Can be used to detect the addition/subtraction/upgrade of Option ROMs (extra BIOS code from third parties)
3 | Option ROM configuration and data | Not modified except for the event separator on my current T43 config
4 | IPL code (system bootstrap): BIOS password used to authorize booting (if any); boot device used; MBR/boot sector checksum (LILO, Grub stage 1, etc) | The password hash itself of the BIOS user or supervisor password is used to extend this PCR
5 | IPL code configuration and data | This PCR is reserved for the boot loader to extend with its configuration and whatever else it loads; trusted-grub extends it with stage 1.5 and stage 2 checksums, the grub.conf checksum, and the kernel and initrd checksums; not modified by the BIOS itself, except for the event separator
6 | State transitions and wake events | Logs a WAKE EVENT 0 hash on power up and simple reset (same event)
7 | Reserved | Not modified except for the event separator. Reserved by the TCG for future use.
8-15 | User PCRs |
Using the TPM in Windows
Just install the full IBM Security solution, and let it use the TPM. What good it will do to increase the security of your data is unknown.
Using the TPM in Linux
This section is very incomplete, but here are some pointers to get you started:
- Compile a 2.6.23 or later kernel with the driver for the TPM chip in your ThinkPad model enabled;
- You need to enable CONFIG_SECURITY to get securityfs, and CONFIG_KEYS to use eCryptfs TPM support;
- You need to enable tpm_bios to access the TCPA log;
- Make sure to mount the securityfs filesystem on /sys/kernel/security to access tpm_bios data (the TCPA log);
- You should use dm-crypt to have an encrypted swap partition with an ephemeral key;
- The TCPA log can be found in the securityfs directory, and it might help you understand how the BIOS and boot loaders are using the PCRs. The first number for each event in the log is the number of the PCR register that was extended by that event;
- You need an up-to-date version of the TrouSerS software stack to use the TPM for anything other than reading the TCPA log;
- You need an up-to-date eCryptfs userspace (with TPM support compiled in) to use the TPM to store filesystem keys;
- Using the TPM as a PKCS11 token is possible, but I have no idea how safe it is, since that requires a null (well-known) SRK;
- trusted-grub can be used to play with the PCRs before Linux loads, and to checksum the Linux kernel and extend a PCR with that data;
- The PCRs can be read through sysfs, under the /sys/bus/platform/devices/tpm*/pcrs file for the TPM driver for your TPM chip;
- TrouSerS 0.3.1 tpm_getpubek seems not to work too well: it gets the PUBEK attributes wrong from the NSC TPM chip in a T43 (but the key data itself is correct). Compare with /sys/bus/platform/devices/tpm*/pubek to check yours.
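The PCR extend, sealing and update behaviour described under "TPM 1.1b basics", together with the TCPA-log and sysfs pcrs pointers in the list above, as a software model in Python. This is an added example, not code from this page, from TrouSerS or from the kernel tpm driver; the event list and the chip output built from it are constructed sample data, and composite/seal/unseal are a simplified model of TPM_PCR_COMPOSITE, TPM_Seal and TPM_Unseal rather than the real structures.

```python
"""Software model of TPM 1.1b PCR extend, TCPA-log replay and sealing.
Added example, not code from the ThinkWiki page, TrouSerS or the kernel
tpm driver. SAMPLE_LOG and the sysfs text built from it are constructed."""
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

PCR_LEN = 20   # TPM 1.1b PCRs hold one SHA-1 digest (20 bytes)
NUM_PCRS = 16  # TPM 1.1b exposes PCR 0..15

# One TCPA log event: (PCR index, description, raw measured data). The measuring
# agent stores SHA-1(data) in the log and hands that digest to the TPM.
Event = Tuple[int, str, bytes]

# Constructed sample log mirroring the PCR usage in the table above.
SAMPLE_LOG: List[Event] = [
    (0, "BIOS POST", b"constructed BIOS image"),
    (1, "BIOS ROM strings", b"constructed BIOS version string"),
    (4, "boot device", b"HDD0"),
    (4, "MBR/boot sector", b"constructed MBR bytes"),
    (5, "grub.conf", b"constructed grub.conf"),
    (6, "WAKE EVENT 0", b"\x00\x00\x00\x00"),
]

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA-1(old PCR || 20-byte input digest).
    A PCR cannot be written directly; this is the only update path."""
    return hashlib.sha1(pcr + digest).digest()

def replay_log(events: Sequence[Event]) -> Dict[int, bytes]:
    """Recompute every PCR from the zeroed reset state by replaying the log
    in order. Order matters: swapping two events on one PCR changes it."""
    pcrs = {i: bytes(PCR_LEN) for i in range(NUM_PCRS)}
    for index, _desc, data in events:
        pcrs[index] = extend(pcrs[index], hashlib.sha1(data).digest())
    return pcrs

def parse_sysfs_pcrs(text: str) -> Dict[int, bytes]:
    """Parse the Linux tpm driver's 'pcrs' attribute: 'PCR-00: 0A 1B ... '."""
    out: Dict[int, bytes] = {}
    for line in text.splitlines():
        if not line.startswith("PCR-"):
            continue
        label, hexbytes = line.split(":", 1)
        out[int(label[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return out

def format_sysfs_pcrs(pcrs: Dict[int, bytes]) -> str:
    """Render PCRs in the same 'pcrs' format (used to build sample chip output)."""
    return "".join(
        f"PCR-{i:02d}: " + " ".join(f"{b:02X}" for b in pcrs[i]) + " \n"
        for i in sorted(pcrs)
    )

def mismatching_pcrs(events: Sequence[Event], sysfs_text: str) -> List[int]:
    """PCR indices whose replayed value differs from what the chip reports.
    A non-empty result means the log does not explain the chip's state."""
    expected = replay_log(events)
    actual = parse_sysfs_pcrs(sysfs_text)
    return sorted(i for i in expected if actual.get(i) != expected[i])

def composite(pcrs: Dict[int, bytes], selection: Sequence[int]) -> bytes:
    """Simplified PCR composite: SHA-1 over the selected PCRs in index order.
    (The real TPM_PCR_COMPOSITE also covers the selection bitmap; model only.)"""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(selection))).digest()

def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Sequence[int]):
    """Model of TPM_Seal: tie the secret to the composite of the chosen PCRs."""
    return (tuple(sorted(selection)), composite(pcrs, selection), secret)

def unseal(blob, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Model of TPM_Unseal: release the secret only if the PCRs still match."""
    selection, sealed_composite, secret = blob
    return secret if composite(pcrs, selection) == sealed_composite else None

if __name__ == "__main__":
    good = replay_log(SAMPLE_LOG)
    blob = seal(b"constructed disk key", good, [4, 5])
    print(mismatching_pcrs(SAMPLE_LOG, format_sysfs_pcrs(good)))
    # A boot-sector update (new MBR bytes) changes PCR 4 and breaks unsealing.
    updated = list(SAMPLE_LOG)
    updated[3] = (4, "MBR/boot sector", b"new MBR bytes")
    print(mismatching_pcrs(updated, format_sysfs_pcrs(good)))
    print(unseal(blob, replay_log(updated)))
```

On a real ThinkPad the events would come from the TCPA log in securityfs and the chip output from the sysfs pcrs file; the replay and comparison are the same.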
Models featuring this Technology
IBM Embedded Security Chip
- ThinkPad T23
IBM Embedded Security Subsystem
- ThinkPad A30p
- ThinkPad R31
- ThinkPad T23, T30
- ThinkPad X22, X23, X24
IBM Embedded Security Subsystem 2.0
unknown chip
- ThinkPad R32, R40, R50, R50p
- ThinkPad X30
Atmel 97SC3201
- ThinkPad R51
- ThinkPad T40, T40p, T41, T41p, T42, T42p
- ThinkPad X31, X32, X40, X41, X41 Tablet
- ThinkPad Z60m, Z60t
NS PC8394T
- ThinkPad R52
- ThinkPad T43, T43p
TCG TPM 1.2
Atmel 97SC3203
- ThinkPad R60, R61, R61i
- ThinkPad T60, T60p, T61, T61p
- ThinkPad X60, X60s, X60 Tablet, X61, X61s, X61 Tablet, X300
- ThinkPad Z61m, Z61t, Z61p
Integrated in chipset
- ThinkPad L412, L512
- ThinkPad R400, R500
- ThinkPad T400, T400s, T410, T410i, T410s, T410si, T500, T510, T510i
- ThinkPad W500, W510, W700, W700ds, W701, W701ds
- ThinkPad X200, X200s, X200 Tablet, X201, X201i, X201s, X201 Tablet, X301
External Sources
- IBM's ThinkVantage(TM) Technologies Embedded Security Subsystem page: http://www.pc.ibm.com/us/think/thinkvantagetech/security.html
- IBM's ThinkVantage(TM) Technologies Flash presentation - Embedded Security Subsystem: http://www.pc.ibm.com/presentations/us/thinkvantage/56/index.html?shortcut=ess&
- TCG PC Client specifications: https://www.trustedcomputinggroup.org/specs/PCClient/
- IBM Research TCPA resources page: http://www.research.ibm.com/gsal/tcpa/
- Trusted Grub: http://sourceforge.net/projects/trustedgrub/
- User-friendly HOWTO on using TPM under Linux: https://www.grounation.org/index.php?post/2008/07/04/8-how-to-use-a-tpm-with-linux - Warning: this domain is currently parked and hosting a linkfarm. (Jul 6, 2016)