Difference between revisions of "Embedded Security Subsystem"

From ThinkWiki
(How to reset the TPM chip)
(Clearing/Resetting the Embedded Security Subsystem: add another (easier) method to clear the TPM chip)

Revision as of 15:26, 16 January 2008

IBM Embedded Security Subsystem

The Embedded Security Subsystem

The Embedded Security Subsystem is a chip on the ThinkPad's mainboard that takes care of certain security-related tasks conforming to the TCPA standard. It was first introduced with some T23 models and now ships as the "Embedded Security Subsystem 2.0"; it is an integral part of most modern ThinkPads. The functions of the chip fall into three main groups:

  • Public key functions
  • Trusted boot functions
  • Initialization and management functions
The purpose of the Embedded Security Subsystem is to keep the user's sensitive data out of reach of software-based attacks (viruses, attacks over the Internet, etc.). One way the chip achieves this is by storing keys, together with the functions needed to use them, inside itself, so that for example a private key never has to leave the chip and cannot be read by any piece of software. Beyond this, the chip covers more complex functionality; to find out more, see the documents on the IBM Research TCPA resources page.
NOTE!
Some ThinkPads have the TPM chip integrated into the SuperIO chip, or soldered to the planar card/mainboard. Don't let the picture fool you...
ATTENTION!
There is a bug in the security chip software release dated 13/06/2006 (v 7.00.0017.00): after installing it you are left at a security chip login prompt, and pressing Ctrl-Alt-Delete does nothing; the machine just sits there. Do not install that patch.

IBM appears to have since removed that patch from its download pages.

Ring IBM support (in Australia 131426, then options 1, 2) and they will talk you through doing a system restore.

Trusted or Treacherous?

Trusted Computing (TC) will be the biggest change to the information landscape in decades. Besides positive features such as more secure hardware storage for cryptographic keys, an analysis of the proposed TCG standards shows some problematic properties.
Since ThinkPads from the T23 onward (see the complete list of models below) are equipped with this disputed TCG/TCPA technology, it is worth asking which of the TCG's promises are actually delivered inside your ThinkPad, and which parts of the TCG specifications remain a privacy concern for every user of digital devices, whether an MP3 player or a ThinkPad; please read this article for more details.

Linux Support

Two Linux drivers are available: a classical one and a newer one. How much of the chip's functionality the first one covers is not yet known; the second is part of a larger project aiming to provide a usable security framework.

David Stafford (one of the developers of the tpm code at IBM) on March 10, 2005 sent me the most recent version of the tpm-kml code. With his permission, I quote his email:

"I am attaching our latest driver and library. This version is in the process of kernel mailing list review, and will hopefully be accepted into the official kernel. It works much better across various 2.6 kernels. Note that this builds three modules tpm, tpm_atmel, and tpm_nsc. You modprobe the tpm_atmel (for all current shipping atmel based systems), or tpm_nsc (for the coming national based systems).

Also note that there is a conflict with the snd-intel8x0 kernel module (they each try to grab the LPC bus). You can either: load the tpm modules first (such as in initrd or rc.sysinit, before sound), or recompile the snd-intel8x0, turning off the MIDI and JOYSTICK support. The latest 2.6.11 version of snd-intel8x0 also reportedly fixes things."

Compiling this library was easy. Compiling the driver on my 2.6.8-686 (debian testing) laptop failed. But the library works with the driver I compiled from the tpm-2.0 package IBM made available on its pages (see the links below).

Gijs

The T43 requires a patch posted to the LKML by Kylene Jo Hall: LKML posting. An updated patch for linux 2.6.12 is available here.

The atmel driver comes with 2.6.12.


The driver is now in the mainline kernel as of 2.6.15.1 (and possibly other kernels around that version), under the kernel configuration menu:

Device Drivers -> Character devices -> TPM devices
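To make the "trusted boot" function group listed at the top of this page concrete, and to show what the in-kernel driver's sysfs interface gives you to work with, here is an added example in Python. It is not code from ThinkWiki, IBM or the Linux tpm driver. It models the TPM 1.1b PCR extend operation (SHA-1, as that spec requires) and parses the `PCR-NN: XX XX ...` text the 2.6-era driver writes to `/sys/class/misc/tpm0/device/pcrs`. The sample sysfs content, the component names and the `verify_boot` helper are constructed for illustration; only the sysfs path and the extend formula come from the driver and the spec.

```python
import hashlib

# Added example (not from ThinkWiki, IBM or the kernel tpm driver): a model of
# the TPM 1.1b PCR extend operation plus a parser for the Linux tpm driver's
# sysfs "pcrs" attribute.

PCR_LEN = 20  # TPM 1.1b PCRs hold a SHA-1 digest and reset to all zeros at power-on


def measure(component: bytes) -> bytes:
    """SHA-1 of a boot component (BIOS image, option ROM, boot loader ...),
    as the measuring firmware computes it before handing control over."""
    return hashlib.sha1(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement).  A PCR can only be extended,
    never written, so its final value commits to the whole ordered chain."""
    if len(pcr) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def boot_pcr(components) -> bytes:
    """Replay a measured boot: start at the reset value, extend once per component."""
    pcr = bytes(PCR_LEN)
    for component in components:
        pcr = pcr_extend(pcr, measure(component))
    return pcr


def parse_pcrs(text: str) -> dict:
    """Parse 'PCR-NN: XX XX ... XX' lines in the format the Linux tpm driver
    uses for /sys/class/misc/tpm0/device/pcrs.  Returns {index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PCR-"):
            continue
        label, hexpart = line.split(":", 1)
        index = int(label[len("PCR-"):])
        value = bytes.fromhex(hexpart.replace(" ", ""))
        if len(value) != PCR_LEN:
            raise ValueError(f"{label} is not a 20-byte SHA-1 digest")
        pcrs[index] = value
    return pcrs


def verify_boot(pcrs: dict, index: int, expected_components) -> bool:
    """True if PCR[index] equals what a boot of exactly these components, in
    this order, would produce.  Any change, reorder or omission fails."""
    return pcrs.get(index) == boot_pcr(expected_components)


# Constructed sample in the driver's format (not read from a real ThinkPad):
# PCR-00 never extended, PCR-01 holding an arbitrary value.
SAMPLE_PCRS = """\
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 1E 4A 9B 7C 3D 5F 60 72 8C 91 A4 B5 C6 D7 E8 F9 0A 1B 2C 3D
"""

if __name__ == "__main__":
    pcrs = parse_pcrs(SAMPLE_PCRS)
    chain = [b"BIOS image", b"option ROM", b"boot loader"]  # hypothetical components
    print("PCR-00 untouched:", verify_boot(pcrs, 0, []))
    print("replayed chain:        ", boot_pcr(chain).hex())
    print("same parts, other order:", boot_pcr(chain[::-1]).hex())
    # On a ThinkPad with the tpm module loaded, read the real file instead:
    # verify_boot(parse_pcrs(open("/sys/class/misc/tpm0/device/pcrs").read()), 4, chain)
```

The point of the replay is that a PCR value is useless on its own: it only means something when you can reproduce the chain of measurements that should have produced it, and the order of those measurements matters as much as their content.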

Versions & Features

Embedded Security Chip

IBM introduced its TCPA/TCG features with some of the T23 models. The earlier ones did not yet have the Embedded Security Subsystem, but a kind of pre-1.0 version called the Embedded Security Chip. This chip had the following capabilities:

  • Data communications authentication and encryption
  • Storage of encrypted passwords

Embedded Security Subsystem (1.0)

The original Embedded Security Subsystem (IBM documents do not use the version number 1.0; it is added here to distinguish it from 2.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.

The Embedded Security Subsystem has the following features:

  • hardware key storage
  • multi-factor authentication
  • local file encryption
  • enhanced VPN security

Embedded Security Subsystem 2.0

The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor.

The Embedded Security Subsystem 2.0 has the following features:

  • hardware key storage
  • multi-factor authentication
  • local file encryption
  • enhanced VPN security
  • TCG compliant

Clearing/Resetting the Embedded Security Subsystem

ATTENTION!
Be sure that there are no active HDD passwords, and that you have uninstalled any IBM/Lenovo security software that wants information stored in or encrypted with the help of the TPM chip, before you clear the chip. Clearing destroys the chip's owner authorization and its storage root key, so every key wrapped under that root and any data encrypted or sealed with it is unrecoverable afterwards.

If there is a need to reset and clear the TPM chip, the IBM BIOS has a "Clear Security Chip" option that will work, as long as you did not issue one of the very few commands that permanently lock the TPM chip in a given state for life (so Do Not Do That!).

That option is not readily accessible. To unhide it and reset the TPM chip, you have to:

Method 1

  1. Power down the ThinkPad;
  2. Power up the ThinkPad, with the Fn key pressed (or CTRL in a ThinkCenter);
  3. When the BIOS screen shows up, release the Fn key;
  4. Press the required key to enter the BIOS configuration;
  5. Enter BIOS supervisor password if required;
  6. Go to the security menu, security chip submenu, and clear the TPM chip.

Method 2

  1. Power down the ThinkPad;
  2. Power up the ThinkPad;
  3. Press the ThinkVantage/Access IBM button while the BIOS is still booting;
  4. Type in the supervisor password if the BIOS asks for it;
  5. Press ESC a number of times, which will cause the BIOS to switch to maintenance mode and display a number of text screens;
  6. Power down the ThinkPad as soon as it hits the boot loader of the Operating System (it doesn't matter which O.S.);
  7. Power on the ThinkPad;
  8. Enter the BIOS configuration screen (may require supervisor password);
  9. Go to the security menu, security chip submenu, and clear the TPM chip.
NOTE!
Resetting or warm-booting the ThinkPad does not work for this procedure. Turn it off for real: cold boots are needed for the procedure to work.
Hint:
A password-locked HDD can be made usable again with a low-level utility capable of issuing the ATA SECURE-ERASE command to it (on Linux, hdparm's --security-erase does this; the command takes the drive's user or master ATA password). You will lose all data, but at least the HDD will be usable again, as the erase also unlocks the drive. If you clear the TPM chip while there is an active HDD password despite all the warnings above, you may find yourself in need of this hint, so here it is.

Models featuring this Technology

IBM Embedded Security Chip

IBM Embedded Security Subsystem

IBM Embedded Security Subsystem 2.0

TCPA/TCG clean models

External Sources