Embedded Security Subsystem
The Embedded Security SubsystemThe Embedded Security Subsystem is a chip on the ThinkPad's mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name "Embedded Security Subsystem 2.0". It is an integral part of most of the modern ThinkPads. The functions of the chip are fall into three main groups:
|
Actually, they appear to have removed that patch.
Trusted or Treacherous?
TC - Trusted Computing - will be the biggest change of the information landscape since decades. Besides positive features like a more secure hardware storage for cryptographic keys, an analysis of the proposed TCG-standards shows some problematic properties.
As ThinkPads of recent generations following the ThinkPad T23 (see the complete list of models) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read this article for more details.
Linux Support
Two linux drivers are available, a classical one and a newer one. Coverage of functionality of the first is unknown so far, the second is part of a bigger project aiming to provide a usable security framework.
David Stafford (one of the developers of the tpm code at IBM) on March 10, 2005 sent me the most recent version of the tpm-kml code. With his permission, I quote his email:
"I am attaching our latest driver and library. This version is in the process of kernel mailing list review, and will hopefully be accepted into the official kernel. It works much better across various 2.6 kernels. Note that this builds three modules tpm, tpm_atmel, and tpm_nsc. You modprobe the tpm_atmel (for all current shipping atmel based systems), or tpm_nsc (for the coming national based systems).
Also note that there is a conflict with the snd-intel8x0 kernel module (they each try to grab the LPC bus). You can either: load the tpm modules first (such as in initrd or rc.sysinit, before sound), or recompile the snd-intel8x0, turning off the MIDI and JOYSTICK support. The latest 2.6.11 version of snd-intel8x0 also reportedly fixes things."
Compiling this library was easy. Compiling the driver on my 2.6.8-686 (debian testing) laptop failed. But the library works with the driver I compiled from the tpm-2.0 package IBM made available on its pages (see the links below).
Gijs
The T43 requires a patch posted to the LKML by Kylene Jo Hall: LKML posting. An updated patch for linux 2.6.12 is available here.
The atmel driver comes with 2.6.12.
Now suported in 2.6.15.1 (and maybe others kernels under this number) in:
/device drivers/caracter devices/tpm devices
Versions & Features
Embedded Security Chip
IBM introduced it's TCPA/TCG features with some of the T23 models. The earlier of them didn't yet have the Embedded Security Subsystem, but a kind of pre 1.0 version called the Embedded Security Chip. This chip had the following capabilities:
- Data communications authentication and encryption
- Storage of encrypted passwords
Embedded Security Subsystem (1.0)
The original Embedded Security Subsystem (in IBM documents there is no use of the additive version-number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.
The Embedded Security Subsystem has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhances VPN security
Embedded Security Subsystem 2.0
The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor, and TCG TPM PC client 1.1 BIOS extensions.
The Embedded Security Subsystem 2.0 has the following features:
- hardware key storage
- multi-factor authentication
- local file encryption
- enhances VPN security
- TCG compliant
National Semiconductor TPMs are likely part of the Winbond SuperIO chip (e.g. in a T43).
Clearing/Reseting the Embedded Security Subsystem
If there is a need to reset and clear the TPM chip, the IBM BIOS has a "Clear Security Chip" option that will work (as long as you did not issue one of the very few "permanently lock the TPM chip in a certain state for life" commands, so Do Not Do That!).
That option is not readily accessible. To unhide it and reset the TPM chip, you have to:
Method 1
- Power down the ThinkPad;
- Power up the ThinkPad, with the Fn key pressed (or CTRL in a ThinkCenter);
- When the BIOS screen shows up, release the Fn key;
- Press the required key to enter the BIOS configuration;
- Enter BIOS supervisor password if required;
- Go to the security menu, security chip submenu, and clear the TPM chip.
Method 2
- Power down the ThinkPad;
- Power up the ThinkPad;
- Press the ThinkVantage/Access IBM button while the BIOS is still booting;
- Type in the supervisor password if the BIOS asks for it;
- Press ESC a number of times, which will cause the BIOS to switch to maintenance mode and display a number of text screens;
- Power down the ThinkPad as soon as it hits the boot loader of the Operating System (it doesn't matter which O.S.);
- Power on the ThinkPad;
- Enter the BIOS configuration screen (may require supervisor password);
- Go to the security menu, security chip submenu, and clear the TPM chip.
Using the Embedded Security Subsystem
TPM 1.1b basics
The TPM chip is a "secure" brokerer of data signatures and keys, as well as a slow but very good hardware RNG. It has some registers called PCRs that are used for trusted platform attestation. It can sign data using 2048-bit RSA keys. It is slow. It is not easy to use, either :-)
The current version of the TPM chips found on ThinkPads (TPM 1.1b) isn't secure at all against moderately sophisticated physical attacks, and it is also useless for DRM and other Treacherous Platform corporate ideas.
A Trusted Platform in a context involving a TPM means that the PCRs contains values that they are expected to, because the TPM will allow data that is "sealed" (as opposed to "bound") to it to be accessed ("unsealed") only when the PCRs match the PCRs at sealing time. The interesting magic is, therefore, in the process of updating the contents of the PCRs.
The PCRs start zeroed at TPM reset. As things load (BIOS, bootloader, OS, userspace), they are supposed to verify if the PCRs are at a state they can trust, and if so, to add the checksum of their own code, data, and configuration to the PCRs and load the next stage. Alternatively, they can skip the PCR test and just extend it if they don't care that they are running in an untrusted state.
PCRs cannot be set to a given value. The TPM only allows one to "extend" a PCR, which is an operation where the result is a SHA-1 hash that depends on the previous value of the PCR and on the data you give the TPM to extend the PCR with. It is non-trivial to get the PCR to a desired value based only on its previous contents and the desired target value.
It is obviously a total nightmare to update the system in a trusted platform scenario, as the contents of the PCRs starting from the update point will change. A changed PCR immediately makes any data that was sealed based on its old value impossible to access. This is one of the reasons why nobody is doing remote trusted platform assurance, except in very controlled scenarios right now. New versions of the specifications around the trusted platform support specifications (like TPM 1.2) are trying to address this problem.
Trusted Platform assurance with a TPM 1.1b isn't easy to do, but it is possible (and it is not in any way unbreakable!, but it is a lot better than nothing for many uses).
The ThinkPad BIOS measures the boot loader and stores the relevant data on PCR registers and the TPCA log, so if one adds a trusted boot loader to the system (like trusted-grub), one can load a trusted operating system and from there, trusted userspace applications, etc.
Note that LPC-bus tricks using modchips to trap and modify the data flow to the TPM chip can effectively bust the Trusted Platform assurance completely on any ThinkPads up to the T61/R61/X61. To avoid that, a TPM inside the northbridge is needed. Intel plans to add a TPM 1.2 to their chipsets in 2008, so it is likely that the T62/X62/R62 TPMs won't be as vulnerable to hardware hacks.
ThinkPad BIOS TPM basics
The TCG TCPA specification also defines PC BIOS behaviour and extensions to deal with the TPM chip and Trusted Platform requirements. The ThinkPad BIOS is compliant to the TCG PC Client specification v1.1 (and, in new ThinkPads, maybe v1.2).
This means that:
- The BIOS can be used to reset the TPM using physical presence (see above for the reset procedure);
- Physical presence is only available to the BIOS (unless you hack the BIOS or the hardware, obviously);
- The BIOS can be configured to log or not (which also means calculate PCRs) the checksum of some of the platform data. If you don't want the ESCD or NVRAM contents to interfere in PCR calculations, you need to disable their logging in the BIOS for example;
- The BIOS touches PCRs 0 to 7, but leaves PCRs 8 to 15 alone (zeroed);
- You can disable the TPM chip in the BIOS, and not worry about someone using it behind your back. But they will be able to know that there is a TPM in the system (the chip can still be found, and will report its version, manufacturer, and disabled state), unless you remove all the kernel TPM support, including tpm_bios;
- The BIOS might use the TPM, so watch out for trouble if you have HDD passwords enabled, etc;
PCR registers extended by the BIOS
PCR # | Description (TCG PC client spec v1.1) | Notes |
T43 26xx BIOS 1.29 | ||
---|---|---|
0 | CRTM, BIOS, and platform extensions | The BIOS logs many BIOS POST PCR extensions, probably hardware and firmware-related |
1 | Platform configuration:
|
|
2 | Option ROM code | Can be used to detect the addition/subtraction/upgrade of Option ROMs (extra BIOS code from third parties) |
3 | Option ROM configuration and data | Not modified except for the event separator on my current T43 config |
4 | IPL Code (system bootstrap)
|
|
5 | IPL Code configuration and data | This PCR is reserved for the boot loader to extend with its configuration and whatever else it loads
|
6 | State transitions and wake events | Logs a WAKE EVENT 0 hash on power up and simple reset (same event) |
7 | Reserved | Not modified except for the event separator. Reserved by the TCG for future use. |
8-15 | User PCRs |
|
Using the TPM in Windows
Just install the full IBM Security solution, and let it use the TPM. What good it will do to increase the security of your data is unknown.
Using the TPM in Linux
This section is very incomplete, but here are some pointers to get you started:
- Compile a 2.6.23 or later kernel with the driver for the tpm chip in your ThinkPad model enabled;
- You need to enable CONFIG_SECURITY to get securityfs, and CONFIG_KEYS to use eCryptfs TPM support;
- You need to enable tpm_bios to access the TCPA log;
- Make sure to mount the securityfs filesystem on /sys/kernel/security to access tpm_bios data (the TCPA log);
- You should use dm-crypt to have an encrypted swap partition with an ephemeral key;
- The TCPA log can be found in the securityfs directory, and it might help you understand how the BIOS and boot loaders are using the PCRs. The first number for each event in the log is the number PCR register that was extended by that event;
- You need an up-to-date version of the TrouSerS software stack to use the TPM for anything other than reading the TPCA log;
- You need an up-to-date eCryptfs userspace (with TPM support compiled in) to use the TPM to store filesystem keys;
- Using the TPM as a PKCS11 token is possible, but I have no idea how safe it is, since that requires a null (well-known) SRK;
- trusted-grub can be used to play with the PCRs before Linux loads, and to checksum the Linux kernel and extend a PCR with that data;
- The PCRs can be read through sysfs, under the /sys/bus/platform/devices/tpm*/pcrs file for the TPM driver for your TPM chip;
- TrouSerS 0.3.1 tpm_getpubek seems not to work too well, it gets the PUBEK attributes wrong from the NSC TPM chip in a T43 (but the key data itself is correct). Compare to sys/bus/platform/devices/tpm*/pubek to check yours.
Models featuring this Technology
IBM Embedded Security Chip
- ThinkPad T23
IBM Embedded Security Subsystem
IBM Embedded Security Subsystem 2.0
- ThinkPad R32, R40, R50, R50p, R51, R51e, R52, R60, R61
- ThinkPad T40, T40p, T41, T41p, T42, T42p, T43, T43p, T60, T60p, T61, T61p
- ThinkPad X30, X31, X32, X40, X41, X41 Tablet, X60, X60s, X61s, X61 Tablet
- ThinkPad Z60m, Z60t
TCPA/TCG clean models
- all models produced before 2000
- all i Series models
- ThinkPad 240X
- ThinkPad A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22p, A30
- ThinkPad R50e
- ThinkPad T20, T21, T22
- ThinkPad X20, X21, X22
- ThinkPad TransNote