Embedded Security Subsystem

The Embedded Security Subsystem The Embedded Security Subsystem is nothing but a chip installed on the Thinkpads mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name Embedded Security Subsystem 2.0 an integral part of most of the modern Thinkpads. The functions of the chip are bound to three main groups: public key functions trusted boot functions initialization and management functions The purpose of the whole thing is to keep the users sensitive data out of range from software based attacks (like viruses, internet attacks etc.). One way the chip offers to achieve this is by providing storage for keys along with the neccessary functions to handle them within itself, so that a i.e. a private key never has to leave the chip (can't be seen by any piece of software). Besides this there are more complex topics covered by the functionality of the chip. If you want to find out more about it you can find good documents on the IBM Research TCPA resources page.

Trusted or Treacherous?

TC - Trusted Computing - will be the biggest change of the information landscape since decades. Besides positive features like a more secure hardware storage for cryptographic keys, an analysis of the proposed TCG-standards shows some problematic properties.
As Thinkpads of recent generations following the Thinkpad T23 (see the complete list of models) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read this article for more details.

==Lide

Versions & Features

Embedded Security Chip

IBM introduced it's TCPA/TCG features with some of the T23 models. The earlier of them didn't yet have the Embedded Security Subsystem, but a kind of pre 1.0 version called the Embedded Security Chip. This chip had the following capabilities:

• Data communications authentication and encryption
• Storage of encrypted passwords

Embedded Security Subsystem (1.0)

The original Embedded Security Subsystem (in IBM documents there is no use of the additive version-number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.

The Embedded Security Subsystem has the following features:

• hardware key storage
• multi-factor authentication
• local file encryption
• enhances VPN security

Embedded Security Subsystem 2.0

The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor.

The Embedded Security Subsystem 2.0 has the following features:

• hardware key storage
• multi-factor authentication
• local file encryption
• enhances VPN security
• TCG compliant

Models featuring this Technology

IBM Embedded Security Chip

• ThinkPad T23

IBM Embedded Security Subsystem

• ThinkPad A30p
• ThinkPad R31
• ThinkPad T23, T30
• ThinkPad X22, X23, X24

IBM Embedded Security Subsystem 2.0

• ThinkPad R32, R40, R50, R50p, R51, R52
• ThinkPad T40, T40p, T41, T41p, T42, T42p, T43, T43p
• ThinkPad X30, X31, X32, X40, X41, X41 Tablet
• ThinkPad Z60m, Z60t

TCPA/TCG clean models

• all models produced before 2000
• all i Series models
• ThinkPad 240X
• ThinkPad A20m, A20p, A21e, A21m, A21p, A22e, A22m, A22p, A30
• ThinkPad T20, T21
• ThinkPad X20, X21, X22
• ThinkPad TransNote

External Sources

• IBMs ThinkVantage^TM Technologies Embedded Security Subsystem page
• IBMs ThinkVantage^TM Technologies Flash presentation - Embedded Security Subsystem
• IBM Research TCPA resources page
• Trusted Grub