On Wed, 2011-06-29 at 13:48 +0200, Björn Persson wrote: > Miloslav Trmač wrote: > > First, the TPM (nor the CPU) really can't tell the difference between > > the owner of the computer and an author of a virus. > > A jumper on the motherboard, or some other kind of physical circuit breaker, > can do that. It would have been possible to design the TPM to accept a new > master key only when a certain circuit is closed. It would have been possible, but remember the purpose and history of Trusted Computing (of which this is a fundamental part) before it hit the commercial scene. Originally this was conceived as a way for government workers of various types to be able to use secure computing systems even *after* an unattended period. The whole concept is based on finding a way to circumvent the first law of information security: "If the attacker has physical access you don't have security." If a circumvention jumper were designed into the system this would defeat the purpose. Today we are having this discussion in the commercial and private space only because it is a technology the government already understands and would therefore feel confident in designing anti-circumvention legislation around to suit the needs of the pro-DRM folks. It has the added benefit that a red herring "security for everyone" argument can be made to support the concept of including DRM enablers into all digital devices in the commercial space. Of course, the TPM piece being an Intel-only standard and the software behind it being a black-box set of processes undercuts the non-DRM commercial hype at the root. This being naturally of benefit to Intel far more than it is of benefit to anyone interested in actually knowing what their system is up to (one phrase for that is "information security") is easy to overlook. The idea that government interest is still driving this is a bit shallow -- there are already functionally identical systems which have been fielded (and the customer in this case, who really is concerned with complete security, does not have the handicap of being made to trust any black-box processes at any level, anywhere) and I've already attempted to place this discussion in perspective elsewhere. In short, this is a step toward DRM of a sort nobody can quite fathom yet. Ultimately it will prove to be scary to the point that I seriously feel it will be dropped in the commercial space and media providers (and Microsoft) will simply have to evolve or get eaten by whoever else does first. -Iwao -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
