In association with heise online

Linux and TPM

The most recent GNU General Public License (GPLv3) specifically states that GPLv3 licensed software is forbidden from running on platforms which require a private signing key, unless the key is freely available to the computer owner; this specifically excludes hardware that uses a TPM. This has been suggested as one of the reasons why, at present, the Linux kernel is sticking with GPLv2.

The Linux kernel added support for Intel's TPM hardware in version 2.6.12 (Microsoft provide TPM support in Windows Vista and in Windows Server 2008) and libraries are available for constructing TPM tools: the TrouSerS library is available as an Ubuntu package (TrouSerS is an implementation of the Trusted Computing Group's Software Stack). Notable among Linux distributions, Novell have added TPM support and management tools to SUSE Linux Enterprise Server, their commercial Linux offering.

Since its proposal there have been a number of versions of TPM as implemented by different chip manufacturers including Atmel, STM, Infineon, Intel; not all of them have been compatible. By versions 1.2 and later manufacturers seem to have reached a consensus.

You can check a Linux machine for its level of TPM support with the following command line –

ls -la /lib/modules/$(uname -r)/kernel/drivers/char/tpm

Under the aegis of the European Commission, a number of industry and academic organisations including AMD, HP, IBM, SUSE, The University of Cambridge, the Technische Universitat Dresden and others have formed the OpenTC Consortium. The consortium is dedicated to the development of trusted and secure computing systems based on open source software. The goal of OpenTC is to protect against system-related threats, errors and malfunctions.

Xen, the open source virtualisation project, started work on incorporating TPM support into Xen as long ago as 2005 and the current version Xen 3.3.1 has support for TPM hardware. The project website describes Xen as follows "With Xen virtualisation, a thin software layer known as the Xen hypervisor is inserted between the server's hardware and the operating system. This provides an abstraction layer that allows each physical server to run one or more 'virtual servers', effectively decoupling the operating system and its applications from the underlying physical server."

One of the problems with virtualisation is the difficulty in verifying the security of multiple virtual machines and of guest operating systems. XEN support of TPM makes it possible to validate that the hypervisor and guest operating systems have not been tampered with.

There is a version of the GRUB boot loader called TrustedGRUB which has been modified to detect and support TPM. This allows the TPM to be used to validate, at boot-up, that operating systems have not been tampered with. GRUB is commonly used as the boot loader for Linux systems.

TPM represents a bit of a conundrum; both security and open source are desirable requirements and while TPM provides a high level of security by generating private keys, those keys are known to no-one, including the owner of the PC that is fitted with the TPM. Given that unknown keys provide the highest level of security, this is actually desirable even though it seems to break the rules of strict open source. What really upsets the open source hard core is the ability to inject manufacturers' back door keys into the TPM ROM.

See also:

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit