Comments on: TPM hardware attacks

By: Nate Lawson

Nate Lawson — Sat, 19 Jan 2008 19:51:16 +0000

Henrique, right, that's the direction they're going per EagleLake (discussed in this thread). I disagree with your assessment of how hard it is to modify an integrated design, though. There have been some big advances in hobbyist silicon-level hacking, mostly by these guys. Since there is no deployed system for revoking TPM keys, opening just one chip suffices to enable attacks against the class.

By: Henrique

Henrique — Fri, 18 Jan 2008 01:27:30 +0000

Actually, it just means the TPM has to go inside the South or North bridge. Or inside the SoC for embedded designs. These are not yet available, AFAIK, but there is no real reason why they couldn’t be made. SuperIO chips with the TPM embedded inside are already common (my ThinkPad has one, for example) — too bad that doesn’t disable the reset attack, since it is non-fatal to the platform to reset the SuperIO.

Once you get the TPM inside the core chipset, getting access to the TPM hardware to mess with it without blowing it up all to hell becomes a lot more difficult…

By: Nate Lawson

Nate Lawson — Wed, 18 Jul 2007 20:58:41 +0000

Dries, does it actually say “should”? Because everyone knows when it comes to security, “should” means no one implements it. However, with functionality/features, “should” means the same as “mandatory”. :-)

In any case, it would require a pretty big change in chipsets to cause a LPC reset to reset the whole platform. At the moment, LPC reset is an output pin on all chipsets I know of, since the southbridge is mainly the one that drives this pin. If this was changed, then the attack would simply become cutting the trace before grounding the LPC reset pin, not a huge increase in difficulty.

By: Dries Schellekens

Dries Schellekens — Wed, 18 Jul 2007 08:48:29 +0000

The TPM reset has been known from the start by TCG. That is why the TCG specification says something like “resetting a TPM should reset the complete platform”.