[linux-elitists] defanging TCPA?

Seth David Schoen schoen@loyalty.org
Fri Feb 7 20:42:09 PST 2003


Martin Pool writes:

> On  7 Feb 2003, Seth David Schoen <schoen@loyalty.org> wrote:
> 
> > I don't think Felten's observation eliminates the possibility of
> > making devices which do _both_.
> > 
> > See "One way to think about trusted computing" at
> > 
> > http://vitanuova.loyalty.org/2002-11-06.html
> 
> That's a really good article, but I don't think it rebuts Felten's
> statement.

That's right.  I don't disagree with what he said; I just object to
some superstitions which seem to have accreted around it.

> To continue with your gedankendesign, it seems like it would be
> necessary for the media player to have its own sound and video output:
> if they were sent back to the computer they might be recorded.  And
> the designers would be very leery of any firmware upgrade mechanism
> for the player, in case it was used to subvert it.  The situation is
> similar to a computer-controlled VCR or laserdisc player.

That's right.  In fact, the Palladium design does have its own video
output (effectively) -- a sort of ability to superimpose windows on
top of the plain old PC framebuffer contents.

> This kind of thing, perhaps literally with a firewire attachment,
> seems to me to be far more technically viable than DRM done in a
> general-purpose PC.  I don't know if the content available this way
> would be sufficiently attractive to encourage people to buy the extra
> hardware.
> 
> I think Felten's statement still holds because you have a system of
> two communicating devices, rather than a single device.  If you try to
> remove the firewalls between them then you get into the difficult
> middle ground.   
> 
> Felten's rule points out why this is such a good design: we leave a
> gap in the middle where the difficult part is.

Right.

> >  you can build a Turing machine and put it in a box with some other
> >  kind of machine, and it's still a Turing machine.
> 
> Yes, but if the other machine is not under the control of the first
> part, then it is not really in any sense part of a Turing machine,
> aside from a shallow physical one.

Right.

For certain security applications and certain DRM applications, it
might be very useful to have a non-Turing machine device connected to
a Turing machine.  In fact, you connect an external device to a Turing
machine every time you use any peripheral.  (I'm pretending that a
computer's actually a Turing machine.)

Functionally, the current crop of trusted computing designs is close
to this, even though the physical implementation is more tightly
integrated than you might expect.  (Both programs subject to user
control and programs not subject to user control run on the same CPU
and in the same memory, which suggests that trivial physical attacks
are possible, which is immediately confirmed by all the systems'
designers.)

_If_ the physical isolation were improved, you would see more
resistance to physical attacks.

-- 
Seth David Schoen <schoen@loyalty.org> | Reading is a right, not a feature!
     http://www.loyalty.org/~schoen/   |                 -- Kathryn Myronuk
     http://vitanuova.loyalty.org/     |



More information about the linux-elitists mailing list