Taking Ownership of the Trusted Platform Module Chip on Intel Macs
by Jonathan Austin - Thursday, 27 June 2007.
I have been following the works of Trusted Computing Group (TCG) since their inception. The body, successor to the Trusted Computing Platform Alliance started by such giants as Hewlett-Packard, IBM, Intel and Microsoft, has a goal to develop vendor-neutral standard specifications for trusted computing. TCG is quite present on all the major information security conferences around the globe, so I had an opportunity to attend to some of their lectures and check out the actual trusted platforms (hardware devices with TPM chips) in test environments.

What is a TPM chip

The TPM is a microcontroller that stores keys, passwords and digital certificates. It's typically affixed to the motherboard of a PC. The nature of this silicon ensures that the information stored there is made more secure from external software attack and physical theft. Security processes, such as digital signature and key exchange, are protected through the secure TCG subsystem.

Access to data and secrets in a platform could be denied if the boot sequence is not as expected. Critical applications and capabilities such as secure email, secure web access and local protection of data are thereby made much more secure. TPM capabilities also can be integrated into other components in a system.

Apple and TPM

If you bought your Mac between May and October of 2006, you most probably have a TPM chip. The chip in question was Infineon TPM, module SLB 9635 TT 1. It looks like Apple had plans to use the trusted platform possibilities, but while the chip was present, Apple did not use it at all. Therefore, computers released after October 2006 do not contain an onboard Infineon TPM. As Trusted Computing Group is seeing an upscale adoption rate of their technology, TPM will most probably be back inside Apple hardware in the future.

Benefits for the users

Amit Singh, author of the "Mac OS X Internals: A Systems Approach" wrote a whole chapter about trusted computing for Mac OS X. Besides this, he released Mac driver and daemon that will be used later in this article.

While the TPM chip is not used by any of the Apple software products, that doesn't mean that developers cannot use it for the specific purposes of their applications. While it is not the best idea to target just the computers that have TPM chips, this "perfect" customizations can be used in some organizations for instance running just the TPM-enabled Macs. Singh notes that developers could use the TPM from within their own applicatons to:
  • Create private/public key pairs such that the private key never leaves the TPM in clear form and because of it the private key cannot be stolen.
  • Sign data without the private key ever leaving the chip
  • Encrypt data such that it can only be decrypted on the physical machine it was encrypted on
  • In protocols such as SSL that use key exchange, employ the TPM for a much better guarantee regarding the identities involved.
Testing the existence of TPM chip

For the purpose of testing your computer for existence of the TPM chip we will need to use a command line utility ioreg which displays the I/O Kit registry. Starting the utility without any particular switches, we can just filter the output while grepping for TPM. The result shows that TPM is present on my MacBook notebook:

Tools of the trade

For the purpose of mangling with the TPM chip, we need to use the following:

TPM Setup

Mac application released in mid June 2007 that can be used to setup and take ownership of your TPM. The software package is provided by the fine folks at Comet Way, which recently noted their plans to release a simple file encryption utility for your TPM Mac.


MagSpoof: A device that spoofs credit cards, disables chip-and-PIN protection

The device can wirelessly spoof credit cards/magstripes, disable chip-and-PIN protection, and predict the credit card number and expiration date of Amex cards after they have reported stolen or lost.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Nov 26th