Taking Ownership of the Trusted Platform Module Chip on Intel Macs
by Jonathan Austin - Thursday, 27 June 2007.
Important: TPM Setup is an Intel binary, therefore it can be used only on Intel Macs. If you are interested in playing with TPM on non-Intel Macs, check out the references located at the end of this article.

TPM Setup can be downloaded from:

1) Comet Way: http://darkside.cometway.com

2) Help Net Security: http://net-security.org/software.php?id=675

OSXBookTPM.kext and tcsd

These are Amit Singh's kernel extension and the daemon needed for the whole TPM experience. These files were released under GPLv2, so the guys at Comet Way are redistributing them within the TPM Setup package. Bottom line, all the applications you will need are located in the same archive linked in the previous paragraph.

There is a disclaimer the developers provided with the TPM Setup application: the software is provided as a demo and should be used at your own risk. From the technical perspective, the only troublesome thing you can do is set up and then forget the TPM password, which could be a bad thing. You will also need to be at least a bit familiar with the UNIX shell, but following the screenshots in this article should be just enough.

Let's take the ownership of the TPM chip

As you could see from the first screenshot, TPM is enabled and activated. The only thing still needed is to take ownership of it. This means that we need to set up two passwords: one for the TPM chip itself and the other one for the Storage Root Key (SRK).

TPM Setup can also reset a TPM by clearing it, enabling and activating it, and allowing the user to take ownership of the TPM. In this case two reboots will be required, once after clearing the TPM, and once again after enabling and activating it.

In our case of a "clean TPM", we won't need any reboots and the only interaction is entering two sets of passwords (they can be identical). Before this, we need to use the Terminal to start Amit Singh's tcsd daemon and load the TPM kernel extension:

As mentioned earlier, the support directory of the TPM Setup contains all the needed scripts, kernel extension and the daemon. Let's start the daemon with the tpmInit script:



The script needs administrative privileges, so the appropriate password needs to be entered. As you can see from the screenshot, the kernel extension is successfully loaded and the daemon is started. Leave this terminal window open; if you want to kill the daemon, hit the Ctrl+C key combination.

Now that the daemon is started, we can open the TPM Setup application and take ownership of the TPM chip. If for some reason you didn't start the daemon or the start was unsuccessful, the following window will say that you should start the process again. In our case, everything is just fine:



Time to enter the user and SRK passwords:



Final phase: TPM is operational, activated, enabled and owned:



To stop the daemon, just kill the process; to remove the extension and tmp files, use the tmpCleanup script:



Conclusion

The whole procedure covered throughout this article is not at all "mainstream", so TPM will currently be of use to an extremely limited number of users. Soon Comet Way will release the mentioned file encryption utility and there is always a need for enhancing the state of security on your Mac.

Copyright 1998-2014 by Help Net Security.