- Create private/public key pairs such that the private key never leaves the TPM in clear form and because of it the private key cannot be stolen.
- Sign data without the private key ever leaving the chip
- Encrypt data such that it can only be decrypted on the physical machine it was encrypted on
- In protocols such as SSL that use key exchange, employ the TPM for a much better guarantee regarding the identities involved.
For the purpose of testing your computer for existence of the TPM chip we will need to use a command line utility ioreg which displays the I/O Kit registry. Starting the utility without any particular switches, we can just filter the output while grepping for TPM. The result shows that TPM is present on my MacBook notebook:
Tools of the trade
For the purpose of mangling with the TPM chip, we need to use the following:
Mac application released in mid June 2007 that can be used to setup and take ownership of your TPM. The software package is provided by the fine folks at Comet Way, which recently noted their plans to release a simple file encryption utility for your TPM Mac.
Important: TPM Setup is an Intel binary, therefor can be used just on Intel Macs. If you are into playing with TPM on non Intel Macs, checkout the references located at the end of this article.
TPM Setup can be downloaded from:
1) Comet Way: http://darkside.cometway.com
2) Help Net Security: http://net-security.org/software.php?id=675
OSXBookTPM.kext and tcsd
These are Amit Singh's kernel extension and the daemon needed for the whole TPM experience. These files were released under GPLv2, so the guys at Comet Way are redistributing them within the TPM Setup package. Bottom line, all the applications you will need are located in the same archive linked in the previous paragraph.
There are is a disclaimers the developers provided with the TPM Setup application. The software is provided as a demo and should be used on your own risk. From the technical perspective the only troublesome thing you can create is to setup and then forget the TPM password which could be a bad thing. You will also need to be at least a bit familiar with the UNIX Shell, but following the graphics from this article should be just enough.
Let's take the ownership of the TPM chip
As you could see from the first screenshot, TPM is enabled and activated. The only thing still needed is to take the ownership of it. This means that we need to setup two passwords: one for the TPM chip itself and the other one for the Storage Root Key (SRK).
TPM Setup can also reset a TPM by clearing it, enabling and activating it, and allowing the user to take ownership of the TPM. In this case two reboots will be required, once after clearing the TPM, and once again after enabling and activating it.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.