[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Separate trusted computing designs

From: Jonathan S. Shapiro
Subject: Re: Separate trusted computing designs
Date: Wed, 30 Aug 2006 15:14:45 -0400

On Wed, 2006-08-30 at 14:56 -0400, Jonathan S. Shapiro wrote:
> I am not aware of any general-purpose computer that is "designed to deny
> *owners* access to install or run modified versions of the software
> inside them". Perhaps some are being developed. This description
> certainly does not fit the TCPM-based technology that is being
> implemented in PC's.

Full disclosure:

I *am* aware of at least one open source vendor that *will* design a
device that will deny this access to owners: The EROS Group, LLC.

The device is a surgical instrument. To ensure the safety of patients,
the ability to revise the device firmware is restricted. While a
hospital may own the device, the hospital is not competent to rebuild
the firmware or to certify it. Setting this aside, there is an obvious
safety problem with any firmware replacement that might be installed
through error or mistake. For both reasons, it is appropriate to
restrict the update process in a way that helps to ensure that the
certification process has been run properly on the update.

This is a case where the interests of the patient clearly override the
interests of the owner. While it will run open source code, this device
is not (and should not be) an open device.

We are also designing a broader range of devices where the TC-equivalent
boot firmware will not be replaceable unless the OS is trusted. The
owner of this device would be able to install any OS they want, but an
OS that has not been signed by us will not be able to replace the secure
boot firmware. This does not stop the foreign OS from running, but it
*does* prevent the device from authenticating itself if a foreign OS is
executing. The devices in question perform critical sensing functions in
the context of a sensor and actuator network, and may be subject to
organized, professional, and well-funded attack. In the view of the
customer/owner, it is an essential requirement that no unauthorized
update be installable in such a way that the device can masquerade as
authentic. In many cases, the owner will choose to actively prohibit any
OS update where the OS is unsigned.

Believe it or not, this isn't a military application.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]