<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Open Source Security &#187; Trusted Computing</title>
	<atom:link href="http://www.ratliff.net/blog/category/trusted-computing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ratliff.net/blog</link>
	<description>A blog about open source and security and open source security</description>
	<pubDate>Mon, 10 Nov 2008 21:33:55 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
	<language>en</language>
			<item>
		<title>Installing and configuring eCryptfs with a trusted platform module (TPM) key</title>
		<link>http://www.ratliff.net/blog/2008/11/10/installing-and-configuring-ecryptfs-with-a-trusted-platform-module-tpm-key/</link>
		<comments>http://www.ratliff.net/blog/2008/11/10/installing-and-configuring-ecryptfs-with-a-trusted-platform-module-tpm-key/#comments</comments>
		<pubDate>Mon, 10 Nov 2008 21:33:55 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[eCryptfs]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/?p=80</guid>
		<description><![CDATA[Mike Halcrow has written a paper on Installing and configuring eCryptfs with a trusted platform module (TPM) key. This paper is available on IBM Systems Information Center along with a bunch of other step-by-step guides.
This paper describes how to use a TPM key directly with eCryptfs. It demonstrates the flexibility of eCryptfs&#8217; pluggable key module [...]]]></description>
			<content:encoded><![CDATA[<p>Mike Halcrow has written a paper on <a href="http://publib.boulder.ibm.com/infocenter/systems/topic/liaai/ecrypts/BPeCryptfs.pdf">Installing and configuring eCryptfs with a trusted platform module (TPM) key</a>. This paper is available on <a href="http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/liaai/liaaiblueprint.htm">IBM Systems Information Center</a> along with a bunch of other step-by-step guides.<br />
This paper describes how to use a TPM key directly with eCryptfs. It demonstrates the flexibility of eCryptfs&#8217; pluggable key module framework. Since the TPM wasn&#8217;t designed to do bulk encryption, if you actually set eCryptfs up this way, you&#8217;ll get pretty low performance, but it is an interesting exercise nonetheless and if you have small bits of information that you want strongly protected, this does provide one good option. I hear that Mike is working on replicating this experiment with a wrappered key which should provide much better performance but requires a little additional code.<br />
In addition to showing how to integrate the TPM with eCryptfs, this paper also contains step-by-step descriptions of how to do ancillary operations like how to enable encrypted swap in Red Hat Enterprise Linux 5.2 and how to get your TPM up and operational. This side content alone makes the paper useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2008/11/10/installing-and-configuring-ecryptfs-with-a-trusted-platform-module-tpm-key/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Red Hat Enterprise Linux 5.2 contains two security Technology Previews</title>
		<link>http://www.ratliff.net/blog/2008/05/21/red-hat-enterprise-linux-52-contains-two-security-technology-previews/</link>
		<comments>http://www.ratliff.net/blog/2008/05/21/red-hat-enterprise-linux-52-contains-two-security-technology-previews/#comments</comments>
		<pubDate>Wed, 21 May 2008 21:47:29 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Planet LTC]]></category>

		<category><![CDATA[Products]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<category><![CDATA[news]]></category>

		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/?p=72</guid>
		<description><![CDATA[Red Hat Enterprise Linux 5.2 was released today. That is significant news in and of itself, but I am especially excited because it contains Technology Previews of  eCryptfs, TrouSerS, and tpm-tools! As Technology Previews, they are not yet supported for production use, but this is the first step to allow for experimentation and time [...]]]></description>
			<content:encoded><![CDATA[<p>Red Hat Enterprise Linux 5.2 was <a href="http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/">released</a> today. That is significant news in and of itself, but I am especially excited because it contains Technology Previews of  <a href="http://ecryptfs.sourceforge.net/">eCryptfs</a>, <a href="http://trousers.sourceforge.net/">TrouSerS</a>, and tpm-tools! As Technology Previews, they are not yet supported for production use, but this is the first step to allow for experimentation and time for ripening. I&#8217;m happy to see Red Hat&#8217;s continued dedication to security. If you try these packages out in RHEL, I&#8217;d love to hear of any successes or problems that you encounter.</p>
<p>[1] <a href="http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/">http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/</a><br />
[2] <a href="http://ecryptfs.sourceforge.net/">http://ecryptfs.sourceforge.net/</a><br />
[3] <a href="http://trousers.sourceforge.net/">http://trousers.sourceforge.net/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2008/05/21/red-hat-enterprise-linux-52-contains-two-security-technology-previews/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Hal Finney&#8217;s Experimental Privacy CA</title>
		<link>http://www.ratliff.net/blog/2008/01/14/hal-finneys-experimental-privacy-ca/</link>
		<comments>http://www.ratliff.net/blog/2008/01/14/hal-finneys-experimental-privacy-ca/#comments</comments>
		<pubDate>Mon, 14 Jan 2008 21:34:52 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Planet LTC]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2008/01/14/hal-finneys-experimental-privacy-ca/</guid>
		<description><![CDATA[A longstanding limitation of doing remote attestation between &#8220;strangers&#8221; has been eased through some experimental work that Hal Finney recently announced on the TrouSerS user&#8217;s list. Hal has announced that he has created a Privacy CA at PrivacyCA.com. Question 2.1 of the TrouSerS FAQ contains a graphic showing the prerequisite pieces for doing remote attestation. [...]]]></description>
			<content:encoded><![CDATA[<p>A longstanding limitation of doing remote attestation between &#8220;strangers&#8221; has been eased through some experimental work that <a href="http://sourceforge.net/mailarchive/forum.php?thread_name=da7b3ce30801131643j74be4064l52daa8c0e90efa83%40mail.gmail.com&#038;forum_name=trousers-users">Hal Finney recently announced</a> on the TrouSerS user&#8217;s list. Hal has announced that he has created a Privacy CA at <a href="http://privacyca.com/">PrivacyCA.com</a>. <a href="http://trousers.sourceforge.net/faq.html#2.1">Question 2.1 of the TrouSerS FAQ</a> contains a graphic showing the prerequisite pieces for doing remote attestation. Hal has filled in the Privacy CA and notes that Infineon does supply the Endorsement Credential. He also provides a &#8220;test and debug mode&#8221; so that users of other TPMs can still experiment with the service without the guarantee that they are using real TPMs. Up to now, attestation keys had to be exchanged via sneaker net (manual exchange and verification before attestation was possible) to enable machines to do remote attestation. Hal&#8217;s announcement represents a great leap forward in the usefulness of TPMs.</p>
<p>1. <a href="http://sourceforge.net/mailarchive/forum.php?thread_name=da7b3ce30801131643j74be4064l52daa8c0e90efa83%40mail.gmail.com&#038;forum_name=trousers-users">http://sourceforge.net/mailarchive/forum.php?<br />
thread_name=da7b3ce30801131643j74be4064l52daa8c0e90efa83%40mail.gmail.com&#038;forum_name=trousers-users</a><br />
2. <a href="http://privacyca.com/">PrivacyCA.com</a><br />
3. <a href="http://trousers.sourceforge.net/faq.html#2.1">http://trousers.sourceforge.net/faq.html#2.1</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2008/01/14/hal-finneys-experimental-privacy-ca/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Trusted Computing Group Blog</title>
		<link>http://www.ratliff.net/blog/2007/12/21/trusted-computing-group-blog/</link>
		<comments>http://www.ratliff.net/blog/2007/12/21/trusted-computing-group-blog/#comments</comments>
		<pubDate>Sat, 22 Dec 2007 03:45:06 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Trusted Computing]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/12/21/trusted-computing-group-blog/</guid>
		<description><![CDATA[The Trusted Computing Group has launched a new group blog. The actual bloggers haven&#8217;t yet been announced, but presuming that they will include some people who are already actively writing about Trusted Computing (say Steve Hanna, Marion Weber, Dave Challener, perhaps) it will be a blog worthy of attention.
]]></description>
			<content:encoded><![CDATA[<p>The Trusted Computing Group has launched a new <a href="https://www.trustedcomputinggroup.org/blog/">group blog</a>. The actual bloggers haven&#8217;t yet been announced, but presuming that they will include some people who are already actively writing about Trusted Computing (say Steve Hanna, Marion Weber, Dave Challener, perhaps) it will be a blog worthy of attention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/12/21/trusted-computing-group-blog/feed/</wfw:commentRss>
		</item>
		<item>
		<title>New book on Trusted Computing</title>
		<link>http://www.ratliff.net/blog/2007/12/19/new-book-on-trusted-computing/</link>
		<comments>http://www.ratliff.net/blog/2007/12/19/new-book-on-trusted-computing/#comments</comments>
		<pubDate>Wed, 19 Dec 2007 21:59:18 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Planet LTC]]></category>

		<category><![CDATA[Products]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/12/19/new-book-on-trusted-computing/</guid>
		<description><![CDATA[Current and former co-workers, Kent Yoder, Dave Challener, Ryan Catherman, Dave Safford, and Leendert van Doorn have written a book called A Practical Guide to Trusted Computing. It&#8217;s now available for pre-order on Amazon and will be available on Jan. 7, 2008. The authors have been instrumental in the creation of the TCG specs and key [...]]]></description>
			<content:encoded><![CDATA[<p>Current and former co-workers, Kent Yoder, Dave Challener, Ryan Catherman, Dave Safford, and Leendert van Doorn have written a book called <code>A Practical Guide to Trusted Computing</code>. It&#8217;s now available for pre-order on Amazon and will be available on Jan. 7, 2008. The authors have been instrumental in the creation of the TCG specs and key open source software, for example, Dave led the TSS Working Group for years and Leendert was on the Board of Directors. I reviewed an early copy of the book almost exactly a year ago. My favorite parts of the version that I read were the chapters on TSS along with the sample code for how to use the TSS API and the chapter on use cases for Trusted Computing (for the sheer fun of it). I think that it definitely lives up to its billing as a practical guide and it provides a complete grounding in the concepts of trust, attestation, measurement, etc. that are foundational to Trusted Computing. It is very readable and is a faster read and shorter than it seems because of the reference information included. I haven&#8217;t yet seen the ultimate version of the book, but I&#8217;m eagerly awaiting my copy from Amazon. Congratulations to the authors for sticking through the long haul and providing such a useful book!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/12/19/new-book-on-trusted-computing/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Knoppix Live Image with Trusted Computing Features</title>
		<link>http://www.ratliff.net/blog/2007/12/03/knoppix-live-image-with-trusted-computing-features/</link>
		<comments>http://www.ratliff.net/blog/2007/12/03/knoppix-live-image-with-trusted-computing-features/#comments</comments>
		<pubDate>Mon, 03 Dec 2007 20:46:21 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/12/03/knoppix-live-image-with-trusted-computing-features/</guid>
		<description><![CDATA[If you want to try out some of the Trusted Computing features but don&#8217;t want to add them to your running system, check out this version of Knoppix that Japan&#8217;s National Institute of Advanced Industrial Science and Technology (AIST) produced with IBM Tokyo Research Lab. It includes Grub-IMA, Linux-IMA, TrouSerS, tpm-tools and TPM Manager (by [...]]]></description>
			<content:encoded><![CDATA[<p>If you want to try out some of the Trusted Computing features but don&#8217;t want to add them to your running system, check out this version of Knoppix that Japan&#8217;s National Institute of Advanced Industrial Science and Technology (AIST) produced with IBM Tokyo Research Lab. It includes Grub-IMA, Linux-IMA, TrouSerS, tpm-tools and TPM Manager (by rub.de). More features are still being developed. Thanks to Seiji Munetoh for pointing this out to me. I downloaded it and tried it on my T42p and it is very clean and slick.</p>
<p>It&#8217;s available from <a href="http://unit.aist.go.jp/itri/knoppix/index-en.html">http://unit.aist.go.jp/itri/knoppix/index-en.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/12/03/knoppix-live-image-with-trusted-computing-features/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Steve Hanna&#8217;s article on NAC</title>
		<link>http://www.ratliff.net/blog/2007/12/03/steve-hannas-article-on-nac/</link>
		<comments>http://www.ratliff.net/blog/2007/12/03/steve-hannas-article-on-nac/#comments</comments>
		<pubDate>Mon, 03 Dec 2007 16:06:48 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Trusted Computing]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/12/03/steve-hannas-article-on-nac/</guid>
		<description><![CDATA[Steve Hanna has written an excellent introductory article[1] on Network Access Control (NAC) discussing the motivations for implementing NAC and how Trusted Computing can help further secure NAC. Trusted Computing works well here because while the endpoint can still lie, it gets noticed that the endpoint is lying even if the exact lie is not [...]]]></description>
			<content:encoded><![CDATA[<p>Steve Hanna has written an <a href="http://www.esj.com/news/print.aspx?editorialsId=2904">excellent introductory article</a>[1] on Network Access Control (NAC) discussing the motivations for implementing NAC and how Trusted Computing can help further secure NAC. Trusted Computing works well here because while the endpoint can still lie, it gets noticed that the endpoint is lying even if the exact lie is not known. The lie is detected because the measurement log no longer matches the signed quote of the PCR values. IBM Research wrote an excellent paper in 2004 describing attestation in detail as implemented on a Linux system: <a href="https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf">The Role of TPM in Enterprise Security</a>[2].</p>
<p>[1] http://www.esj.com/news/print.aspx?editorialsId=2904<br />
[2] https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/12/03/steve-hannas-article-on-nac/feed/</wfw:commentRss>
		</item>
		<item>
		<title>ENISA Quarterly Features Trusted Computing</title>
		<link>http://www.ratliff.net/blog/2007/11/28/enisa-quarterly-features-trusted-computing/</link>
		<comments>http://www.ratliff.net/blog/2007/11/28/enisa-quarterly-features-trusted-computing/#comments</comments>
		<pubDate>Wed, 28 Nov 2007 23:19:07 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Trusted Computing]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/11/28/enisa-quarterly-features-trusted-computing/</guid>
		<description><![CDATA[The current magazine from the European Network and Information Security Agency (ENISA) highlights Trusted Computing in their current issue of ENISA Quarterly [1]. There are four articles on Trusted Computing - one which compares TC to automobile airbags. There is an interesting article on Trusted Computing from a European perspective which covered the workshop by [...]]]></description>
			<content:encoded><![CDATA[<p>The current magazine from the European Network and Information Security Agency (ENISA) highlights Trusted Computing in their current issue of <a href="http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_09_07.pdf">ENISA Quarterly</a> [1]. There are four articles on Trusted Computing - one which compares TC to automobile airbags. There is an interesting article on Trusted Computing from a European perspective which covered the workshop by the same name held in Germany earlier this year. Another article touches on the OpenTC project&#8217;s goal of providing European citizens &#8220;informational self-determination&#8221; in a secure context. Also noteworthy is the call for papers for Trust 2008.</p>
<p>[1] http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_09_07.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/11/28/enisa-quarterly-features-trusted-computing/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Trusted Computing and the Trough of Disillusionment</title>
		<link>http://www.ratliff.net/blog/2007/10/25/trusted-computing-and-the-trough-of-disallusionment/</link>
		<comments>http://www.ratliff.net/blog/2007/10/25/trusted-computing-and-the-trough-of-disallusionment/#comments</comments>
		<pubDate>Fri, 26 Oct 2007 01:56:52 +0000</pubDate>
		<dc:creator>Emily Ratliff</dc:creator>
		
		<category><![CDATA[Planet LTC]]></category>

		<category><![CDATA[Trusted Computing]]></category>

		<guid isPermaLink="false">http://www.ratliff.net/blog/index.php/2007/10/25/trusted-computing-and-the-trough-of-disallusionment/</guid>
		<description><![CDATA[RSA London is going on this week and professional blogger David Lacey is blogging that not much interesting is going on, but that he was very excited to meet Steve Hanna. Steve says that 2008 is going to be the year that Trusted Computing breaks out.[1] I hope he is right! Gartner for 2006 still [...]]]></description>
			<content:encoded><![CDATA[<p>RSA London is going on this week and professional blogger David Lacey is blogging that not much interesting is going on, but that he was very excited to meet Steve Hanna. Steve says that 2008 is going to be the year that Trusted Computing breaks out.[1] I hope he is right! Gartner for 2006 still has Trusted Computing sliding into the trough.[2] But the saddest testament to the slow uptake on Trusted Computing is that Gartner uses it as an example technology to explain two different factors that can cause a technology to have a &#8220;Long Fuse&#8221; (that is to spend more time than average in the Trough of Disillusionment).[3] I am starting to see some signs that the deep trough that the technology has been in the past couple of years is coming to an end (more on this later) and Steve&#8217;s optimism is heartening.</p>
<p>[1]<a href="http://www.computerweekly.com/blogs/david_lacey/2007/10/trusted-computing-hits-the-roa.html">David Lacey, Trusted Computing Hits the Road</a><br />
[2]<a href="http://www.gartner.com/it/products/hc/hc.jsp#w">Gartner&#8217;s Hype Cycle Reports</a> Click on Information Security and look at the table of contents to see where Trusted Computing Platform is listed in the latest Hype Cycle.<br />
[3]<a href="http://www.gartner.com/DisplayDocument?id=509085#5_3%3C!--%20entry%20label%2014--%3E">Understanding Gartner&#8217;s Hype Cycles</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ratliff.net/blog/2007/10/25/trusted-computing-and-the-trough-of-disallusionment/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
