Apple Mac OS X and Trusted Computing

“The Trusted Computing Platform Alliance (TCPA) was a collaborative initiative involving major industry players such as Compaq, Hewlett-Packard, IBM, Intel, Microsoft, and some others. The successor o the TCPA is th Trusted Computing Group (TCG), whose goal is to develop vendor-neutral standard specifications for trusted computing. Unfortunately, there are several aspects of trusted computing that are often misunderstood—in particular, its relationship to the controversial idea of Digital Rights Management (DRM). We will not discuss the pros and cons of trusted computing here: far too many expositions haven been written both for and against the concept. The purpose of this document is to discuss a specific piece of hardware found in certain Apple computer models: the Trusted Platform Module (TPM),” Amit Singh writes for Mac OS X Internals.

“Regardless of what the media has been harping on for a long time, and regardless of what system attackers have been saying about the ‘evil TPM protection’ Apple uses, Apple is doing no TPM-related evil thing. In fact, Apple is doing no TPM-related cryptographic thing at all in Mac OS X. Yes, I know, there has been much talk of ‘TPM keys’ and such, but there are no TPM keys that Apple is hiding somewhere,” Singh writes.

Singh writes, “More specifically, Apple simply does not use the TPM hardware. In Apple computer models that do contain a TPM, the hardware is available for use by the machine’s owner. Of course, to use it you need a device driver, which Apple indeed doesn’t provide.”

“I am releasing an open source TPM driver for Mac OS X, along with Mac OS X versions of popular open source trusted computing software from the Linux world. No reverse engineering was required to write this driver,” Singh writes. “The driver and the software stack together make trusted computing possible on Mac OS X, assuming you have a machine with a TPM. This page shows you how to ‘take ownership’ of the TPM and begin using it.”

Full article – very interesting and also quite technical in spots – here.

[Thanks to MacDailyNews Reader “—” for the heads up.]

12 Comments

  1. Now, quick… where is Oddyssey67?

    I would just like to relive those arguments of his from the last year or so: about how the iTunes store movies and music were going to be protected with TPM by Apple.

    I want to hear again how the end of “freedom” as we know it was imminent because Apple had joined forces with the forces of corporate protectionism.

    I want to hear the conspiracy theories again that reveal Apple’s secret plan to replace the PowerPC chip with the Intel chip solely to curry corporate favor by locking down content with the TPM technology.

    I want to know why it was ridiculous and naive of any of us to actually believe that Apple might possibly continue on its own previous path of generally minimal protection of content and trying to produce the best machines possible.

    Sure, sure, I can hear him say that this is only the opening round of TPM chips, and that this is just a PR move of goodwill to lull us into a false sense of security…

    But really, honestly, Oddyssey: I am glad to see that some of us were right to “read the tea leaves” and use Occam’s Razor for our conclusion – the simplest explanation is probably the correct one. The PowerPC path was meandering off into woods, while the Intel path was headed straight into the heart of San Speedland, in the heart of Power Valley.

    Thanks, though, for providing some of us with an education on the perils of TPM technology. Just in case I’m ever forced to work with or even (shudder) purchase a PC at some point, at least I’ll know what to look out for. ” width=”19″ height=”19″ alt=”smile” style=”border:0;” />

  2. Apple is avoiding the touchy issue of Trusted Computing by not (presently) appearing to have anything to do with the EFI based drivers required.

    I don’t like the idea of EFI being able to contact the internet, downloading and installing what it wants without my permission before the operating system even loads.

    Also forget about privacy, each TC machine verifies itself and it’s owner automatically.

    The EFI specification defines a new model for the interface between operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.

    en.wikipedia.org/wiki/Trusted_computing

    en.wikipedia.org/wiki/Extensible_Firmware_Interface

    http://www.intel.com/technology/efi/

    Apple is on the UEFI Group now

    http://www.uefi.org/index.php?pg=2

    Video about Trusted Computing (we can’t decide who to trust)

    http://www.lafkon.net/tc/

  3. And Rabid, these points (all valid concerns) are a long way from the wild speculation and fear-mongering that was being tossed around this (and other) sites during the year or so leading up to Apple issuing its first TC-potential machines.

    As to EFI contacting the internet pre-boot, um.. couldn’t you simply boot with your machine disconnected from the internet?

    And of course Apple is on the UEFI Group, as they are using the EFI boot system.

    But again, not to downplay these concerns – they’re things to be watch, <especially> when using software and equipment issued from LESS-than-reputable companies. What is HP’s record of protecting users privacy? What is Microsoft’s track record with protection schemes on their software?

    Now if I was buying a TC laptop from HP with Windows Vista on it… I’d be damn worried.

  4. blucaso & others:

    I’m right here fellas – have no fear. ” width=”19″ height=”19″ alt=”cool smirk” style=”border:0;” />

    First, let me point out what should be obvious; the author is emphasizing how these TPM chips are not being used by Apple. What he is not emphasizing, but what he clearly alludes to, is what they could be used for, by Apple or any other vendor – i.e. the things I and many others on this site (as well as every tech savy commentator around) have been concerned about regarding encryption of your files so as to make them unusable without authorization.

    Now if anyone’s paid attention to my comments from the beginning (and I don’t expect that number to be very large, b/c, frankly, who the hell am I), it should’ve been noticed that lately I’ve commented on the very fact that Apple hasn’t been using these TPMs. I’ve also been explaining why that is; b/c the reason for their adoption by Apple – to get the video media providers to pony up content for iTMS – has been overtaken by events.

    When Apple announced the Intel switch, Jobs had been stymied for months (maybe years) by Hollywood. They didn’t trust FairPlay (software DRM), any more than they trusted their business plans & profit making potential to Steve Jobs. So they leveraged their content to get Jobs to adopt a hardier DRM scheme, or else. Intel was favored by them b/c at the time that company sold like 90% of PC hardware worldwide, thus ensuring TPMs would be nearly everywhere. Jobs blinked, and the decision to switch was made.

    However, soon after that the Disney board revolt occured. A new CEO was willing to play a little ball with Apple, if for no other reason than to mend fences before Pixar was lost to them forever. Desperate Houswives & Lost were offered at substandard def resolutions, sold like hotcakes anyway, and thus the floodgates swung open. In no time flat, the lure of easy money totally overwhelmed the industry, who figured they’d figure out the whole TPM/DRM thing as they went. As long as the resolution was crappy, that was pretty good DRM on it’s own. Yet traversing the slippery slope had begun. It got real slick once Jobs sold Pixar to Disney outright in return for being majority shareholder. The whole Disney catalog was now open to him, at whatever resolutions he could make work, and if the rest of the industry had any financial sense (and they do) they would have to acknowlege that Jobs & Apple had the upper hand again. TPMs be damned.

    cont …

  5. I give Jobs credit – I think he knows that these little chips are bad for computers and bad for the media industry, and has fought to keep them shut off once it was clear he could win that fight. But make no mistake; he was so wedded to the concept of video downloads from iTMS first and foremost that he made a major hardware shift based on making that happen. And part of that shift included incorporation of TPMs into the process. If he had to, he was going to light them up, and all for a new way of watching movies. I didn’t think that was a good tradeoff then, and I still don’t now – it’s like bargaining with the devil.

    The silver cloud is this (from the article):

    “At the time of this writing (October 2006), the newest Apple computer models, such as the MacPro and the revised MacBook Pro, do not contain an onboard TPM. Theoretically, Apple could bring the TPM back, perhaps, if there were enough interest (after all, it is increasingly common to find TPMs in current notebook computers), but that’s another story.”

    Jobs got lucky. As I said, events outstripped everyone’s plans and expectations with regard to TPMs and how crucial they were going to be. I think the above information shows that Jobs feels so secure in his position now that he’s basically saying to Hollywood ‘f**k you’. If you look at what IBM just announced recently with the Power6 (a G5/970 derived superfast, super efficient multicore CPU), what IBM immediately announced after the Switch (a low power G5 that went right in the new iMac), and the myriad of seemless PPC upgrade options Apple had available to them (dual core G4s from Freescale, lowpower 64bit multicores from PASemi, and partnership with Nintendo on Broadway … let alone further Cell development), it all makes a costly x86 adoption seem more than a little dumb in hindsight. For Jobs this would have been foresight (meaning he knew all this was coming), so you have to think he has just a bit of tude for the entertainment industry.

    The thing every fan of the switch keeps forgetting is that Apple was achieving 40% sales growth of computers BEFORE the announcement – after that there sales fell back to earth, and have only recently gotten to the high 30% range again. nothing was derailing apple’s momentum at the time EXCEPT the switch itself! That caused more than a year of doldrums – and billions of dollars – lost forever. Apple didn’t need Intel to get to the level of succes they have now – they were already on their way.

    The upside is that there are some people who will benefit from having windows and OSX on the same machine, and big business – conservative lot they are – will come around quicker with ‘Intel Inside’ than they might have otherwise. I do think that’s a good thing going forward. But it wasn’t necessary, and certainly wasn’t the main reason for the switch. Those little TPMs and a video centric future WERE the drivers. The fact that they aren’t anymore can be classified under the old saying “the best laid plans of mice and men forever go awry”

    Later dudes (and sorry for the typos) ” width=”19″ height=”19″ alt=”cool grin” style=”border:0;” />

  6. Well, O67, I at least give you credit for a more creative version of revisionist history than I would have thought anyone capable of! ” width=”19″ height=”19″ alt=”LOL” style=”border:0;” />

    But thank you for the thought outline. I’ll be the first to disagree with many of your conclusions (as usual), but it is interesting stuff. That’s something, eh?

    As to the potential lay of the land if Apple had never changed to Intel – well, I do know that there was an uptick in interest in Macs B.I. (before the Intel announcement.) And the conversion to Intel did cost some short-term momentum.

    But do you remember the switch starting 6 months earlier than most anyone expected? And do you remember the jaws dropping on the announcement of Rosetta? These things were genius in allowing a smooth transition – and precisely WITHOUT a precipitous drop in sales. Look back at the Macs sold, especially the year over year by quarterly numbers. There’s not a huge momentum loss there, rather a very small one.

    Now look at the facts of life in the “real world of IT” (nods to Sputnik).

    1) Most big business uses Windows, and has little or no desire to change.

    2) Most people at home need at least some ability to work on business stuff or easily transfer stuff to those damnable Windows machines. Hence, most have Windows computers – even if they have Macs too, or even if they prefer Macs, or even if they might want to try Macs.

    3) Because nearly everyone is familiar with Intel-based PCs, they know how to compare features, chips, and prices of PCs.

    Apple’s switch to Intel and its introduction of Boot Camp just started a domino effect, working from point 3) up to point 1)…

    3) Now people can FAIRLY compare specs, speeds, and prices of Macs with the junk from Dell. Now they don’t have to “guess” how fast a PowerPC 1.2 Ghz chip is. We all know it never really mattered as much as people like to think, but computer buyers seem to really like quantifiable specs to measure their toys. Most people already can see the quality of iPods, MacBooks, and other Apple products. They already “know” the reputation is better. But now they can compare the quantifiable stuff without feeling stupid, or lost, or ignorant. Bravo!

    2) Now that they can compare fairly, they can also Boot Camp Windows. Nevermind that Office has been there all along for Mac. Nevermind that files are either globally exchangeable, or that translation software has existed for almost every proprietary file format known to man for as long as I can remember the name “DataViz” – NOW no one has to be convinced. NOW they can just boot Windows if / when they “need” it. Which means that now they CAN consider buying the Mac they prefer/want/are curious about.

    1) Finally, as more Macs are in homes, and as people bring more MacBooks & MBPros into the office, and as they are seen playing nicey-nice on the network and in the conference rooms and doing presentations (Wow… I can’t do that in PowerPoint. What program is that again?) . . . now you have the potential in ANY GIVEN COMPANY for a tipping point. The possibility exists that the company will now consider buying Macs.

    But see? Step 1 NEVER happens without Steps 3 and 2 being addressed. And NONE of this happens at any appreciable rate unless the Intel Switch is made.

    I find it difficult to believe any argument that the switch to Intel wasn’t necessary. I freely admit I don’t kow what chips might be in a new PowerPC Mac today, but I do know how slowly the advances were in coming up until the switch. I remember the era of miniscule speed bumps, heat problems in laptops and towers and cubes, long-term shortages of availability… the list goes on and on.

    But just on the basis of chip supply only – HOW was Apple going to grow at any appreciable rate if it couldn’t even meet demand? This was a seemingly constant battle with PowerPC. Not any more, it seems, and that alone probably justifies the switch.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.