Google’s Chrome OS – Will Chromium and Trusted Computing Meet?

One exciting development to come out of Google’s recent announcement of their Chrome OS has been the support for Trusted Computing through the Trusted Platform Module (TPM) chip built into the specification from the ground up, but first, a slight aside. There are two operating systems, Chrome OS and Chromium OS, both of which support TPM, and both are basically identical, mirroring the similar Google’s Chrome and Chromium web browsers. The Chrome version is Google’s own branded version, the Chromium is the Open Source public release, but both in theory use the same code base. From here on I will use the more familiar Chrome term, although the applicable version of the browser and operating system is Chromium.

What does Chrome OS and TPM give us?

Trusted Computing, and the TPM, has a really poor image amongst Open Source fans, many of whom love Google, so support for a TPM in their new operating system induces a bit of cognitive dissonance. Do not worry, however, Google Do No Evil, and this philosophy is reflected in their approach. First, support for a TPM is only an option, although since Chromium is Open Source, any vendor can make the TPM mandatory. Next, if a TPM were to be present, the role described follows the Trusted Computing Group’s suggested method of implementing a Trusted Boot, a method that produces nothing more than just a trusted boot log through the use of trusted registers on the TPM.

This means that client applications, and remote servers, can attest to the state of the device and be able to tell if it booted into a known trusted state. Although from one point of view one might throw up one’s hands in horror at third parties checking out the configuration of the TPM and thus one’s operating system, the benefit is for banking applications, for instance, where the bank can query your TPM for the Chrome OS state, and if it decides it is an unknown, thus potentially insecure due to the possibility of spy software on the device, refuse you access to your banking details.

What does Chrome OS and TPM NOT give us?

A TPM does NOT prevent you hacking your device; Google from the get-go recognised that people will want to install not just their own operating system on the device, but also the firmware, so they have provided methods that allow the device to start up under these circumstances too. As the TPM is always a passive chip, there is no way that it can detect an unexpected operating system or firmware and prevent booting, despite what TPM detractors claim.

Indeed, if you have an enlightened bank and can convince them you know what you are doing, they might even offer a way to allow you to register a known-good system state based on your own personal software configuration, thus as described in the previous section, the bank could attest to your own personal TPM plus system configuration, thus accepting your own private device set-up, but detecting anomalies to that personalised configuration.

But why would I want a TPM watching over me?

In most homes there are probably two distinct classes of internet-connectable devices. The first is computers, the second home electronics like televisions or games machines. For private-use computers, TPMs are a bit of a hard sell, but for home electronics, you just want to switch on and have them work; the average user is not interested in anything other than the bog-standard out-of-the-box PlayStation. A device based on Google’s new OS falls more into the second category; you (with you being the average user, not you the leet haxx0r) just want it to work.

However, the internet is a big bad world, and full-time surfing can expose one to all kinds of potentially dangerous content that can infect one’s equipment. By adding a TPM into the mix, you as the user have an extra guarantee that the device is still in a secure and trusted mode. For example, after boot-up the Chrome OS-based device could query the TPM state and use that information to decrypt a message to display at login time, so if you saw a garbled message you could know the device is not in the expected state, then take measures to fix the problem.

Similarly, services you access can also query the state of the TPM within the operating system, and if the state is not recognised, take action to prevent illegal or invalid access.

Finally, since every TPM may have a unique identity, if your device is stolen, there may be systems in place to blacklist particular devices. A blacklisted device may be refused access to certain services, and (note the following is not a function of the TPM, but may be added by developers to an operating system featuring a TPM) then commanded to delete personally-identifiable data on disk or even within the TPM, or even more drastically, have a kill switch flicked, although that is not a very error-tolerant option!

Thus, with the TPM one can build a secure, trustworthy, user-friendly device that just works, like televisions and video recorders just work, thus if you are looking to get a Chrome OS-based tablet, picture frame, notebook computer, or whatever form-factor that appears, be sure to ask the vendor if there is a TPM within the device.

Source by Ken Yasumoto-Nicolson

Leave a Reply

Your email address will not be published. Required fields are marked *