Intel to include DRM in new Pentium 4 series processors

Brian Gladman brg@gladman.plus.com
Thu, 12 Sep 2002 19:40:32 +0800 

From: "Matthew Astley" <lists-ukcrypto@fruitcake.demon.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Wednesday, September 11, 2002 5:45 AM
Subject: Re: Intel to include DRM in new Pentium 4 series processors


> On Tue, Sep 10, 2002 at 09:40:35PM +0100, Graham wrote:
> > On Tuesday 10 Sep 2002 5:35 pm, John Sullivan wrote:
>
> > > It still needs Palladium to work - so OpenSource we go!
>
> I see a clear need for a "Do not feed the animals" sign across Intel's
> cage. If the hardware companies get burned on this, it might go away
> for a while. Software has to be cheaper than hardware, so Intel is
> taking the risk here.

Over the last two years I have been briefed in detail on TCPA developments
and also briefed in detail (under Non Disclosure Agreements) on a number of
implementations of TCPA being undertaken by major companies.

I think Ross is right to suggest that the community at large needs to
understand TCPA and its derivatives and hence make a judgement on the impact
that this technology will have on the market.  I hence thought that it might
be helpful if I set out my own position (TCPA is evolving so this is subject
to change).

At one level TCPA (I will use this term to cover both TCPA and the related
implementations) allows a PC owner to have a higher confidence in the
software that is running on their machine.  It will offer secure boot
protection, secure driver loading and verification and OS metrics that allow
a _machine owner_ to determine and verify what OS and what application
software runs on their machine.  All of these facilities are under the sole
control of the machine owner and they can if they wish switch them off (this
is the default).

It is true that a company can take GPL'd software and provide it in a form
that allows the user to say that it is _this_ particular version of the
software that they want to run.   The company providing this software has to
comply with the GPL (assuming that this holds up legally) and this means
that anyone else can compile and sign this software and a PC owner can
choose to use this alternative.  They can do this themselves if they choose
or they can take the software from any Free Software/Open Source distributor
that wishes to supply TCPA signed OS or applications software.

Ross and others see this as a threat to the GPL but I am not convinced by
these arguments. I want a machine with a secure boot sequence and I am happy
to be able to set my machine up in a way that allows me to specify the OS I
want to run and check that it has not been modified since I installed it.
In my view, when implemented in a way that provides public accountability
for design and operation, these are good features.  In consequence I feel
that an effort to cast these features in a bad light is misguided and is
diverting attention form _much_ more important problem areas in TCPA.

A key feature of TCPA is that, subject to the PC owner's permission, remote
agents can set up 'trusted boxes' for their use on an owner's PC.  Hence,
for example, my TCPA enabled PC could have boxes labelled
TCPA<BRG>.MicrosoftBox, TCPA<BRG>.WaltDisneyBox and so on.  The remote
'owner' of these boxes can then install cryptographic keys and other
authorisation tokens in these boxes and couple these to machine metrics so
that, for example, any software or content that they supply will only be
useable on the machine if it is in a state that they specify.  This _is_
Digital Rights Management (DRM) and here I support Ross's desire to ensure
that the community at large knows precisely what they will be letting
themselves in for in buying and using a TCPA enabled machine.

In my discussions with the companies involved I have put _great_ weight on
ensuring that these DRM like facilities are under sole control of the PC
owner.

I expect the following to be true:
(a) TCPA features can be switched off completely.
(b) A remote agent requires the explicit permission of the PC owner in order
to install a 'trusted box'.
(c) At the point of a contract between a PC owner and such an agent (e.g. a
software supplier) the full consequences of the contract will be set out
(e.g. no later changes to what the trusted box can do).
(d) A code of ethics on the use of these features will be published and
'agreed' by the community at large.

In the hands of an informed and vigilant owner these safeguards will be
sufficient in my view to protect their interests in a DRM sense.

But I am very unsure that this will be sufficient.  The _big_ problem here
is that most owners will not understand these issues and this may mean that
suppliers will be able to use these facilities in such a way that the
balance of power in the market will shift away form PC owners to suppliers.
And while it is not unreasonable for suppliers to want some way of
protecting their 'crown jewels', we all know that this power will not simply
be used for this purpose but also to fragment the market and boost profits
in the way that DVD suppliers have tried to do with region coding.

Hence, while I disagree with Ross on the GPL issue, I support Ross's
concerns here.

But I also have additional worries.  While it is true that some TCPA
features can help in a limited way to prevent virii, worms etc., other
features might well prove to be a hacker's paradise.  A user who does not
fully understand the nature of the 'trusted boxes' on their machine could
easily be persuaded to allow the installation of a box that gave a hacker a
powerful influence over the operation of their machine.  Those who have
studied crypto-virus techniques will immediately recognise the seriousness
of this form of attack and that a 'trusted box' would be a pretty well ideal
hiding place from which to conduct operations of this kind.

The TCPA way around this is to suggest that the ability to install trusted
boxes will be controlled by a third party called a 'privacy CA'.  This CA
will, in effect, say to the PC owner "the remote agent who wants to install
a trusted box on your machine is a good guy" and to the remote agent "the PC
on which you want a trusted box can supply one".  And I see this as a big
problem since I am _very_ sceptical about the security value of third party
CAs.

At this stage, therefore, I don't have a problem with TCPA features that are
designed to allow PC owners to exert better control over the security of
their machines (secure boot, OS signing etc.).  But in respect of the DRM
features, I am distinctly uneasy about their functionality in the hands of
the average PC owner and on the way in which this may change the balance of
power in the market.  I am also worried that these features might actually
help very powerful forms of attack and I am unconvinced about the reliance
of key aspects of the architecture on third party CA principles.

I apologise for the length of this post but this is a very important issue
and one that deserves careful study.  I hope that by setting out my own
thoughts I can encourage others to take a look for themselves (TCPA
specifications are openly available). In my view it is vital that these
developments are subjected to careful and determined open scrutiny before
they enter the marketplace.

Finally I want to make it clear that I am consulted on TCPA regularly and
also consulted by a number of the companies who are building related
implementations.  At no time have I ever taken money for this consultation
work and where I have signed NDAs these only constrain my ability to reveal
proprietary implementation details.  At no time have I hidden the fact that
I do this work, nor have I ever advertised the fact for self aggrandisement
purposes.

  Brian Gladman