On 2014-07-18 22:49, Tom wrote:
There are two valuable features of Windows, bitlocker and virtual smart card,
> that depend on the Tpm. That and recent hiring in the tpm team leads me to > conclude the tpm will be with us for a very long time.
The virtual smart card is IMO a complete disaster. Microsoft never released a specification either. Anders former member TrustedComputingGroup
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ From: Anders Rundgren <mailto:[email protected]> Sent: 7/18/2014 11:47 AM To: Tom Jones <mailto:[email protected]>; [email protected] <mailto:[email protected]> Subject: Re: [android-security-discuss] Re: The TPM is dead, long live theTEE! On 2014-07-15 20:55, Tom Jones wrote: > I think you miss the point. The TPM 2.0 spec is written to be enabled in the TEE. > What you say is limited to the TPM 1.2 spec. > Microsoft has been shipping TPM 2.0 in the ARM Windows RT for over a year. This is correct. But what is also means is that it is the TEE that is the new core. The TPM spec will only be used by Microsoft and probably only a couple of years more. Anders > ..tom > > On Monday, July 14, 2014 8:43:11 PM UTC-7, Anders Rundgren wrote: > > In spite of Microsoft, Intel and Nokia "betting the house" on TPMs (Trusted Platform Modules), all their competitors in the mobile space including Google and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes like this: > > http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937 <http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937> > http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf <http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf> > > How come the competition didn't buy into TPMs? > > TPMs are based on a /"one-size-fits-all"/ API philosophy. Since /Intel relies on external vendors/ supplying TPM-components this (IMHO fairly unwieldy) API must also be standardized _making the process updating TPMs extremely slow and costly_. The constraints on silicon that existed during the "Palladium" days are since long gone. > > TEEs OTOH can be fitted at any time with /application-specific security APIs/ which both can be standardized or entirely proprietary. In fact, even third-parties can introduce new security APIs using GlobalPlatform's TEE. > > /Converted into practice/: _My old Nexus 7 got hardware-protected keys through an OTA update_ while my new Dell XPS-15 will be stuck with TPM 1.2 during the rest of its life! > > -- > You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. > To post to this group, send email to [email protected] <mailto:[email protected]>. > Visit this group at http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/d/optout.
-- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
