On 12/07/2014 05:33, Anders Rundgren wrote:
> Somewhat unfortunate for Microsoft and Intel who have "bet the house"
> on TPMs (Trusted Platform Modules), all their competitors in the
> mobile space including Google and Apple, have rather settled on
> embedded TEE (Trusted Execution Environment) schemes enabling systems
> like this:
>
> http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937
>
> iOS:
> http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
>
> How come the competition didn't buy into the TPM?
>
> TPMs are based on a "one-size-fits-all" security API philosophy. Since
> Intel relies on external vendors supplying TPM-components this (IMHO
> fairly unwieldy) API must also be standardized which makes the process
> of updating TPMs extremely slow and costly.
>
> TEEs OTOH can be fitted at any time with application-specific security
> APIs which both can be standardized or entirely proprietary. In fact,
> even third-parties can create new security APIs using GlobalPlatform's
> TEE!
>
> How about security? Since there is (generally) very little consensus
> on these matters, I should probably not dive too deep into this :-)
>
> Anders

Perhaps for another interesting example of the mobile industry's legendary security foresight you might try to find a transcript or notes from a talk two gentlemen by the names of Josh Thomas and Nathan Keltner gave at REcon in Montreal this year titled "Here Be Dragons: A Bedtime Tale for Sleepless Nights." In it, they called out how terrible inter-vendor coordination coupled with allowing several people to add their own APIs to the trust zone code (in that particular case, a DRM API) resulted in a trivial and complete read/write-what-where vulnerability in the trust zone (as implemented by one particular vendor), followed by code execution.

I really don't think "mobile didn't do this therefore it's {not relevant,a bad idea}" is valid. The TEE has a different set of problems, but it certainly has them, and I think it's managed to embarrass a lot more people than TPM has during its tenure.

Also, the platforms are only converged on the surface (if that).

--Falcon K.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto