Enabling DRM in the kernel?
| This article brought to you by LWN subscribers Subscribers to LWN.net made this article — and everything that surrounds it — possible. If you appreciate our content, please buy a subscription and make the next set of articles possible. |
Back in April, we looked at the Linux kernel patches for Intel's Trusted Execution Technology (TXT), a mechanism to verify the integrity of the kernel before booting it. Since that time, another version of the patchset has surfaced. The relatively few comments on the feature were largely concerned that there might be opposition to its inclusion—not because of technical considerations, but instead because of ethical concerns about what TXT could enable.
Ted Ts'o had the most to say about what TXT (also known as LaGrande)
enables, not necessarily in
opposition to adding the feature, but outlining the concerns of those who
might. He warned: "So we should
expect a certain amount of controversy and people
lobbying to resist the acceptance of this patch.
" The basic problem
is that TXT can enable Digital Rights Management (DRM) systems that are
largely uncrackable.
Pointing to a "Trusted Computing"
FAQ from 2003, Ts'o noted that five years ago, FAQ author Ross Anderson
"was able to predict the emergence of the LaGrande Technology
(see question 15 in the above FAQ).
" But, Joseph Cihula, author
of the TXT patch noted that some of the FAQ (and other Trusted Computing
complaints) had been rebutted
[PDF] in an IBM whitepaper by David Safford. But, as Ts'o pointed out, much of Safford's response was
specific to the Trusted Computing Platform Alliance (TCPA) technology,
which is essentially broken as a DRM lockdown solution:
With TXT, however, all of these problems go away. What you end up booting is completely under "[Circuit] City's DIVX's" control, and may include a miniature Windows environment running in the trusted environment; it could then take over a portion of the screen for the video output, and the hardware would have special features set up to prevent the host OS from having any access to the video output of the movie player running in the TXT environment.
Ts'o's message is worth reading in its entirety, but the basic point is that TXT enables Hollywood (or another DRM-happy entity) to take away some of the basic functionality of the hardware in order to preserve their "rights". Essentially, this takes away users' rights to protect companies' perceived or actual rights. The truly nightmarish scenario is one where one cannot do anything on a computer that isn't contained in a signed (presumably proprietary and closed source) application, running on a signed operating system. TXT could enable just that kind of functionality.
But, there are some scenarios (Ts'o mentions medical record access) under which TXT could be beneficial to the user. Other devices (voting machines and ATMs are the standard example) could benefit from TXT as well. Should kernel hackers stand in the way of adding this code to the kernel simply because it can be used for ill? The consensus, from the extremely limited subset of the kernel development community participating in the discussion, seems to be "no".
James Morris notes Linus Torvalds's famous "Flame Linus to a crisp!" message wherein he
says: "I want to make it clear that DRM is perfectly ok with
Linux!
". Morris more-or-less agrees with that view:
That sentiment is also shared by Ts'o: "That being said, it's not
clear to me that stopping the technology from going into Linux really isn't
going to help matters; realistically, the Linux desktop is miniscule[1],
and whether or not we add support for TXT in the mainline Linux kernel
isn't going to stop Hollywood's plans.
" His footnote refers to the
potential risk of TXT being used in Moblin to lock down those devices, but
"realistically, even if we don't let it into mainline kernel, it
won't stop Moblin hardware vendors from shipping it
".
This is a social, not a technical problem, as Ts'o says. There are powerful interests that certainly want to have that kind of power over the actions of their customers. It will be up to those who value their hardware and software freedoms (and, very likely, the courts) to ensure that those freedoms are still available. Avoiding DRM is not something that has gotten onto the radar of most consumers, but the content providers are doing their best to raise its visibility. One wonders how many revoked features for Kindle books or how much music that expires because it is crippled with DRM it will take before consumers start to rebel.
In the meantime, though, it seems likely that Linux will end up with TXT
support somewhere down the road. The objections have been
few—technical or ethical—at least so far, and the code obviously
exists. There is no barrier to a hardware manufacturer (or distribution)
incorporating it and enforcing whatever restrictions it wishes. Given that
there are benign uses as well, the code is likely to improve from its
inclusion in the mainline. When (almost certainly not "if") those uses
turn towards total lockdown, it will be a social battle, on multiple
fronts, to preserve the hardware and software freedoms we enjoy today.
| Index entries for this article | |
|---|---|
| Security | Integrity management |
| Security | Signing code |
(Log in to post comments)
Enabling DRM in the kernel?
Posted May 21, 2009 4:06 UTC (Thu) by PaulWay (guest, #45600) [Link]
Because it's Pedantic Thursday, I'd like to point out that the actual allegory would be "cat's paw"; in the Aesop's fable, the monkey asked the cat to fetch some chestnuts from the fire, and while the cat nursed its singed paw the monkey ate the chestnuts.
A monkey's paw is actually a gift that has unintended (terrible consequences), after he horror short story by W. W. Jacobs.
Have fun,
Paul
Enabling DRM in the kernel?
Posted May 22, 2009 17:29 UTC (Fri) by shapr (subscriber, #9077) [Link]
Today this company is doing Hollywood's bidding, tomorrow Hollywood owns them. Sounds scary to me.
Enabling DRM in the kernel?
Posted May 21, 2009 4:21 UTC (Thu) by fuhchee (guest, #40059) [Link]
...The relatively few comments on the feature were largely concerned that there might be opposition to its inclusion...So in other words, the thread seems to be pretty free of controversy, except for speculation that controversy might some day erupt, but not from those doing the speculating (since they can live with DRM/TXT in the kernel)?
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 6:05 UTC (Thu) by jimbo (subscriber, #6689) [Link]
Who actually requires this apart Hollywood and its like? I submit that the rest of the kernel code will be immeasurably improved by- Not supporting the TXT system
- Never including the patch in the mainline kernel code.
I think that including digital restriction management into the Linux kernel only panders to DRM's advocates, and serves only to restrict the freedom that we currently enjoy, including naive kernel developers.
--J
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 11:00 UTC (Thu) by tialaramex (subscriber, #21167) [Link]
I don't happen to like voting machines, a pencil & paper works for me, but lots of US states want machines, and if you want people in those states to know their votes count, trust in the machines must be improved.
I'm sure there are other examples, but as a matter of /social policy/ I don't believe this technology is appropriate in devices sold to individuals (and not just because of DRM), and would cheerfully support a ban on retail sale of devices incorporating a technology which prevents the purchaser from reprogramming them.
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 13:58 UTC (Thu) by anton (subscriber, #25547) [Link]
some independent authority says that version 1.4.26.8 of the software is OK, this type of technology ensures that every voting machine has 1.4.26.8 on it and isn't "upgraded" to a version that gives half the vote to whoever paid off the software vendor.That's right, this technology could ensure that not only the software vendor, but also someone who signs the software gets a share of the spoils (but in practice it will probably all go to the vendor of the voting machine, as they do the software and the signing).
Do the voters or the voting administration have any way to determine which software runs on the machine? Nope.
So the voting machine scenario is just a red herring. And vice versa, treacherous computing will be used to muddle the waters in the discussion about the security of voting machines.
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 16:06 UTC (Thu) by dw (guest, #12017) [Link]
I don't think such a scenario is far fetched at all.
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 17:19 UTC (Thu) by anton (subscriber, #25547) [Link]
I'd happily trust an electronic ballot if its source code and binaries were accessible, and the voting machine printed a hard copy signature based on my vote and the exact software version as recorded in the TXT state.A fine demonstration of the water-muddling aspect I mentioned:
How would you know that the software version on the voting machine corresponds to the available source code and binaries? The only way for you to be sure would be if you and only you held the keys that locked down the machine (and you would also need a way to know that the machine was not replaced with a lookalike, and that there is no hole in the lock-down mechanism). Otherwise this means that you just entrusted the vote to whoever holds the keys.
Apart from that, if the signature is based on your vote, you have just done away with the secret ballot.
I don't think such a scenario is far fetched at all.Unfortunately you are right. That is certainly one avenue that salespeople of voting machines will try to sustain their business model.
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 17:21 UTC (Thu) by tialaramex (subscriber, #21167) [Link]
As the people who have the key, the voting administration would in fact be the only people who'd decide this. Obviously such a system is useless if you give the key to people you don't trust, I can't believe I needed to write that explicitly.
treacherous computing for voting machines?
Posted May 21, 2009 19:24 UTC (Thu) by anton (subscriber, #25547) [Link]
As the people who have the key, the voting administration would in fact be the only people who'd decide this. Obviously such a system is useless if you give the key to people you don't trustSo you have replaced a system where any person can check that the votes are cast and counted correctly with one where we have to place blind trust in the voting administration. And if that was not bad enough, it's not the local administration that I had in mind, but some central agency (which makes any manipulation much more effective), and judging from the past, they will just delegate that power to the voting machine vendors.
Note that checking the casting and counting by any person was even possible in East Germany, as I recently heard in a 20-years-after documentation; a few people did that in a few precincts and got a result that had more votes against the ruling party than the official result for the whole country. This embarrassment for the ruling party and the election would not have happened with voting machines (locked-down or not).
#CONFIG_DRM_NONSENSE is not set
Posted May 21, 2009 12:49 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
I need to secure systems against _physical_ intrusion (i.e. someone walking-in and stealing the server). In essence, I need to do remote system integrity attestation.
Right now, I'm using a modified version of GRUB (trusted GRUB) to establish validity of the kernel (and I was flamed to a crisp when I offered to help to port it to GRUB2 on the GRUB mailing list :) ). TXT support in the kernel would help much.
#CONFIG_DRM_NONSENSE is not set
Posted May 22, 2009 0:18 UTC (Fri) by jamesmrh (guest, #31622) [Link]
http://theinvisiblethings.blogspot.com/2009/01/why-do-i-m...
#CONFIG_DRM_NONSENSE is not set
Posted May 22, 2009 0:46 UTC (Fri) by njs (subscriber, #40338) [Link]
Enabling DRM in the kernel?
Posted May 21, 2009 12:13 UTC (Thu) by freemars (subscriber, #4235) [Link]
Blu-ray encryption cracks appeared within a few months after the format was released into stores. The designers had anticipated this and had a mechanism in place to revoke keys. Will Intel (and/or Microsoft) be ready to brick a line of CPUs after someone pokes a hole in TXT?
Enabling DRM in the kernel?
Posted May 21, 2009 21:12 UTC (Thu) by nix (subscriber, #2304) [Link]
would be insane from a security POV: if Intel can brick your CPU, one
crack into the location where Intel stores their keys and crackers can
brick all such CPUs. (Wherever the keys were stored would be a high-value
target and might last as long as days before being cracked wide open. If
need be a bit of custom theft would be carried out: criminal organizations
would love this data.)
As Intel aren't insane, I doubt they'll ever implement such a hardware
kill bit in their CPUs or chipsets. Even if they somehow escaped lawsuits
it would be an absolute PR disaster.
Enabling DRM in the kernel?
Posted May 24, 2009 12:54 UTC (Sun) by ras (subscriber, #33059) [Link]
There are lots of uses this technology can be put to. I always think of the electricity meter in your house. Its a piece of the equipment on your property which you happily give up control over. You give it up the control because you like electricity. Ditto for a cable smart card, a SIM in your phone, your drivers license, your passport, the odometer in your car. All things you aren't allowed to tamper with.
When it comes to TXT, you would probably be happy to let you bank have a private corner on your computer in return for not charging you fees for small transactions. Perhaps you might like to give part of it to your favourite distro as a build machine. Maybe you want it to run P2P software will not allow snooping, and will only talk to valid copies of itself.
There are lots of good uses. Sadly there are also lots of nasty uses as well. We do live in interesting times.
reason to fork the kernel ?
Posted May 21, 2009 12:25 UTC (Thu) by copsewood (subscriber, #199) [Link]
The kind of DRM support one kernel could provide can't fully support both sides of this war, in my view. If so, the solution may have to involve forking it. GPL3 enables DRM to be included but requires the end user to be provided with a copy of the keys, so the end user can still benefit from DRM, e.g. by helping secure their system for purposes agreed with by the end user, while retaining freedom to change things when and as required. GPL2 enables DRM to be included where no such requirement exists and freedoms to modify and study previously intended through the GPL license can be barred.
The problem will be with those intending to develop a GPL3 fork having to start pretty much from scratch based on parts of the kernel for which contributors are willing to make contributions available under GPL3 only, or BSD, or public domain or dual licensing compatible with the GPL3.
Enabling DRM in the kernel?
Posted May 21, 2009 13:03 UTC (Thu) by fritsd (guest, #43411) [Link]
Think about it: Hollywood could start selling "special-purpose video watching computers", medical companies could sell "special-purpose locked-down ISO-13485 compliant medical devices" but at least you'd know what you're buying.
At this moment, the purchase of a general purpose computer carries the unwritten assumption that this computer is for your own use and that you can do with it what you want (as long as you don't break any laws).
Voting computers are just a really, really bad idea in general, IMHO:
http://wijvertrouwenstemcomputersniet.nl/English
Enabling DRM in the kernel?
Posted May 21, 2009 16:11 UTC (Thu) by copsewood (subscriber, #199) [Link]
Enabling DRM in the kernel?
Posted May 22, 2009 5:13 UTC (Fri) by eru (subscriber, #2753) [Link]
Think about it: Hollywood could start selling "special-purpose video watching computers"Hmm, isn't this already done? They are called "DVD players" (or "Blu-ray players"). Theoretically hardware, but much of the functionality in them is really implemented by a computer and software. The Blu-ray system even requires the player to be able to run Java bytecode programs from the disc, and some players include networking.
Enabling DRM in the kernel?
Posted May 23, 2009 16:16 UTC (Sat) by DusteD (guest, #49423) [Link]
TXT could lead to much evil, even if it's optional. I could imagine non-free drivers that required TXT functionality to be enabled in order for them to be installed.
It does not make the kernel faster or better, throw it away.
Enabling DRM in the kernel?
Posted May 29, 2009 0:59 UTC (Fri) by iamblue (guest, #58623) [Link]