ThinkWiki - User contributions [en]

Embedded Security Subsystem

2005-07-21T20:15:14Z

H: /* Linux Support */

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;" | [[Image:ESS.jpg|IBM Embedded Security Subsystem]] __NOTOC__
|style="vertical-align:top" |
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;">
=== The Embedded Security Subsystem ===
The Embedded Security Subsystem is nothing but a chip installed on the Thinkpads mainboard that can take care of certain security related tasks conforming to the TCPA standard. It was first introduced among the T23 models and is now under the name Embedded Security Subsystem 2.0 an integral part of most of the modern Thinkpads. The functions of the chip are bound to three main groups:
* public key functions
* trusted boot functions
* initialization and management functions

The purpose of the whole thing is to keep the users sensitive data out of range from software based attacks (like viruses, internet attacks etc.). One way the chip offers to achieve this is by providing storage for keys along with the neccessary functions to handle them within itself, so that a i.e. a private key never has to leave the chip (can't be seen by any piece of software). Besides this there are more complex topics covered by the functionality of the chip. If you want to find out more about it you can find good documents on the [http://www.research.ibm.com/gsal/tcpa/ IBM Research TCPA resources page].</div>
|}

==Trusted or Treacherous?==

TC - Trusted Computing - will be the biggest change of the information landscape since decades. Besides positive features like a more secure hardware storage for cryptographic keys, an analysis of the proposed TCG-standards shows some problematic properties. <br />
As Thinkpads of recent generations following the Thinkpad T23 ([[Embedded Security Subsystem#Models featuring this Technology|see the complete list of models]]) are equipped with this disputed TCG-/TCPA-Technology, it can be interesting, which promises of the TCG are fulfilled inside your ThinkPad and which parts of the TCG-specifications still seem to be a privacy issue for every user of digital devices like a MP3-player or a ThinkPad - so please read [[TCPA/TCG - Trusted or Treacherous|this article]] for more details.

==Linux Support==
Two linux drivers are available, a [[tpm|classical one]] and a [[tpmdd|newer one]].
Coverage of functionality of the first is unknown so far, the second is part of a bigger project aiming to provide a usable security framework.

David Stafford (one of the developers of the tpm code at IBM) on March 10, 2005 sent me the most recent version of the tpm-kml code. With his permission, I quote his email:

"I am attaching our latest driver and library.
This version is in the process of kernel mailing list review, and
will hopefully be accepted into the official kernel. It works
much better across various 2.6 kernels. Note that this builds
three modules tpm, tpm_atmel, and tpm_nsc. You modprobe the
tpm_atmel (for all current shipping atmel based systems), or
tpm_nsc (for the coming national based systems).

Also note that there is a conflict with the snd-intel8x0
kernel module (they each try to grab the LPC bus). You can
either: load the tpm modules first (such as in initrd or
rc.sysinit, before sound), or recompile the snd-intel8x0, turning
off the MIDI and JOYSTICK support. The latest 2.6.11 version
of snd-intel8x0 also reportedly fixes things."

Compiling this library was easy. Compiling the driver on my 2.6.8-686 (debian testing) laptop failed. But the library works with the driver I compiled from the tpm-2.0 package IBM made available on its pages (see the links below).

Gijs

The T43 requires a patch posted to the LKML by Kylene Jo Hall: [http://marc.theaimsgroup.com/?l=linux-kernel&m=111884603309146&w=2 LKML posting]. An updated patch for linux 2.6.12 is available [http://shamrock.dyndns.org/~ln/linux/tpm_2.6.12.diff here].

The atmel driver comes with 2.6.12.

==Versions & Features==
=== Embedded Security Chip ===
IBM introduced it's TCPA/TCG features with some of the [[:Category:T23|T23]] models. The earlier of them didn't yet have the Embedded Security Subsystem, but a kind of pre 1.0 version called the Embedded Security Chip. This chip had the following capabilities:
*Data communications authentication and encryption
*Storage of encrypted passwords

=== Embedded Security Subsystem (1.0) ===
The original Embedded Security Subsystem (in IBM documents there is no use of the additive version-number 1.0) claims to be compliant with TCG specs, but apparently did not fully implement any specific TCG spec.

The Embedded Security Subsystem has the following features:
*hardware key storage
*multi-factor authentication
*local file encryption
*enhances VPN security

=== Embedded Security Subsystem 2.0 ===
The Embedded Security Subsystem 2.0 conforms to the TCG TPM 1.1b specification, with a TPM manufactured by either Atmel or National Semiconductor.

The Embedded Security Subsystem 2.0 has the following features:
*hardware key storage
*multi-factor authentication
*local file encryption
*enhances VPN security
*TCG compliant

==Models featuring this Technology==
===IBM Embedded Security Chip===
*ThinkPad {{T23}}
===IBM Embedded Security Subsystem===
*ThinkPad {{A30p}}
*ThinkPad {{R31}}
*ThinkPad {{T23}}, {{T30}}
*ThinkPad {{X22}}, {{X23}}, {{X24}}
===IBM Embedded Security Subsystem 2.0===
*ThinkPad {{R32}}, {{R40}}, {{R50}}, {{R50p}}, {{R51}}, {{R52}}
*ThinkPad {{T40}}, {{T40p}}, {{T41}}, {{T41p}}, {{T42}}, {{T42p}}, {{T43}}, {{T43p}}
*ThinkPad {{X30}}, {{X31}}, {{X32}}, {{X40}}, {{X41}}, {{X41T}}
[[Category:Glossary]]

==TCPA/TCG clean models==
*all models produced before 2000
*all i Series models
*ThinkPad [[:Category:240X|240X]]
*ThinkPad [[:Category:A20m|A20m]], [[:Category:A20p|A20p]], [[:Category:A21e|A21e]], [[:Category:A21m|A21m]], [[:Category:A21p|A21p]], [[:Category:A22e|A22e]], [[:Category:A22m|A22m]], [[:Category:A22p|A22p]], [[:Category:A30|A30]]
*ThinkPad [[:Category:T20|T20]], [[:Category:T21|T21]]
*ThinkPad [[:Category:X20|X20]], [[:Category:X21|X21]], [[:Category:X22|X22]]
*ThinkPad [[:Category:TransNote|TransNote]]

==External Sources==
*[http://www.pc.ibm.com/us/think/thinkvantagetech/security.html IBMs ThinkVantage<sup>TM</sup> Technologies Embedded Security Subsystem page]
*[http://www.pc.ibm.com/presentations/us/thinkvantage/56/index.html?shortcut=ess& IBMs ThinkVantage<sup>TM</sup> Technologies Flash presentation - Embedded Security Subsystem]
*[http://www.research.ibm.com/gsal/tcpa/ IBM Research TCPA resources page]
*[http://www.prosec.rub.de/trusted_grub.html Trusted Grub]

How to make use of Dynamic Frequency Scaling

2005-07-21T20:03:29Z

H: /* using the sys interface */

===general===
Linux supports Dynamic Frequency Scaling for ThinkPads with mobile Pentium III, Pentium 4 and Pentium M processors.

===configuring the kernel===

====2.4 kernels====
Todo...

====2.6 kernels====

You need to enable the cpu frequency scaling for your kernel (usually your distros kernel will have this enabled):
CONFIG_CPU_FREQ=y

You need to load enable governors, if not already done in your distros default kernel:
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=y
CONFIG_CPU_FREQ_GOV_USERSPACE=y

Since 2.6.10 there is the ondemand governor that does cpu frequency scaling in kernel so you dont need userspace programs like powernowd etc.
It can be enabled with:
CONFIG_CPU_FREQ_GOV_ONDEMAND=y

*If you have a Coppermine-piix-smi based Thinkpads like from the A2x, X2x and T2x series you need to enable the <tt>speedstep-ich</tt> driver in the kernel and load it if it's built as module. You might want to look at [[How to get SpeedStep working on Coppermine-piix4-smi based Thinkpads | this page]].

*If you have a p4-class celeron based Thinkpad like the R40e you might want to look at [[How to get SpeedStep working on P4-class-Celeron based Thinkpads | this page]]

===using the sys interface===

The files in {{path|/sys/devices/system/cpu/cpu0/cpufreq/}} provide information and a means of controlling the frequency scaling subsystem.
Seed values are given in Khz. You need to be root to access the /sys filesystem.

Your max speed is at {{path|/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq}}.
:{{cmdroot|cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq}}
:{{cmdresult|700000}}
Your min speed is at {{path|/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq}}.
:{{cmdroot|cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq}}
:{{cmdresult|500000}}
You can write to {{path|/sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed}} to change the current speed.
:{{cmdroot|echo 700000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed}}
:{{cmdroot|cat /proc/cpuinfo | grep "cpu MHz"}}
:{{cmdresult|cpu MHz : 697.252}}
:{{cmdroot|echo 900000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed}}
:{{cmdroot|cat /proc/cpuinfo | grep "cpu MHz"}}
:{{cmdresult|cpu MHz : 976.152}}

====using the sys interface with scaling gouvernors====

You can compile the scaling gouvernours into your kernel or compile it as module. You'll find the gouvernors with 'make menuconfig' here:
: Power managemant options (ACPI, APM) --->
:: CPU Frequency scaling --->

If the new kernel is booted, you can see with (as root)
:{{cmdroot|cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors}}
:{{cmdresult|conservative ondemand powersave userspace performance}}
what gouvernors are available.

A Short Overview over the available gouvernors:
# ondemand
#* This driver is a dynamic cpufreq policy governor. It changes Frequenzy based on the processor load.
# conservative
#* New since 2.6.12. Similar to ''ondemand''. Optimized for battery powered environments and AMD64.
# powersafe
#* Like the name says, your battery would choose this one ;). It sets the Frequency always to the lowest available.
# userspace
#* You have to choose this one, if other programs should manage your CPU Frequency.
# performance
#* This gouvernour sets your Frequency always to the highest available.

Now we set our gouvernor:
What is our current governor?
:{{cmdroot|cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor}}
:{{cmdresult|userspace}}
Set new gouvernor and watch if it has changed
:{{cmdroot|echo conservative > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor}}
:{{cmdroot|cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor}}
:{{cmdresult|conservative}}

Congrats! Your gouvernor is active.

I set the gouvernor in my rc.local.

===configuring SpeedStep daemons===

Don't forget to enable the userspace governor to have a userspace daemon do the frequency scaling. If it is built as module, load it as <tt>cpufreq-userspace</tt>.
Note that since 2.6.10, there is also the ondemand governor in the kernel, which replaces any userspace daemon for cpu scaling and works very well.

There are plenty of userspace frequency scaling daemons available:

*[[How to configure cpufreqd | cpufreqd]]
*[[How to configure cpudynd | cpudynd]]
*[[How to configure speedfreqd | speedfreqd]]
*[[How to configure powersaved | powersaved]]
*[[How to configure powernowd | powernowd]]
*[[How to use cpufrequtils | cpufrequtils]]

[[Category:570E]] [[Category:600X]] [[Category:A20m]] [[Category:A20p]] [[Category:A21e]] [[Category:A21m]] [[Category:A21p]] [[Category:A22e]] [[Category:A22m]] [[Category:A22p]] [[Category:G40]] [[Category:G41]] [[Category:R30]] [[Category:R31]] [[Category:R32]] [[Category:R40]] [[Category:R40e]] [[Category:R50]] [[Category:R50e]] [[Category:R50p]] [[Category:R51]] [[Category:R52]] [[Category:T20]] [[Category:T21]] [[Category:T22]] [[Category:T23]] [[Category:T30]] [[Category:T40]] [[Category:T40p]] [[Category:T41]] [[Category:T41p]] [[Category:T42]] [[Category:T42p]] [[Category:T43]] [[Category:T43p]] [[Category:X20]] [[Category:X21]] [[Category:X22]] [[Category:X23]] [[Category:X24]] [[Category:X30]] [[Category:X31]] [[Category:X32]] [[Category:X40]] [[Category:X41]] [[Category:X41 Tablet]]