Seagate: The Hard Drive, Reconsidered

Relocating the Root of Trust
The principle of the Trusted Computer, as the Trusted Computing Group defines it, is actually in effect now. In fact, Intel is certifying the technology with which system builders can produce Trusted Platform Module (TPM)-equipped systems today, under its vPro logo. AMD's implementation of the TCG specification is called Secure Execution Mode (SEM), though it hasn't yet organized a promotional program around the idea.
Meanwhile, Microsoft's nearly notorious version, once code-named "Palladium," is now embodied in a kind of silver cloud of uncertainty called the Next-Generation Secure Computing Base (NGSCB). The state of that program is perhaps best exemplified by its official Microsoft home page, whose own title bar, you'll note, confuses NGSCB with another initiative entirely.
BetaNews spoke with Dr. Michael Willett, senior director of Seagate Research, at some length about Seagate's work with the TCG. About Intel's, AMD's, and Microsoft's implementations thus far, Dr. Willett noted, "All three share the concept that you have these enclaves of hardware that do sensitive computing. You connect to these sensitive enclaves inside an otherwise inherently insecure larger system. So you drop your sensitive computing down to a piece of hardware when the sensitive computing is needed, and then you interconnect these little enclaves, or islands of trust, for their own purposes, through secure messaging. Then they contribute back to the larger environment, because they all recognize that an open platform software environment is inherently insecure. It's where all your attacks are occurring. So it's in everyone's strategy to do this."
In other words, there are TPMs in a great many computers today, quite possibly in yours. A TPM's sole purpose is to sit alongside the CPU and make itself available for validating cryptographic certificates, while remaining neither addressable from nor accessible to the network. With a TPM in place, hardware on the platform and software in the operating system rely on each other's presence to authenticate each other's processes. The multiplicity of these so-called "trusted components" is one key to their reliability.
In a way, that's the problem: the TPM's proximity to the CPU. While there's no way to hack a TPM because it's not open to the network, one can (theoretically) hack a CPU to make it "believe" it's communicating with the TPM when it's not. So while you can trust the TPM, you can't necessarily trust the CPU to always behave as though it's trusting the TPM.
Dr. Willett is one of Seagate's principal liaisons to, and a leading authority within, the TCG Storage Workgroup. Its original mission was to establish a protocol for trusted communications between the computer platform and storage devices ("SDs," to use the TCG term). But that mission soon became somewhat broader, as the workgroup discovered after compiling a set of about 50 "use case scenarios" for TCG models that include SDs.
Seagate's implementation of the Trusted Platform, which includes its solution to the TPM placement problem, is called DriveTrust, and was formally unveiled last month.
"We looked at the environment of a storage device and a peripheral device in general," Dr. Willett told us. "What we found was that...a peripheral device typically is a more guarded, protected, and closed system, by its very nature, than a platform, like a laptop, PC, or server. [These platforms] are all designed as totally open platforms with software operating systems, lots of APIs for writing applications. That's the good part; the bad part about a platform is, all the APIs and all that openness - and, by the way, all that software - makes it very vulnerable to the whimsy and attack of viruses and all sorts of things. Sort of a push/pull situation."
"We have a contrary situation with the storage device, especially a hard drive," Dr. Willett continued. "The only injuries to a drive are [caused by] the read/write mechanism to the memory itself. There's no external access to the processing and the hidden memory inside the drive. All that is totally closed to the outside world. We have a couple hundred megs of hidden memory in the hard drive set aside that isn't even addressable from the platform, the outside world. So we take advantage of that hidden memory to do the function of the drive itself. And there's a full-blown computer in there too; we have ARM processors and very complicated processors that run the daily business of the drive."
It becomes very tempting to suggest that the hard drive's closed nature makes it the perfect location for a TPM chip - more so than the motherboard. There are problems with that idea, though, one of which culminates in something like Seagate's version of the Heisenberg Uncertainty Principle: by opening up the sarcophagus to add the TPM, you lose the virtue of its closed design.
As Dr. Willett remarked, "One reason we don't have a TPM chip in there is because the abstract properties of a TPM chip are immutability and a high degree of protection. On an open platform, we get [these virtues] from a piece of hardware, like a chip." Furthermore, a TPM is by design a passive device, initiating no functions on its own - if it did, its very addressability could lead to it being spoofed. A storage device, by contrast, is completely dependent on the platform: it must be addressable, otherwise it can't function.
So while you might think this would disqualify the hard drive from becoming a trusted component, the TCG Storage Workgroup came up with an altogether different proposal: "In a closed storage device like a hard drive, we can, in a sense, emulate that same immutability and protection [using] just the innate properties of the drive itself."
What Dr. Willett is referring to is a trusted software stack that emulates the primary functions of a TPM in software, which is then run by the drive controller. "Once you're up and connected," he explained, "then it's a multi-component, trusted system. You want to then think of the storage device as providing kind of a general-purpose security environment. It's like a protected enclave in hardware. It sits behind a privileged set of commands called Trusted Send / Trusted Receive, that have been internationally standardized by SCSI and ATA."
What he means is that the SCSI and ATA protocols have already been extended with internal drive commands that rely on the trusted software stack to certify the reliability of read and write operations. This isn't something projected for some far-off future; it's happening now. What happens next is that these same commands will be leveraged to let TCG operations take place inside the hard drive, completely secluded from both the system BIOS and the operating system, while performing the functions of a TPM chip.
"So if you're a banking application," Dr. Willett supposed, "and you want a digital signature performed in a highly protected environment, not just in software, you could invoke the signature function on the drives to do [that] for you. If you want to store a piece of medical information in a very privileged, normally non-addressable position in the drive, only accessible through Trusted Send/Receive, then you could store a credential in the privileged storage location in the drive. You could take advantage, in other words, of the whole security set of functions on the drive as an application. So what you're getting is more reliable, trustworthy, more closed, naturally virus-proof. Nothing else can get in the drive."
Next: Who benefits, and how soon?