Before you read this, you should know that I am not a security researcher. I am not an expert. But I have recently been reading many articles on the web and attending talks by both experts and non-experts on the topic of trusted computing, and found that the articles were often either unclear or deliberately misleading. This is understandable -- some of the applications of trusted computing are decidedly political in nature. But many people seem to be confusing TCPA and Palladium with each other, and they are not the same. Here is my take on the technical differences between them.
Recently I have become interested in the idea of trusted computing. Trusted computing is about delegation of trust: currently, if I own a computer, I can (with sufficient time and skill) examine all of the software that runs on it, figure out how it works, and potentially change how it works. In effect, I have complete control over the programs in my computer, and hence anyone who gives me a program to run or data to use has to assume that I can do whatever I want with it once it is on my computer.
But what if this flexibility is a liability? There are many cases where someone wants to give you something, with restrictions: for example, your friend wants to give you a goofy photo of himself, but doesn't want you to post it on your web site. If he could somehow restrict which programs you could load the photo with, he could allow you to view it, but perhaps not upload it to your web server. Note that all trusted computing does is prevent you from uploading this data easily: you can still take a digital photo of your screen while the image is displayed and upload that, or if you are technically sophisticated you could use a logic analyzer to read the unencrypted bits off of your CPU's memory bus. (More compelling arguments can be made for trusted computing in video games and mass-media distribution, but deciding exactly what restrictions are placed on content and when they are applied becomes a charged political rather than a technical argument.)
A trusted computer allows you to delegate trust: you can assure someone else that you are running the exact program they gave you, unmodified, and unaffected by other software that you happen to be running on the machine. The program that they gave you can then manipulate sensitive data without the worry that some other program on your computer may be copying that data to another file, changing the data, or somehow messing with the results of the program's computation. The "other" program may be something that you want to run, such as a debugger or a file copying routine, or it may be something you did not want to run, such as a virus or trojan horse.
Both TCPA and Palladium are mechanisms designed to implement trusted computing. Both can have similar uses, but their design goals and implementation are quite different. This is what I would like to address here.
TCPA (the Trusted Computing Platform Alliance) is a design proposed by a consortium of hardware manufacturers. As such, it appears to have the primary design goals of minimizing the changes to hardware required, and minimizing the amount of hardware required.
It works like this: when you turn on the computer, the CPU first starts to run the code stored in your BIOS. When that code tries to load the operating system, a TCPA-enabled BIOS would check to see if the operating system supports TCPA. If so, then the BIOS would verify that the operating system has not been tampered with by the end user (using a cryptographic hash), and possibly decrypt the operating system using a cryptographic key. This means that the inner workings of this initially booted operating system cannot be changed or examined by the end user (assuming the end user is not able to break into the BIOS and steal the keys). The operating system can then do whatever it wants (such as load other pieces of the operating system, or launch programs) knowing that, when it was initially loaded, it was in a "known state". If the operating system is carefully designed, it can then guard its own set of cryptographic keys from the prying eyes of the end user, and use those to load applications in a secure mode as well.
The key feature of TCPA is that it only requires a secure boot process: once control is handed over to software, the software is entirely responsible for maintaining security. The TCPA hardware is a fairly small piece of simple hardware to add to today's PCs, and as a result of this IBM has already created laptops with TCPA support, and AMI just announced a BIOS with TCPA support.
Unfortunately, TCPA places a lot of demands on the software. If the kernel runs in a single address space, all of it has to be trusted not to tell the end user about any secret keys that are hidden inside of it. This may include things such as device drivers, which often are produced by people other than the original operating system developers. Developing such an operating system is hard: a good design would try to minimize the amount of code that can actually access the keys, which minimizes the amount of code that has to be security audited. Retrofitting a truly secure TCPA subsystem into an existing monolithic-kernel operating system would probably be quite difficult. Because of this, in the near future TCPA hardware will probably only be used in small custom-application operating systems, and not in existing general-purpose operating systems like Windows or Unix.
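To make the "known state" idea concrete, here is a small Python model of a TCPA-style verified boot, added as an illustration; it is not part of the original article, not the TCPA specification, and not any vendor's code. Each boot stage is hashed into a running measurement register, and the key the hardware hands to the OS is derived from the hardware's secret and that measurement, so an OS image the end user has patched boots into a different state and simply cannot unseal the data that was sealed to the good state. The hardware secret, the stage images and the sealed data are all constructed values, and the stream cipher built from SHA-256 in counter mode is there only to keep the example self-contained.

```python
"""Simplified model of a TCPA-style verified boot with key sealing.
Constructed example; not the TCPA specification or any vendor's code."""
import hashlib
import hmac

# Hypothetical secret held inside the TCPA hardware; the model assumes the
# end user cannot read it out (constructed value).
HARDWARE_SECRET = b"constructed-hardware-root-secret"

# Constructed stand-ins for the boot stages (BIOS, OS loader, kernel).
BIOS = b"bios-v1"
LOADER = b"os-loader-v1"
KERNEL = b"kernel-v1"
KERNEL_PATCHED = b"kernel-v1-with-end-user-patch"


def measure(register: bytes, image: bytes) -> bytes:
    """Extend a measurement register: new = H(old || H(image)).
    Order matters, so the final value records the whole boot sequence."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()


def boot_measurement(stages) -> bytes:
    """Run the chain: each stage is measured before control passes to it."""
    register = b"\x00" * 32
    for image in stages:
        register = measure(register, image)
    return register


def hardware_key(measurement: bytes) -> bytes:
    """What the hardware hands the OS: a key derived from its secret and the
    measured boot state. A different boot sequence yields a different key."""
    return hmac.new(HARDWARE_SECRET, measurement, hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """PRF-based keystream (SHA-256 in counter mode); illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, so a wrong key is detected instead of yielding garbage."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match the blob."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # booted into a different state: key does not match
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def provision(stages, secret_data: bytes) -> bytes:
    """At install time, seal data to the expected (known-good) boot state."""
    return seal(hardware_key(boot_measurement(stages)), secret_data)


def boot_and_unseal(stages, blob: bytes):
    """At boot time, the OS gets whichever key matches what actually booted."""
    return unseal(hardware_key(boot_measurement(stages)), blob)


if __name__ == "__main__":
    blob = provision([BIOS, LOADER, KERNEL], b"content-decryption-key")
    print(boot_and_unseal([BIOS, LOADER, KERNEL], blob))          # b'content-decryption-key'
    print(boot_and_unseal([BIOS, LOADER, KERNEL_PATCHED], blob))  # None
```

The point of deriving the key from the measurement rather than checking the hash and then handing over a fixed key is that there is no "yes/no" decision for a patched kernel to skip: the wrong boot state never produces the right key at all. The model also shows why the software side matters, as the article says: once `hardware_key` has returned, everything that can read that value (the whole single-address-space kernel, drivers included) has to be trusted not to leak it.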
Palladium is a design proposed by Microsoft. Unlike TCPA, it is much more liberal in proposing hardware extensions, while trying to minimize changes to the operating system. Palladium is designed based on the pragmatic assumption that you can't redesign the operating system from the ground up to support trusted computing, and instead trusted computing must be run as a module under an existing, relatively unmodified operating system (such as Windows). Also, since TCPA is a relatively simple hardware specification, it already exists. Palladium is still an evolving design, and so what I say here is subject to change...
A computer with Palladium support will boot Windows just like today's computers. Once booted, it can run all of today's software without any change. If you want to use the Palladium support, the operating system has to load in the Palladium subsystem. It does this by loading a small security kernel called the Nexus. The Nexus is responsible for loading in Palladium enhanced programs, and for moderating all communication between these programs and the non-Palladium world.
To load the Nexus, the operating system invokes special hardware: this hardware verifies that the Nexus has not been tampered with (using a BIOS routine), starts it running, and makes sure that the rest of the operating system and applications (which are not secure) cannot tamper with the operation of the Nexus or the applications run under the Nexus. Note that this requires changes to the CPU: the CPU has to be able to isolate the Nexus from the influence of the main OS kernel, in a similar way to how the OS kernel usually isolates itself from the execution of user applications. The OS kernel must not be able to read or write the private memory of the Nexus (a concept Microsoft calls curtained memory), so that the Nexus can maintain its integrity.
Also, the Nexus does not fully trust any of the software in the rest of the system: this includes the OS kernel, the device drivers, and any applications run outside of the Palladium subsystem. If a program wants to get input from the end user, it creates an encrypted tunnel to the keyboard hardware (since it doesn't trust the keyboard driver not to sniff keystrokes, the encryption must go all the way through to the keyboard hardware itself). If the program wants to display output on the screen without risking other programs observing that output, it must use an encrypted tunnel through the OS to the video hardware.
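The keyboard tunnel described above, modelled in Python as an added example; this is not Microsoft's design or code and not part of the original article. The keyboard hardware and the Nexus application are the two trusted endpoints, and the OS keyboard driver sits between them as an untrusted relay. Each keystroke is sent as a numbered record, encrypted with a per-record pad and authenticated with an HMAC, so the driver sees only ciphertext, and a driver that modifies or replays a record is caught by the Nexus side. The shared session key, how it was established, and the record format are all assumptions of the model.

```python
"""Model of a Palladium-style encrypted tunnel from keyboard hardware to a
Nexus application, relayed by an untrusted OS keyboard driver.
Constructed example; not Microsoft's design or code."""
import hashlib
import hmac

# Assumption: the keyboard hardware and the Nexus already share a session key
# set up by the trusted hardware (how is out of scope); constructed value.
SESSION_KEY = b"constructed-keyboard-nexus-session-key"
TAG_LEN = 16
SEQ_LEN = 8


class KeyboardHardware:
    """Trusted endpoint: encrypts and authenticates each keystroke record."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def press(self, char: str) -> bytes:
        msg = char.encode()
        seq_b = self.seq.to_bytes(SEQ_LEN, "big")
        # Per-record pad derived from the session key and sequence number;
        # a record is a single keystroke, well under the 32-byte pad.
        pad = hmac.new(self.key, b"pad" + seq_b, hashlib.sha256).digest()
        ct = bytes(m ^ p for m, p in zip(msg, pad))
        # MAC covers the sequence number too, so reordering is detected.
        tag = hmac.new(self.key, seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.seq += 1
        return seq_b + ct + tag


class UntrustedDriver:
    """The OS keyboard driver: forwards records, modelled as possibly hostile."""

    def __init__(self, behaviour: str = "honest"):
        self.behaviour = behaviour
        self.seen = []  # everything a sniffing driver could log

    def forward(self, record: bytes) -> bytes:
        self.seen.append(record)
        if self.behaviour == "tamper":
            r = bytearray(record)
            r[SEQ_LEN] ^= 0x01  # flip one bit of the ciphertext byte
            return bytes(r)
        if self.behaviour == "replay":
            return self.seen[0]  # keep re-sending the first keystroke
        return record


class NexusApp:
    """Trusted endpoint: verifies, orders and decrypts records."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0
        self.typed = ""
        self.rejected = 0

    def receive(self, record: bytes):
        seq_b, ct, tag = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.key, seq_b + ct, hashlib.sha256).digest()[:TAG_LEN]
        seq = int.from_bytes(seq_b, "big")
        if seq != self.expected_seq or not hmac.compare_digest(expected, tag):
            self.rejected += 1  # modified, replayed or out-of-order record
            return None
        pad = hmac.new(self.key, b"pad" + seq_b, hashlib.sha256).digest()
        char = bytes(c ^ p for c, p in zip(ct, pad)).decode()
        self.expected_seq += 1
        self.typed += char
        return char


def type_through(text: str, behaviour: str = "honest"):
    """Type `text` via a driver with the given behaviour; return what the
    Nexus app accepted, how many records it rejected, and the driver's view."""
    kb = KeyboardHardware(SESSION_KEY)
    drv = UntrustedDriver(behaviour)
    app = NexusApp(SESSION_KEY)
    for ch in text:
        app.receive(drv.forward(kb.press(ch)))
    return app.typed, app.rejected, drv.seen


if __name__ == "__main__":
    for mode in ("honest", "tamper", "replay"):
        typed, rejected, seen = type_through("pin1234", mode)
        print(mode, repr(typed), rejected, [r.hex() for r in seen])
```

Two things the model makes visible that the paragraph only states: the driver's log (`seen`) contains sequence numbers, ciphertext and tags but never a plaintext keystroke, and the Nexus side rejects a tampered record outright rather than displaying a wrong character, which is why the tunnel has to terminate in the keyboard hardware itself and not in the driver.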
What does this mean? It means that with Palladium, you don't have to redesign your OS from the ground up. But since you don't trust the majority of the operating system, you have to change the design of the CPU, BIOS, keyboard, video card, and sound card to allow programs to run and communicate with the end user in a secure fashion. I am not convinced that this is necessarily a better solution than TCPA, but it is certainly more palatable to people with a large investment in legacy software.