 Winstep Forums


 Post subject: What REALLY is a TPM and why is Windows 11 demanding it?
PostPosted: Fri Apr 29, 2022 10:50 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 11927
As everyone knows by now, in order to run Windows 11 you need a system that supports TPM (Trusted Platform Module).

This enforcement from Microsoft alienated a very large proportion of Windows users that are still running older systems. Microsoft must have known this, but it went ahead with this requirement anyway. It must have had some VERY strong reasons.

Personally I think this has very little to do with security, and more to do with Microsoft's long wet dream of turning Windows into a closed garden (where you can only run what is allowed by/sold through Microsoft), and/or a service where you RENT the OS for a monthly fee instead of buying it.

TPM would allow Microsoft to remotely validate software, thus deciding what is allowed to run and what is not.

Anything you install on your PC would have to be approved by them and be downloaded from their Windows Store (netting them 30% a pop for ALL software) - much like it happens now with Android phones. Microsoft tried this with Windows 8 and UWP apps and it (thankfully) failed. We would see people having to jailbreak their PCs, much like they now jailbreak their phones, in order to run non-authorized software.

There is another mostly unknown risk of enabling TPM on a PC: if you encrypt your hard drive via BitLocker, the crypto key is stored in the TPM chip itself. If your motherboard fails or you switch to another motherboard (even if it is the same brand and model) and you don't have a backup, you can wave bye-bye to all your data.

Anyway, one of the best explanations of TPM and what it does that I have ever read was by a user nicknamed Forest in a StackExchange post HERE (please click the link to see the original post).

Below is a copy of his original post (the text in bold is a reference to the question asked); I hope the author doesn't mind that I paste his response here:

Do TPM's benefits outweigh the risks?

It depends on your threat model. A TPM has multiple purposes, but the most common purpose is measured boot. That is, a TPM will verify the integrity of the BIOS, option ROMs, bootloader, and other sensitive boot components so that it is able to detect an evil maid attack or modified firmware. If your threat model includes an adversary which is able to modify firmware or software on your computer, a TPM can provide tamper-evidence to ensure that it will not go undetected.

So how does a TPM work? It's actually pretty simple when you get down to it. The TPM measures the hashes of various firmware components* and stores the hashes in registers called PCRs. If the hashes all match a known value, the TPM will unseal, allowing itself to be used to decrypt arbitrary data. What data it decrypts is up to you. Most commonly, it is part of the disk encryption key. Unless every piece of firmware and boot software has the correct hash, the TPM will not unseal and the encryption key will not be revealed. TPMs can be used for a lot more, but the idea is the same.

* Technically, the TPM is passive and cannot actively read firmware, bootloaders, or other data. Instead, a read-only component of the BIOS called the CRTM sends a hash of the BIOS to the TPM, starting the chain of trust. This component is read-only to ensure that a modified BIOS cannot lie to the TPM about its hash.

So is TPM worth it or is it just an unnecessary potential point of failure? Would my security and privacy be safer if I didn't use a computer with TPM at all? Full disk encryption with VeraCrypt sounds safe enough even for the most illegal use cases (NSA-proofed).

Remote attestation is not something you will likely need to use. It is however not at all unsafe. All it does is allow a remote device to prove to the appraiser that the firmware and software it is running matches a known-good hash. It does not allow remotely controlling the machine. It is up to the OS to do the remote connections and send the data to the TPM. The TPM itself isn't even aware that it is being used for remote attestation. In fact, remote doesn't even have to mean over a network. There are very clever implementations that use a TPM to remotely attest the computer's state to a secure USB device! There are no privacy issues with a TPM's unique private key either due to a TPM's ability to sign things anonymously using DAA, or Direct Anonymous Attestation.

Let's go even further and assume the TPM is not only useless, but downright malicious. What could it do then? Well, nothing really. It lacks the ability to send the so-called LDRQ# signal over the LPC bus which is necessary to perform a DMA attack. The only thing it could do is say "everything is OK" when in reality the firmware has been tampered with. In other words, the worst a malicious TPM could do is pretend it doesn't exist, making a malicious TPM no worse than no TPM.

It is completely possible to safely remove the TPM from the motherboard. There is nothing that requires it be there. If it is not present, you will simply not be able to verify a chain of trust to be sure that firmware has not been tampered with. Note however that many modern CPUs have an integrated TPM, but it can be easily disabled, with the same results as removing the physical one. Note that some newer versions of Windows do require a TPM's presence in order to secure the boot process. If the TPM is removed, you may need to modify the OS and UEFI settings so it no longer requires it.

In the section on the bottom, it mentions some criticisms of TPM such as remote validation of software - the manufacturer, not the user, decides what can be run on the computer. This sounds scary.

The worry is that, in the future, manufacturers might use the TPM to prevent you from making sensitive modifications to your system. By default, a TPM will obey only its owner. If you tell a TPM that the current state of the system is known-good, it will always check to make sure the system is in that state. If an evil manufacturer sets the TPM to believe that a known-good state is one where malicious DRM and other rights-restricting software is enabled, then we have a problem. For current TPMs, it's entirely up to you to decide what software you want to run! They don't restrict your rights.

Another criticism is that it may be used to prove to remote websites that you are running the software they want you to run, or that you are using a device which is not fully under your control. The TPM can prove to the remote server that your system's firmware has not been tampered with, and if your system's firmware is designed to restrict your rights, then the TPM is proving that your rights are sufficiently curtailed and that you are allowed to watch that latest DRM-ridden video you wanted to see. Thankfully, TPMs are not currently being used to do this, but the technology is there.

The upshot is that a TPM can prove both to you locally, and to a remote server (with the OS handling the networking, of course) that your computer is in the correct state. What counts as "correct" hinges on whoever owns the TPM. If you own the TPM, then "correct" means without bootkits or other tampering. If some company owns the TPM, it means that the system's anti-piracy and DRM features are fully functional. For the TPMs in PCs you can buy today, you are the owner.

###

Once again, the link to the original question on StackExchange and the reply by user Forest is HERE.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


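To make the measured-boot and sealing mechanism described in the quoted answer concrete, here is a toy simulation (added here; it is not the author's code and not a real TPM interface): the CRTM/firmware hands each component's hash to a passive TPM, the TPM extends a PCR, and a disk key sealed against the known-good PCR can only be unsealed when the same chain boots again. Component blobs, the chip secret and the disk key are all constructed; the same model also shows the BitLocker point from the first post, since a blob sealed by one chip's secret will not unseal on another chip.

```python
import hashlib
import hmac

# Constructed firmware images standing in for BIOS, option ROM and bootloader.
GOOD_CHAIN = [b"bios-v1.2", b"nic-option-rom", b"bootloader-ok"]
EVIL_MAID = [b"bios-v1.2", b"nic-option-rom", b"bootloader-with-bootkit"]
DISK_KEY = b"constructed-disk-key-32-bytes!!!"  # at most 32 bytes for this toy


class ToyTPM:
    """Passive TPM model: extends PCRs with hashes it is handed, seals/unseals."""

    def __init__(self, root_key: bytes):
        self._root = root_key   # chip-unique secret, never leaves the TPM
        self.pcr = bytes(32)    # PCR is all zeros at power-on

    def extend(self, component: bytes) -> None:
        # PCR extend: new = SHA256(old || SHA256(component)); order matters
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def _wrap_key(self, pcr: bytes) -> bytes:
        # Wrapping key depends on both the chip secret and the PCR policy
        return hmac.new(self._root, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        """Encrypt secret under the current PCR; returns ciphertext || tag."""
        wrap = self._wrap_key(self.pcr)
        stream = hashlib.sha256(wrap + b"stream").digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        return ct + hmac.new(wrap, ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes):
        """Return the secret if the PCR matches the sealing state, else None."""
        ct, tag = blob[:-32], blob[-32:]
        wrap = self._wrap_key(self.pcr)
        if not hmac.compare_digest(tag, hmac.new(wrap, ct, hashlib.sha256).digest()):
            return None          # measurements differ: refuse to unseal
        stream = hashlib.sha256(wrap + b"stream").digest()
        return bytes(a ^ b for a, b in zip(ct, stream))


def measure_chain(chain, root_key=b"constructed-chip-secret"):
    """Simulate power-on: CRTM feeds each measurement to the TPM in boot order."""
    tpm = ToyTPM(root_key)
    for component in chain:
        tpm.extend(component)
    return tpm


def provision(chain, secret, root_key=b"constructed-chip-secret"):
    """Owner boots a known-good system once and seals the disk key to that state."""
    return measure_chain(chain, root_key).seal(secret)


def boot_and_unseal(chain, blob, root_key=b"constructed-chip-secret"):
    """Later boot: the OS asks the TPM to unseal; None means tampering detected."""
    return measure_chain(chain, root_key).unseal(blob)
```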
 Post subject: Re: What REALLY is a TPM and why is Windows 11 demanding it?
PostPosted: Fri Apr 29, 2022 7:56 pm 
Global Moderator

Joined: Sat Apr 07, 2018 7:19 pm
Posts: 2316
Location: Here, there, and everywhere
Yep, very interesting. The stuff of nightmares. I'd never run a system with an active TPM myself. No chance! Preferably I'd want it 'pulled' like a rotten tooth. ;)

_________________
nexter - so, what's next?

Just a volunteer Moderator, not connected to or affiliated with Winstep Software Technologies, and not an official part of customer service though I do try to help when and where I can if my scarce time permits


 Post subject: Re: What REALLY is a TPM and why is Windows 11 demanding it?
PostPosted: Tue May 10, 2022 5:37 pm 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 11927
On a related note (pardon the French in the title), this is pretty much it: :D


_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: What REALLY is a TPM and why is Windows 11 demanding it?
PostPosted: Wed May 11, 2022 1:19 am 
Global Moderator

Joined: Sat Apr 07, 2018 7:19 pm
Posts: 2316
Location: Here, there, and everywhere
winstep wrote:
On a related note (pardon the French in the title), this is pretty much it: :D


:lol: :lol: :lol:
Pity, can't see the video (blocked here in TOR), but yeah, I like the sentiment. :D Indeed, MS can kiss *all* of my big scrawny hairy arse! :P

_________________
nexter - so, what's next?

Just a volunteer Moderator, not connected to or affiliated with Winstep Software Technologies, and not an official part of customer service though I do try to help when and where I can if my scarce time permits

