TPM state: what it is, how to use it in Windows, and TPM module management

    Information security: Trusted Platform Module and Red Pill. Part 2.

    Article:

    From the editors of the VM Guru portal: This article by Andrey Lutsenko, a specialist in the field of information security, including virtual environments, tells us about the potential vulnerability of many software and hardware systems from workstations to server systems. In our opinion, the material is unique, interesting and relevant today for many environments that require increased attention to information security. We thank Andrey for providing valuable material. To contact the author, use the information in the " " section.

    With the hyperdriver you can monitor the communication protocols of various devices, including devices that are themselves designed to protect computer systems and carry their own mechanisms against illegitimate interference: not only TPM modules, but also smart cards and tokens of all kinds.

    In the device-control variant of the demo version of the "Red Pill" hyperdriver, specific handlers are attached to the virtualization platform that control the address spaces of the TPM module; when any software tries to access these hardware resources, the hyperdriver records the event in a dump, which can be viewed through the HyperAgent.

    Besides the hardware event itself, the address of the instruction in the software module that performed the access is recorded. HyperAgent lets you view these program modules and, if necessary, save them to a file for further analysis.

    The most common software tool that uses the TPM to store encryption keys is BitLocker, and it is the operation of this program that the "Red Pill" hyperdriver observes in the screenshots below.

    BitLocker's protocol of operation with the TPM module

    Initially, at the OS loading stage, BitLocker uses BIOS functions to obtain the disk encryption keys from the TPM; this access goes through the I/O port address space.
    After the OS kernel has loaded, the operating system itself starts talking to the module using the TPM 1.2 protocol, and the exchange goes through the MMIO address space.

    TPM module activation protocol

    Administration of the TPM is also handled by a dedicated Windows service; as an example, the protocol for initializing a clean TPM and entering an activation key into it was recorded. In the same way you can simply read other encryption and activation keys from the TPM, but only those keys that the TPM actually exchanges with the OS. Keys that do not normally leave the TPM can be observed at the moment a backup of the TPM contents to external media is recorded; note that in TPM 1.2 only migratable keys can be exported this way, and they leave the chip as wrapped blobs rather than in the clear.

    From the text above it may seem that this topic is not relevant for our country, since TPM modules are prohibited for use here and other imported information security tools are used only for confidential data.

    The basis of Russian information security are trusted boot modules (TDZ) such as "Accord", "Sobol" and the like. In addition, impenetrable methods of disconnecting local networks from external Internet lines, according to the plans of the architects of information security systems, completely eliminate all risks of external penetration.

    But, OH THE HORROR, these impenetrable products of Russian engineering and administrative thought are easily bypassed by hyperdrivers, and the protection bursts at the seams (in fact there has been no protection as such for a long time, only a multimillion-dollar business).

    Moreover, information security as an institution of state policy has turned into a complete fiction, in the spirit of the old Russian saying: "The severity of the laws is compensated by the optional nature of their enforcement."

    Specific example:

    The use of cryptographic means and installations containing such means on the territory of Russia is possible only on the basis of a license (Decree of the President of the Russian Federation of April 3, 1995) or notification.

    In this model, the manufacturer installs a TPM module on the board and delivers the laptop to Russia under the notification procedure, declaring that the device was disabled by the manufacturer at the production stage:

    The CF-52 board contains an Infineon SLB 9635 TT1.2 TPM module

    In this expensive, advanced laptop model the TPM can be made operational in the operating system by simple manipulation of the ACPI/BIOS tables, as demonstrated below.

    From the slides above it is clear that the importer lied in its notification, and the supervising state authorities were fooled.

    Moreover, allowing the import of supposedly disabled TPM modules is a serious threat to the country's information security, since these supposedly "disabled" TPM modules are used by remote management systems for computing installations, from laptops to servers inclusive. In remote management systems they are responsible for authorizing a remote node to take control of the machine.

    But enough of the sad things. There is an area in which hardware virtualization technology can genuinely help: even if it cannot put an end to viruses, it can seriously complicate their lives (viruses specifically, not Trojans and other rubbish that exploit the user's carelessness and incompetence).

    A description of the hyperdriver for solving this noble anti-virus task will be given in the next article.


    According to the Japanese company Trend Micro, in 2002 malware caused losses of $378 million. In 2004, 37.8 million infected computers were counted, 8% more than in 2003. Judging by the monthly statistics, the number of infected computers is expected to increase again this year, but at a slower rate than in previous years, mainly thanks to countermeasures. For IT managers and administrators the conclusion is obvious: they must prevent the intrusion of a virus, as well as the execution of any foreign code or program fragment.

    In any case, this approach should be distinguished from conventional security measures such as virus scanners, firewalls and demilitarized zones (DMZs). A fairly large number of software vendors offer a wide range of security products, but the results are still far from satisfactory. The main reason is that none of these approaches has so far considered both the software and the hardware side of the problem. The Trusted Computing Group intends to change that with Trusted Platform Module (TPM) solutions.


    Increasing number of infected computers (source: Trend Micro, Inc.).

    TCPA/TCG developments

    The Trusted Computing Platform Alliance (TCPA) was founded in 1999. At that time, important players in the hardware and software industry like HP, IBM, Microsoft and others participated in it. Unfortunately, the TCPA was not successful because of its structure: any of the two hundred members had the right to delay or overturn any decision. And reaching a compromise in some areas can be very difficult.

    That's why in April 2003 TCPA was reorganized into a new consortium, the Trusted Computing Group (TCG). In the new organization only a few companies (called "promoters") make decisions. Today these include AMD, Hewlett-Packard, IBM, Intel, Microsoft, Seagate, Sony, Sun and VeriSign. The remaining members, numbering almost a thousand, are "contributors" or "adopters": they take part in drafting specifications or simply get early access to new developments.

    Among the results of TCPA/TCG activities is the Trusted Platform Module (TPM), which its critics nicknamed the "Fritz chip" after Fritz Hollings, a US senator known for his enthusiastic support of digital rights management (DRM).

    The TPM is typically implemented as a chip on the motherboard and is integrated into the system boot process: when the computer is turned on, it records the state of the system so that it can later be established whether the platform is in a trusted configuration.

    Goals of the Trusted Computing Group

    One of the goals of the TCG was to create a "safe computer" in which hardware, software, and all communication processes are verified and protected. The word “communication” here should be understood in a general sense, since it also includes interactions between different parts of the software. Below are the main tasks assigned by the TCG.

    • Data security.
      Data can only be read by authorized users. Data transmission to and from the computer must be secure. Personal data must not be disclosed.
    • Data safety.
      Hardware and software must ensure reliable handling of data.
    • Data integrity.
      Software and data must not be changed without notice (for example, by viruses or worms).
    • Data authenticity.
      It must be possible to verify the identity of the recipient and the sender, as well as of the data service, through attestation. Each TPM chip has a unique identity, so it is unambiguously associated with its system.

    Of course, the capabilities of a trusted platform are not limited to one computer - all modern types of communication can be added here. TCG's vision covers mobile phones and PDAs, as well as input devices, storage devices and certificates. Security devices such as a fingerprint or iris reader can be used as TPM extensions. Development efforts in these areas fell on the shoulders of subgroups of the TCG. One of these subgroups is TNC (Trusted Network Connect), which works on the security of network connections.

    It is worth noting a technical issue that is often confused with the concept of trusted computers - DRM. Note that the purpose of DRM is to prevent unauthorized copying of digital information - films, music, text, etc.

    Of course, trusted computing technology provides the technical basis for such ideas. But so far no one has decided to explicitly implement copyright protection for digital content on it. This may be due to the harsh criticism Microsoft received for the Palladium platform. Microsoft rethought it, and it now exists under the name "Next Generation Secure Computing Base" (NGSCB). But this is nothing more than old wine in a new bottle...


    Steps in the development of security concepts (source: Intel).

    Modern developments clearly show the development of security measures. At the very beginning, the solutions were purely software. Then isolated applications appeared with their own hardware - the same smart cards for working in banking programs.

    The next step was the rough outline of TP modules, which in their modern form represent solutions like the “Fritz chip”. The first hardware manufacturer to adopt Trusted Computing was IBM: the ThinkPad T23 laptop was equipped with a TP module from Infineon.

    The next step beyond the initial TPM concept was the introduction of the technology called Execute Disable Bit (XD) by Intel, No Execute (NX) by AMD and Data Execution Prevention (DEP) by Microsoft. It counters buffer overflow attacks by marking memory pages as executable or non-executable, so that injected data cannot be run as code. The feature must be supported by the processor, the operating system and, for full effect, the applications. Among operating systems it is supported by Microsoft Windows Server 2003 SP1, Microsoft Windows XP SP2, Windows XP Professional x64, SUSE Linux 9.2 and Enterprise Linux 3 update 3.


    Scheme of operation of the TCG system.

    TPM modules (version 1.2 at the time of writing) produce a so-called hash of the system using the SHA-1 algorithm. As each stage of the boot chain runs (firmware, the option ROMs of components such as the video card, the boot loader, the operating system loader), its measurement is "extended" into the TPM's Platform Configuration Registers (PCRs): a register never takes a value directly, only SHA-1(old value || new measurement), so the final value commits to every component and to the order in which they ran.

    The computer reaches the authorized state only when the PCR values match the configuration that was recorded when the protection was set up. In that state the TPM releases ("unseals") the encrypted root key that applications and TPM-protected data depend on. If the values do not match at boot, the system is treated as untrusted: sealed keys stay locked, and only ordinary, unprotected files and programs will work.
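    The extend-and-seal mechanism described above, as an added example that is not part of the original article: the PCR arithmetic is the real TPM 1.2 rule (SHA-1 over the old register value concatenated with the digest of the new component), while the sealing is a stand-in built from HMAC under a constructed "storage root key" instead of the RSA wrapping a real chip performs. The boot component names, the SRK bytes and the volume master key are all constructed for the example.

```python
import hashlib
import hmac

# TPM 1.2 PCRs are 160-bit SHA-1 registers, reset to all zeros at power-on.
PCR_LEN = hashlib.sha1().digest_size  # 20 bytes


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(component)).

    The register can only be extended, never written directly, so the final
    value commits to every component and to the order they were measured in.
    """
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into a single PCR and return its final value."""
    pcr = bytes(PCR_LEN)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


# Toy sealing (example only). A real TPM wraps the secret with an RSA key held
# inside the chip; here an HMAC-derived keystream plus an HMAC tag under a
# constructed "SRK" stands in for that.
SRK = hashlib.sha256(b"constructed storage root key for the example").digest()


def seal(secret: bytes, pcr: bytes, srk: bytes = SRK) -> bytes:
    """Bind `secret` (at most 32 bytes) to one PCR value; returns ct || tag."""
    if len(secret) > 32:
        raise ValueError("toy seal handles at most 32 bytes")
    keystream = hmac.new(srk, b"kek" + pcr, hashlib.sha256).digest()
    ct = bytes(s ^ k for s, k in zip(secret, keystream))
    tag = hmac.new(srk, b"tag" + pcr + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, pcr: bytes, srk: bytes = SRK):
    """Return the secret if `pcr` equals the value it was sealed to, else None."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(srk, b"tag" + pcr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # boot state differs from the sealed one: key stays locked
    keystream = hmac.new(srk, b"kek" + pcr, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


# Constructed stand-ins for the measured boot components.
TRUSTED_BOOT = [b"firmware v1.00", b"option ROM: video", b"bootmgr", b"winload.exe"]
TAMPERED_BOOT = [b"firmware v1.00", b"option ROM: video", b"bootmgr (bootkit)", b"winload.exe"]
VOLUME_MASTER_KEY = bytes(range(32))  # constructed 256-bit key


def demo() -> dict:
    good = measure_boot(TRUSTED_BOOT)
    blob = seal(VOLUME_MASTER_KEY, good)
    return {
        "trusted_unseal": unseal(blob, good),
        "tampered_unseal": unseal(blob, measure_boot(TAMPERED_BOOT)),
        # same components, different order: a different PCR, so no key
        "reordered_unseal": unseal(blob, measure_boot(list(reversed(TRUSTED_BOOT)))),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:17s} -> {'key released' if key else 'refused'}")
```

    A real TPM lets the sealer choose which PCRs the blob is bound to and wraps the secret with the SRK's RSA key; the point shown here is the one that matters for BitLocker: a single changed or reordered boot component produces a different PCR value, and the sealed key is then unobtainable without the recovery key.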

    Today's Trusted Platform Module (TPM) manufacturers include Infineon, National Semiconductor (although its TPM division was recently sold to Winbond), and Atmel. In addition, there are chips with TPM integration from Phoenix/Award, processors from Transmeta and network controllers from Broadcom, which are used by Hewlett-Packard. Seagate has announced its decision to release hard drive controllers with integrated TPM functionality.

    In the area of software that uses installed TPMs, Wave Systems offers the Embassy Security Center environment, the complete Embassy Trust Suite (document management, digital signatures) and the CSP Toolkit (Cryptographic Service Provider) for Windows programmers. IBM offers the ThinkVantage package (primarily with its TPM-equipped ThinkPad laptops), and Utimaco supplies the SafeGuard Easy disk encryption program. Check Point sells a suite of products for a range of IT infrastructure tasks, and Adobe offers Acrobat version 6, which can use the TPM when working with PDF files.

    However, there are already spin-off technologies and improvements whose security properties are enforced even more strictly. Examples include Intel LaGrande technology, ARM TrustZone and, new for 2006, AMD Presidio. A separate operating system security kernel (Nexus, in the case of Microsoft Vista) links the TP module with the security components of trusted applications. With this support the user can verify that all hardware components are TCG-authorized, that installed applications are signed, and that none of the components carries an incorrect signature or serial number.

    If changes to the hardware configuration are detected, the TPM can re-certify the new components online. The operating system with the Nexus security engine runs in memory areas protected by the processor (recall Data Execution Prevention), and trusted application data cannot be modified from outside.

    The current version 1.2 of TPM has some nice features. Direct Anonymous Attestation (DAA) lets a TPM prove to a remote party that it is a genuine TPM without revealing which one, which improves interaction with other trusted systems. Locality introduces several trust levels, distinguished by which part of the platform (firmware, operating system, trusted kernel) issues a command. Delegation lets the owner hand specific privileges to different users or processes without sharing the owner password. NV Storage offers general-purpose non-volatile storage inside the chip with per-index access control. Transport protection encrypts and authenticates command sessions between software and the TPM, and Monotonic Counters, which can only ever increase, let software detect so-called replay attacks.

    Technology comparison with Intel AMT

    A few words are needed about Intel Active Management Technology (iAMT). Intel approaches the platform topic with a complete management package that addresses both administration and security concerns; its slogan is "Discover, Heal and Protect". iAMT provides centralized management that can locate computers regardless of their power state or operating system, reducing troubleshooting time and simplifying the management of malware protection. The most advanced product today is the Intel D945GNT motherboard in the ATX form factor, which combines TC and iAMT capabilities.

    Risks, hazards and consequences of TPM

    With each release of more advanced security technology, you can expect a torrent of criticism and skepticism from people who are ready to challenge any improvements. But what are the risks and dangers really?

    Most visible today are the efforts of the music and video industries to force all computer users to submit to the DRM paradigm. As soon as most computer components support TPM and the operating system (such as Windows Vista) can work effectively with it, full tracking of stored content by copyright owners becomes possible.

    The first warning sign is Microsoft's attempt to make Media Player perform DRM updates without the user's knowledge. The question then arises: what data on a computer can be considered legal, and what is to be done with the rest? Looking towards countries such as Cuba or North Korea, there is a danger of new censorship capabilities: hardware protection could restrict the display to text and pictures approved by that country's censor.

    All this leaves a rather bad aftertaste for users, reminiscent of a "black box": by constantly monitoring all computer activity, one can easily collect all the necessary information about the user and his work.

    Systems with TPM

    We received a pre-production sample of the HP Compaq DC7600 for testing. Unfortunately, apart from the TP chip itself, the components in the computer are not ready for the TPM concept. The HP/Altiris administrative software is far from complete, and HP does not ship any other TPM software, nor does it encrypt hard drive partitions. In addition, the current Windows XP, even the newest x64 version, cannot take full advantage of the TPM or its encryption features. So the whole description of the possible TPM functions of this computer is based on HP/Compaq information.


    The HP board uses the MicroATX form factor, and can be expanded via a daughterboard with two additional PCI slots.

    The HP Compaq DC7600 features one of the first HP motherboards to support TPM. The 7x00 line consists of computers with TP module version 1.2, and they are also available in the form of “configure-to-order”. At the same time, HP has integrated not only a single TPM chip, but also a Broadcom NetXTreme BCM5752 gigabit controller that meets the latest trusted computing specifications. According to information on the Internet, activation of the TC chip functions costs the manufacturer $10.

    To manage TPM, HP adds another layer of protection called "ProtectTools." It is used by the Altiris "HP Client Manager" program, which is also suitable for hardware administration. At this stage of development, ProtectTools provides only two functions: protecting identification information during user login, and encrypting hard drives. Of course, each TPM in HP Compaq computers can be clearly identified.

    Among the most important features of the TPM concept, HP Compaq highlights the following:

    • built-in HP ProtectTools protection provides encryption of root keys;
    • "virtual smart cards" (Virtual Smart Card) improve on conventional smart cards (SmartCard and Token ID);
    • extension of other security tools such as smart cards and fingerprint readers;
    • built-in wireless network encryption, as well as data protection and data integrity (anti-spoofing);
    • encryption of files and folders;
    • mail encryption (keys supplied by the TPM);
    • access and rights management in networks;
    • protection against hacker attacks (system attacks, DoS/network attacks);
    • secure user login, "global" user authentication.


    Broadcom's latest gigabit chip supports TPM.


    DC7600 open case.

    The target audience for the HP Compaq 7x00 line of computers - in fact, like the concept of trusted computers - are networks of medium and large-level companies. These networks will benefit greatly from centralized management features, as well as the enhanced security and safety features of TPM. Today, HP sells its line of computers in three versions: ultra-thin desktop, desktop and tower.

    We've got a mini-tower that can also be laid on its side thanks to the rubber feet on the right side of the body. The case, apart from the cheap plastic front panel, is of high build quality, which is why it is heavy. Many details are well thought out: for example, the housing door can be opened quickly. In the same way, CD/DVD drives and hard drives are installed without screwing. If you need to add a new drive, you attach the guides to it and insert it into the bay.

    The case offers enough space for two additional 5.25" drives, one 3.5" drive and a floppy drive. The power supply with active cooling produces a maximum of 345 W.

    Apart from the TPM addition, this is a typical motherboard on the 945 chipset with built-in video (Intel GMA950) and sound (Realtek ALC260 HD Audio codec). The available ports are generally what you would expect of an office computer. At the back are six USB 2.0 ports and a gigabit Ethernet interface; at the front are two USB 2.0 ports with audio in and out. You won't find any FireWire ports, DVI out or S-Video.


    Rear and front views of the case.


    You will find these ports on the front and rear panels.


    Four PCI slots. Between them you can see a connector with which an expansion card is connected to the motherboard.

    In smaller form factor cases, HP uses the exact same MicroATX motherboard. And in large cases (like ours), a daughter board is connected to it, providing additional PCI slots. The board itself has two 32-bit PCI slots, but they can be expanded with two more using the aforementioned daughterboard.

    Technical specifications

    CPU: Intel Pentium 4 630 (3.0 GHz, 2 MB L2 cache)
    Memory: 2x 256 MB DDR2 (PC2-4200/DDR2-533)
    Memory slots: 4 DIMM
    Hard drive: 80 GB (7200 rpm)
    Drive bays: 3x 5.25", 1x 3.5", 2x internal 3.5"
    CD/DVD drive: DVD-ROM 16x/48x
    Floppy drive: 1.44 MB
    Hard drive controller: SMART III Serial ATA 3.0 Gb/s
    Case: mini-tower
    Graphics interface: PCI Express x16
    OS: Microsoft Windows XP Professional, Microsoft Windows XP Home and SuSE Linux
    Slots: 2 full-length PCI, 1 full-length PCI Express x1, 1 full-length PCI Express x16 (2 additional full-length PCI slots via the daughterboard)
    Sound: built-in High Definition Audio with 2-channel Realtek ALC260 codec
    Network: Broadcom NetXtreme integrated gigabit controller with TPM support (BCM5752)
    Network card: Intel Pro 1000 MT Gigabit NIC (x1 PCI Express)
    External I/O ports: rear: 6x USB 2.0, 1x serial, 1x parallel, 2x PS/2 (keyboard/mouse), 1x RJ45 network, 1x D-SUB VGA, audio ports; front: 2x USB 2.0, headphones

    IBM has been introducing solutions with built-in TPM for some time now. With the introduction of the T23 ThinkPad notebooks, passwords and keys can be stored securely, data can be encrypted locally, and VPNs can be accessed with better security.

    Today more and more computers are equipped with TP modules, often without the user being aware of it. When we received the Dell X1 laptop in the lab, we found it was equipped with the same Broadcom BCM5752M network controller with TPM support.

    Conclusion

    The concept of Trusted Computing is a mature technology approach that provides smart solutions to many, although not all, security risks. The concept offers more convenient and powerful solutions than other approaches.

    The additional cost of equipping hardware components is small, and, especially in a corporate environment with a large IT infrastructure, TPM can bring significant benefits. Processors supporting trusted computing should appear in the near future. Intel's LaGrande and AMD's Presidio technologies are technically similar and allow a "secure" system kernel to be implemented. In addition, these processors support separate untrusted partitions, which will work well in combination with the Vanderpool (Intel) and Pacifica (AMD) virtualization technologies.

    We have no doubts about the success of TPM platforms. The risks associated with new technology (in fact, like any other) exist only in connection with the misuse of its potential, which is fueled by aggressive statements by some politicians associated with the enormous influence of the music and film industries. Unfortunately, HP/Compaq was unable to provide us with even a beta version of the software, preventing us from taking a closer look at the potential of TPM.

    Until trusted computing becomes a reality in enterprises, TPM-enabled components will remain in a state of hibernation. With the release of Windows Vista, we will once again return to TPM technology, and this time - more closely.

    Philosophers of the past loved to talk about freedom. “Those who are willing to give up their liberty to gain a short-lived protection from danger deserve neither liberty nor safety,” argued Benjamin Franklin. “A person cannot be either a slave or free. He is either free - or he is not at all,” Jean-Paul Sartre categorically stated. “Freedom is a conscious necessity,” Marxists quoted Benedict Spinoza.

    What is freedom? Is it important for a person to be free, and is he ready to trade freedom for security? An event that went unnoticed by the general public prompted me to think about this. This summer the ISO/IEC JTC 1 technical committee voted, under the simplified PAS procedure, to approve a new version of the ISO/IEC 11889:2015 standard, submitted by the Trusted Computing Group (TCG) consortium, which was founded in 2003 by the American companies AMD, HP, IBM, Intel and Microsoft (Cisco and Wave Systems are among its later promoter members). And on June 29, in Portland, Oregon, TCG announced that its Trusted Platform Module (TPM) 2.0 standard had been finally approved as an international standard.

    Benefits of TPM

    TPM is the name of a specification describing a crypto module that stores cryptographic keys to protect information. Put more simply, it is an information security module that can be installed in servers, personal computers, network and mobile devices. It supports remote attestation, by which the hardware vouches to a remote party for the state of the software running on the platform.

    The module is convenient for copyright holders, as it allows you to check the licensing of software and control illegal copying of music, films or computer games. It uniquely identifies the computer and allows user authentication. At the same time, TPM makes it possible to generate keys, has hashing functions, and generates random numbers.

    The TPM's own hardware is very limited in throughput and cannot directly encrypt large amounts of data at high speed. Bulk encryption of files on disk is done by Windows BitLocker; the disk keys themselves are sealed by the TPM, which prevents their theft from a powered-off machine. The limit of that protection is worth stating: once the TPM has released the key to the running OS it lives in RAM, where it can still be attacked (for example by cold-boot or DMA techniques), and a TPM-only configuration releases it automatically to anyone who can boot the intact machine; a PIN or startup key closes that gap.

    Thus, TPM, in conjunction with Windows Bitlocker, can encrypt a disk, protect data in case of loss or theft of a computer, software from modification and infection by viruses, as well as banking and email programs.

    The module is able to confirm the authenticity of the computer and even its functionality even before gaining access to the network. Overall, it significantly increases the security of users, especially those who have little knowledge of information security issues and cannot solve them on their own.
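    The remote attestation mentioned above and the "confirm the computer before it gets network access" role (the TNC idea from the earlier part of this page), as an added example that is not part of the original article: the platform quotes its PCR value together with a verifier-supplied nonce, and the verifier checks origin, freshness against replay, and the value against a known-good configuration. Everything here is constructed: the AIK secret, the golden PCR and the "bootkit" PCR; an HMAC under a key shared with the verifier stands in for the RSA signature a real TPM makes with its Attestation Identity Key.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the attestation identity key. A real TPM signs the
# quote with a private RSA key (the AIK) that never leaves the chip and the
# verifier checks it with the matching public key; this example uses an HMAC
# under a shared secret instead so it runs with the standard library only.
AIK_SECRET = hashlib.sha256(b"constructed AIK secret for the example").digest()

# Known-good PCR value the verifier was provisioned with, and a value that a
# modified boot chain would produce. Both constructed.
GOLDEN_PCR = hashlib.sha1(b"known-good boot chain").digest()
BAD_PCR = hashlib.sha1(b"boot chain with bootkit").digest()


def tpm_quote(pcr: bytes, nonce: bytes, aik: bytes = AIK_SECRET) -> dict:
    """Platform side: bind the current PCR value to the verifier's nonce."""
    sig = hmac.new(aik, b"QUOTE" + nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


class Verifier:
    """Network-side policy point: decides admission from a quote."""

    def __init__(self, golden_pcr: bytes, aik: bytes = AIK_SECRET):
        self.golden = golden_pcr
        self.aik = aik
        self.outstanding = set()  # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(20)
        self.outstanding.add(nonce)
        return nonce

    def admit(self, quote: dict) -> tuple:
        # 1. Freshness: the nonce must be one we issued and not yet used,
        #    so a captured quote cannot be presented a second time.
        if quote["nonce"] not in self.outstanding:
            return False, "stale or unknown nonce (replay?)"
        self.outstanding.discard(quote["nonce"])
        # 2. Origin/integrity: the quote must verify under the platform's AIK,
        #    so the reported PCR cannot be edited after the TPM produced it.
        expected = hmac.new(self.aik, b"QUOTE" + quote["nonce"] + quote["pcr"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False, "bad quote signature"
        # 3. Policy: the reported state must equal the known-good configuration.
        if quote["pcr"] != self.golden:
            return False, "PCR mismatch: untrusted boot state"
        return True, "admitted"


def demo() -> dict:
    v = Verifier(GOLDEN_PCR)
    results = {}

    n1 = v.challenge()
    good = tpm_quote(GOLDEN_PCR, n1)
    results["good"] = v.admit(good)
    results["replay"] = v.admit(good)  # same quote presented again

    n2 = v.challenge()
    results["tampered_pcr"] = v.admit(tpm_quote(BAD_PCR, n2))

    n3 = v.challenge()
    forged = tpm_quote(BAD_PCR, n3)
    forged["pcr"] = GOLDEN_PCR  # compromised OS lies about its state after signing
    results["forged"] = v.admit(forged)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} -> {'ADMIT' if ok else 'DENY '} ({why})")
```

    The order of the three checks is deliberate: freshness first, so that a replayed quote is rejected before any cryptographic work, then the signature, then policy. With a real AIK the verifier would also have to establish that the public key belongs to a genuine TPM (via the endorsement credential, or anonymously via DAA), which the shared-secret stand-in sidesteps.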

    Indeed, TPM is an important and useful thing. Significantly increases user safety. But the question of the price of security arises. If a person installs a webcam in his home, he increases the security of his home. He can remotely monitor the apartment all the time and call the police if thieves appear. But if the ability to control the webcam is intercepted, then it can turn from a security device into a surveillance device. The collected information about a person is, accordingly, used as a means of control and management. And his apartment itself turns into a cell, though more like a prison cell.

    Germany's position

    The result of the ISO/IEC JTC1 Technical Committee vote was predictable. Only Germany voted against. Russia abstained, however, its vote “against” would not have decided anything anyway. The majority supported the American position. An unprecedented action did not help either - sending out a closed letter to committee members from official representatives of the Federal Ministry of the Interior and the Federal Ministry of Economics and Energy of the Federal Republic of Germany with a request to “bury” the project. Information about this document leaked to the German press and caused a lot of noise.

    At the state level, the existence of such a letter was denied by the German authorities, however, what else in this case can be expected from the official authorities. In the text of the German letter, available to the editors and the authenticity of which we have no reason to doubt, it is written that “... the specifications presented in the draft standard are not sufficiently developed to make a decision; in particular, as a result of careful consideration of the issue, we have reason to believe that their implementation may significantly degrade the ability to manage the protected ICT system, and also potentially lead to situations of complete blocking of the system, carried out in the interests of some manufacturers of computer equipment. In addition, we believe that the potential impact of the proposed specifications on privacy and IT security may be highly problematic and are concerned that this would conflict with relevant German law.”

    At the same time, German information security specialists did not oppose TPM in principle. They were satisfied with the previous TPM 1.2 standard, in which the user retained full control over his platform. The TPM module could simply be disabled. In the TPM 2.0 standard this will no longer work.

    In addition, they were concerned about the very approach to developing the standard, in which only American companies participated. Zeit journalists reported that the German government tried to take part in the development of TPM 2.0, but was refused. They also pointed to the active cooperation of the standard developers with the US NSA and provided assessments of the security of TPM 2.0 by independent experts. The publication warned that TPM can be considered a backdoor and there is a high probability that the NSA has access to cryptographic keys.

    Vents and windows

    Experts from the German Federal Office for Information Security (BSI) were alarmed that with the transition to the TPM 2.0 specification the standard becomes mandatory for all devices running Windows 8.1 and later, and that the function cannot be deactivated.

    In fact, a computer with TPM 2.0 cannot be considered a device under complete control of the user. Concerns have been raised that Windows 8 with TPM 2.0 could allow Microsoft to control the computer remotely through a built-in backdoor.

    Chinese experts also read the German warning. They researched the problem, worked out the details and made a decision. In May 2014 the Chinese state news agency Xinhua reported that the government had banned the installation of Windows 8 on government computers. These are most likely not only computers belonging to the state itself, but also those of structures controlled by the state: the largest banks, information security companies, telecoms, and other companies that want to follow their government's recommendations.

    Another internal BSI document obtained by the German publication states: "Windows 7 can be managed securely until 2020. After that, other solutions must be found for the administration of IT systems." And on the BSI website it is directly written that the mechanism of Windows 8 with TPM 2.0 “can be used for sabotage by third parties” and that experts consider the use of the new version of TPM unacceptable by government organizations and critical infrastructure facilities. So, it seems that the Germans and Chinese will not rush to upgrade Windows 7 in the public sector even to Windows 8.

    Russia's position

    To find out Russia's position, we turned to experts: members of the ISO/IEC JTC1 technical committee, the Russian companies Aquarius and Craftway, and Microsoft, asking them to comment on how serious the concerns of Germany and China about the new standard are.

    Unfortunately, the experts either ignored our questions or declined to answer them. The only specialist who agreed to an interview was Vadim Podolny, an independent expert on cybersecurity in automated control systems.

    What is good and what is dangerous about TPM?

    TPM, whether it is the currently most common TPM 1.2 or the increasingly implemented TPM 2.0, is a technology standard promoted by large American companies. Essentially, TPM is a separate module that is integrated into computers.

    Now, in addition to PCs, servers, terminals, and network routers, we have many new components connected to the network. These are controllers for industrial automation, Internet of Things devices, devices that are responsible for human health: pacemakers, glucometers built into watches... Through a hacker's intervention they can trigger falsely or, conversely, fail to trigger when they should. TPM trust modules solve an important problem: trust in the data, trust in the system, confirmation that it will work correctly.

    The TPM idea is correct. There should be standard modules that ensure the legal significance of information. The concept itself is this: to make a module that is difficult for hackers to produce and that only a large state can make. It's like a banknote, a method of protecting money. There's nothing wrong with that.

    The question is different. Windows 7 had a "My Computer" icon. In Windows 10 it's called "This PC". This is no longer your computer. Technologies are being imposed on us that will ensure our safety whether we want it or not. It is as if the state introduced prohibition and said that from now on you will not drink alcohol, since society needs healthy soldiers. So it is here.

    If your computer is captured, it means that someone needs it for something. Perhaps to keep an eye on you. If you cannot disable this functionality, then it is not a security feature. It is a passive means of attack. Gathering information is finding a point to attack. Microsoft is taking away your computer for your money. It sells you its operating system and takes control away from you.

    Is it possible to check whether a TPM module has a backdoor or not?

    You can analyze the standard. But when a computer comes to you with a TPM module soldered into its motherboard that was not manufactured in a company you control, you don’t know what’s inside. They can add anything there.

    But can a backdoor be planted in any processor or controller?

    Yes, of course. And the approach should be the same. In military systems, regulators will never allow the use of a chip made by someone unknown, even according to an open standard. That's why we have the "Baikal" and "Elbrus" processors. Russia's engineering forces are sufficient to design its own TPM. We cannot yet manufacture it in our own factories. The same goes for processors. But we can design it, and then check whether it was made the way we needed it, or whether something was added there. Such a mechanism would already allow TPM to be used.

    What should we do now that we don’t have our own TPM?

    The commonly used analogues of TPM, which largely fulfill its role, are hardware trusted boot modules. They are used even now that TPMs have appeared on motherboards.

    It has also become possible to modify the BIOS, and UEFI technology has appeared, a standard that allows trusted boot modules to be created programmatically. In fact, they can host programs that emulate the operation of a TPM, which is what is done in many developments. For example, in the seOS operating system, certified by the FSB.

    What about the Russian TPM module?

    We still have companies in Russia that order motherboards for their projects. For example, Aquarius, Craftway, T-Platforms, MCST and others. Each of them is quite capable of designing its own TPM module. And it will probably be created in the near future, with support for domestic GOST-certified cryptographic algorithms. And this is important not only for defense enterprises, but also for a wide range of consumers who are obliged to comply with the provisions of Law 152-FZ “On Personal Data”.

    Why did the Germans oppose the TPM 2.0 standard so sharply?

    Very simple. They want to protect their data and technology from the US. Remember how SUSE Linux came into being? This happened after it became clear that when documents were transferred from one Bundeswehr department to another, the information first ended up at the NSA. Then SUSE Linux was created in Germany and the department was moved over to this OS.

    In Linux, starting with kernel 3.2, support for TPM 2.0 was also announced. But it can be turned off. In Windows, though, you can't go above version 8 without it. Windows is a very user-friendly operating system. It is wonderfully thought out. Tens of thousands of programmers work to make it convenient and comfortable for users. But any change that is forced on you with the words that it is for your safety is annoying. To specialists, to officials, and to governments alike.

    In order not to be afraid of TPM, you need to do special research, conduct a check and find out whether there is anything dangerous there or not. This is a completely standard procedure. Sometimes it is performed on-site at the production site. This is a normal practice when representatives of a country come to the country of the manufacturer and sit in production for some time, understanding the processes.

    And who will do this?

    This may be of interest to large commercial companies. I think some research work in this format is already underway. But the state is not immediately interested in this, since our cryptography is not in it, so the existing modules are not suitable for the defense industries.

    Is it possible to use computers with TPM in government agencies?

    The issue of using TPM in government agencies is quite complex. I think that in the next editions of TPM it will be possible to replace the crypto algorithms. Today you can reflash the BIOS and add your own components; the same will be true of TPM. As for current use in the public sector, it's too early to talk about it. But the possibility of our own implementation of the standard needs to be researched. It is also necessary to participate in the development of its next version, so as to be able to embed our cryptography into someone else's TPM.

    ... In general, the position is clear. TPM is a new level in security. The state will somehow resolve the issue in the defense industry, and the rest will use what they have. In most cases, TPM will protect you from wild hackers (in those matters of protection that TPM provides), but you still can’t escape the attention of Big Brother.

    The consortium itself, which started as a purely American project, is expanding. Currently, TCG has 11 Promoter members (AMD, Cisco, Fujitsu, HP, IBM, Infineon, Intel, Juniper, Lenovo, Microsoft and Wave Systems) and 74 Contributor members. Japanese and Chinese companies have appeared on these lists. But there are still no Russian representatives there.

    Freedom or security? The times of the existentialists Sartre and Camus, who chose the "roads of freedom" and studied a free person standing on the brink of "nothing", are a thing of the past, along with the past century. Most people chose safety, and now argue only about the length of the leash. So for the mass user the TPM problem does not exist. But the state should not be indifferent to the question of whose leash its government agencies are on. And its citizens too.

    A trusted platform module, or TPM (trusted platform module), is a separate microchip on a computer's motherboard that performs a specific range of tasks related to cryptography and computer security.

    For example, using the TPM cryptoprocessor you can encrypt a computer hard drive. Of course, the central processor can do this, but then it will have to perform more tasks, and the encryption and decryption speed will be much lower. Hardware-based encryption in the TPM occurs with virtually no performance loss.

    Decryption is sometimes incorrectly called deciphering. The difference is that when decrypting you know the algorithm and the secret key with which the data was encrypted, whereas when deciphering (breaking the encryption) you do not.

    The TPM can also protect credentials and verify the programs running on the system. It prevents infection by rootkits and bootkits (types of malware that get into the computer before the operating system boots, or that hide their presence in the system and therefore cannot be recognized by it), ensuring that the computer's configuration is not changed without the user's knowledge.

    In addition, each TPM cryptographic module has a unique identifier that is written directly into the chip and cannot be changed. Therefore, the cryptochip can be used for authentication when accessing a network or any application.

    TPM can generate strong encryption keys when required by the operating system (OS).
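    The per-chip identifier described above is the TPM's endorsement key (EK), and Windows exposes it together with the manufacturer-issued certificate that vouches for it. The following PowerShell function is an added example, not code from the article; it assumes Windows 8.1 or later with the built-in TrustedPlatformModule module (the Get-Tpm and Get-TpmEndorsementKeyInfo cmdlets) and an elevated session. The function name Get-TpmIdentityReport is an assumption of this example.

```powershell
# Added example (not from the article): inspect the TPM endorsement key (EK),
# the per-chip identity the article refers to, and check whether its
# manufacturer certificate builds a valid chain on this machine.
# Assumes Windows 8.1+ and an elevated PowerShell session.
function Get-TpmIdentityReport {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        # Nothing to report until the chip is enabled in the BIOS/UEFI "Security Chip" option.
        return [pscustomobject]@{
            Present = $false
            Reason  = 'No TPM visible to the OS; check the Security Chip setting in BIOS/UEFI'
        }
    }

    # EK public key, its SHA-256 hash, and the certificate(s) the TPM vendor burned in.
    $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm 'Sha256'

    $chainResults = foreach ($cert in $ek.ManufacturerCertificates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # EK certificates frequently have no reachable CRL; judge the chain on
        # signatures and validity dates rather than on revocation lookup.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            ChainOk   = $built
            # Empty when the chain is fine; otherwise e.g. "UntrustedRoot, PartialChain".
            Status    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]@{
        Present         = $true
        EkPresent       = $ek.IsPresent
        EkPublicKeyHash = $ek.PublicKeyHash   # stable per chip; usable as a device identifier
        Certificates    = $chainResults
    }
}

Get-TpmIdentityReport | Format-List
```

    A chain status of UntrustedRoot does not by itself mean the chip is suspect: vendor EK roots are usually not in the local certificate store, so a real verification imports the vendor's published root and rebuilds the chain against it. The EK hash is what a network or application can pin to when it uses the TPM for authentication, as the paragraph above describes.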

    But before you can use the TPM, it needs to be configured. Setting up the module comes down to a few simple steps.

    • First, the chip must be activated in the computer's BIOS (if it is not already).
    • Second, you need to become its owner at the operating system level.

    Let's look at these steps in more detail.

    1 Enabling the TPM in the computer BIOS

    To enable the module, go to the BIOS and go to the security section. Although the BIOS can vary significantly from computer to computer, as a rule, the section with security settings is called "Security". There should be an option in this section called "Security Chip".

    The module can be in three states:

    • Disabled.
    • Enabled but not activated (Inactive).
    • Enabled and activated (Active).

    In the first case, it will not be visible in the operating system, in the second, it will be visible, but the system will not use it, and in the third, the chip is visible and will be used by the system. Set the status to "active".

    You can also clear old keys generated by the chip in the settings.


    Clearing the TPM can come in handy if you want to sell your computer, for example. Please note that if you erase the keys, you will not be able to recover the data encrypted with them (assuming, of course, that your hard drive was encrypted with them in the first place).

    Now save the changes ("Save and Exit" or F10 key) and restart the computer.

    After your computer boots, open Device Manager and make sure that the trusted module appears in the list of devices. It should be in the "Security Devices" section.

    2 Initializing the TPM on Windows

    All that remains is to initialize the chip in the operating system. To do this, open the TPM management snap-in: press Windows+R (the "Run" window will open), enter tpm.msc in the input field and press Enter. The snap-in "Trusted Platform Module (TPM) Management on Local Computer" will start.

    Here, by the way, you can read additional information: what the TPM is, when you need to turn it on and off, how to change the password, etc. A good series of articles dedicated to TPM is available on the Microsoft website.

    On the right side of the snap-in there is an action menu. Click "Initialize TPM...". If this option is not active, then your chip has already been initialized. If it was not initialized by you, and you do not know the owner’s password, then it is advisable to reset and clear the module’s memory, as described in the previous paragraph.


    When the TPM Initialization Wizard starts, it will prompt you to create a password. Select the Automatically generate password option.


    The TPM initialization program will generate a password. Save it as a file or print it. Now click the “Initialize” button and wait a bit.


    Upon completion, the program will report successful module initialization. After initialization is complete, all further actions with the module - disabling, cleaning, data recovery in case of failures, resetting the lock - will only be possible using the password that you just received.


    Now the initialization action has become inactive, but it is now possible to disable the TPM, change the owner password and reset the module lock if this happens (the module locks itself to prevent fraud or attack).


    This is essentially where the management capabilities of the TPM snap-in end. All further operations that require the chip will happen automatically, handled by the operating system and invisible to you, and must be implemented in software. More recent operating systems, such as Windows 8 and Windows 10, use TPM capabilities more widely than older ones.
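    The two steps above (activate in BIOS, take ownership in Windows) can be verified from the command line instead of by clicking through tpm.msc. The following PowerShell function is an added example, not code from the article; it assumes Windows 8 or later with the built-in TrustedPlatformModule and PnpDevice modules (Get-Tpm, Get-PnpDevice), the Win32_Tpm WMI class, and an elevated session. The function name Get-TpmSetupStatus and the three state labels it prints are this example's own; the labels follow the three BIOS states listed above.

```powershell
# Added example (not from the article): map the TPM's current state onto the
# three BIOS states the article lists (Disabled / Inactive / Active) and the
# OS-level ownership step, and flag what still needs doing.
# Assumes Windows 8+ and an elevated PowerShell session.
function Get-TpmSetupStatus {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    # Win32_Tpm only has an instance when the chip is visible to the OS; it also
    # carries the enabled/activated/owned flags and the spec version ("1.2, ..." or "2.0, ...").
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue

    $biosState = if ($null -eq $wmi)                      { 'Disabled (not visible to the OS)' }
                 elseif (-not $wmi.IsActivated_InitialValue) { 'Enabled but not activated (Inactive)' }
                 else                                      { 'Enabled and activated (Active)' }

    $issues = @()
    if ($null -eq $wmi) {
        $issues += 'Enable the Security Chip option in BIOS/UEFI, save (F10) and reboot'
    } elseif (-not $wmi.IsOwned_InitialValue) {
        $issues += 'Take ownership: tpm.msc > Initialize TPM (or Prepare the TPM on newer Windows)'
    }
    if ($tpm.RestartPending)     { $issues += 'A restart is pending before the TPM becomes usable' }
    if ($tpm.LockedOut)          { $issues += 'TPM is in anti-hammering lockout; use the owner password to reset it' }
    if ($tpm.OwnerClearDisabled) { $issues += 'Owner clear is disabled; clearing must be done from BIOS/UEFI' }

    # The Device Manager entry the article tells you to look for ("Security devices").
    $devices = Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty FriendlyName

    [pscustomobject]@{
        BiosState     = $biosState
        Owned         = if ($wmi) { [bool]$wmi.IsOwned_InitialValue } else { $false }
        Ready         = $tpm.TpmReady          # true only once enabled, activated and owned
        SpecVersion   = if ($wmi) { $wmi.SpecVersion } else { $null }
        Manufacturer  = $tpm.ManufacturerIdTxt
        Firmware      = $tpm.ManufacturerVersion
        DeviceManager = ($devices -join '; ')
        Issues        = $issues
    }
}

Get-TpmSetupStatus | Format-List
```

    The Issues list is the actionable part: an empty list with Ready = True means both steps of the procedure are complete, while a LockedOut flag corresponds to the self-locking behaviour mentioned above and is cleared with the owner password you saved during initialization.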

    Hello everyone! Today we will talk about the Trusted Platform Module and find out what kind of beast it is. It's a little complicated, but as far as I understand, the Trusted Platform Module (TPM) is a module located on the motherboard that stores cryptographic keys to protect information. There is version 1.0, and a more advanced, modern 2.0.

    There is also version TPM 1.2, released on March 3, 2011. So we can conclude that the technology is not so new, but has been around for a long time.

    As I understand it, the Trusted Platform Module is used in encryption algorithms, making them even more secure.

    The trick is that the TPM module can help encrypt and decrypt. But to decrypt, you need cryptographic keys, and these keys are stored in the chip itself. That's the kind of complex technology it is.

    Yeah! There is also this: the module is capable not only of creating these keys, but also of binding them to the hardware. Do you understand? Decryption is only possible if the computer configuration that was in place during encryption matches the one it has now... in short, serious stuff.

    The chip also takes part in the operation of BitLocker Drive Encryption technology (encrypting the contents of PC drives).
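    The "binding to the computer configuration" just described is what BitLocker does when it seals the volume key to the TPM's platform configuration registers (PCRs). The following PowerShell function is an added example, not code from this post; it assumes Windows 8 or later with the BitLocker feature (the Get-BitLockerVolume cmdlet and manage-bde.exe) and an elevated session. The function name Get-BitLockerTpmBinding and the parsing of manage-bde's "PCR Validation Profile" line are this example's own.

```powershell
# Added example (not from the post): show which BitLocker key protectors on a
# volume are TPM-bound and which PCRs (boot measurements) the key is sealed to.
# Assumes Windows 8+, BitLocker installed, and an elevated PowerShell session.
function Get-BitLockerTpmBinding {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # All TPM-based protector types start with "Tpm": Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey.
    $tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $recovery      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # manage-bde prints the PCR list on the line following "PCR Validation Profile:".
    $text = (& manage-bde.exe -protectors -get $MountPoint 2>&1) -join "`n"
    $pcrProfile = if ($text -match 'PCR Validation Profile:\s*\n\s*([\d, ]+)') {
        $Matches[1].Trim()      # e.g. "7, 11" (Secure Boot policy) or "0, 2, 4, 11" (legacy profile)
    } else {
        $null                   # no TPM protector, or volume not protected
    }

    [pscustomobject]@{
        Volume              = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        TpmProtectors       = ($tpmProtectors | ForEach-Object { $_.KeyProtectorType }) -join ', '
        PcrProfile          = $pcrProfile
        # Without a recovery protector, any change that alters the sealed PCRs
        # (firmware update, boot order, a replaced or cleared TPM) leaves the data unrecoverable.
        HasRecoveryPassword = [bool]$recovery
    }
}

Get-BitLockerTpmBinding | Format-List
```

    This also answers the question raised later in the post about swapping the chip: a key sealed into one TPM cannot be unsealed by another, so without the recovery password a replaced or cleared TPM means the volume stays locked.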

    I found a strange picture... TPM is mentioned here, but it’s difficult to understand what the kitchen stove has to do with it:


    What does this all mean and who is behind it?

    Chip appearance

    Here is His Majesty the TPM chip itself (separately, not on the motherboard):

    Hmm, I wonder if it's possible to buy a new one and replace it? Well, for example, if the old one broke or burned out... and judging by this picture, it seems you can indeed buy one:


    Well, what can I say here? Cool, in general. But if you buy a new chip, will it be possible to decrypt the data that was encrypted with the old chip? Now that is an unrealistically serious question!

    Here is the actual chip on the motherboard:


    Judging by its appearance and design, it’s possible to replace it at home, so to speak.

    Option in BIOS TPM Device

    Well, here is the Trusted Platform Module option in the BIOS - you can turn it on (Enabled) or turn it off (Disabled):


    The name may also be TPM Device or.. TPM Embedded Security (sorry for the quality, gentlemen):


    There may also be a Discrete TPM FW Switch option in the BIOS (Security section):


    I found out that Discrete TPM FW Switch controls a discrete chip. Discrete meaning this is a chip that can be changed, removable, so to speak. Then a thought occurred to me: could there be two TPM chips on the motherboard, integrated and discrete, and they are managed in the BIOS... I don't know, in short...

    Another example is the TPM SUPPORT, TPM State, Pending TPM operation options:


    Conclusion: the options depend on the motherboard. If the TPM chip is enabled in the BIOS, then in your Device Manager (to open it: Win + R > devmgmt.msc) there will be a device like this in the Security devices section:

    As you can see, the version is shown next to the device; in the picture above it is the outdated 1.2, but you may have the modern 2.0 (depending on the year your motherboard was made). Wait a minute! If the chip version is outdated, is it really possible to replace the old chip with a new one? Just thinking out loud, but I think a replacement is quite possible..

    Also in the System devices section there may be Infineon Trusted Platform Module:

    Some conclusions and my thoughts about the Trusted Platform Module

    I’ll write what I think about this to everyone, okay? See:

    Trusted Platform Module Settings

    I found out purely by chance that it turns out that Windows has Trusted Platform Module settings, and I didn’t even know it! How to open settings? Press the Win + R buttons, then paste the command:


    I got an error here, saying that a compatible Trusted Platform Module cannot be found:


    Damn, this is a real snag. I just assumed there was a module.. no, well, I probably do have a module! But it is apparently not enabled in the BIOS. Well, okay... Have a look at your own machine, what will you have there? Will there be settings? Take a look, okay?

    And one more thing - there you can clear TPM data in the settings. I hope you understand that you don’t need to do this if you are not good at it. Go find out what kind of data is there. Or maybe you have something encrypted on your PC and if you clear the data, you won’t be able to decrypt it later. In general - I warned you

    For the TPM to work properly, you need a special update installed in Windows. It seems to be able to install automatically. And if not, then you need to download it from your motherboard manufacturer's website. Here, by "update", as I understand it, we simply mean the TPM driver, because Windows can install drivers itself, pulling them from the Internet..

    That's it. Good luck and patience, see you again, gentlemen!

    04.11.2018