Microsoft's TPM message muddle: Clarifying Windows 11 demands
Recently, Microsoft has faced communication difficulties regarding the description of Windows 11 hardware requirements and the justification for the need for TPM. Various general statements have been made, even though the subject could be explained more simply, quickly, and accurately.
The best (though still somewhat chaotic and mixed) explanation of the need for TPM by Microsoft is a video from the MS Mechanics channel from over three years ago. This video provides examples of what types of attacks are blocked by using TPM. Unfortunately, it discusses several topics at once, including RDP, Secure Boot, DMA protection, and UEFI, which gives the impression that these subjects are more interconnected than they actually are.
However, this description is much better than what Microsoft prepared in December. The December explanation praised TPM with arguments such as compliance with ISO standards, "isolation of cryptographic processes and keys" (a semantic overreach), Windows Hello, BitLocker, and "preparation for future use in the age of AI." While the earlier explanation was chaotic, the recent one simply states that TPM is advantageous and, therefore, will be mandatory.
Why TPM?
To clearly explain the benefits of TPM, it's necessary to separately consider several related technologies. Even Windows itself, through the Windows Security window, presents these issues separately, indicating missing, partial, or full compliance with the new hardware security model. What does this compliance entail, or rather – what do we miss without it?
Without installation in UEFI mode (booting from UEFI firmware instead of the classic BIOS/MBR path), you will not get support for Secure Boot, which means the computer will not block attempts to load malicious software that starts even before drivers and antivirus load (such as the most aggressive rootkits and ransomware). Computers with UEFI have been available for about 12 years.
Hardware security
A suitably new UEFI version also allows for the activation of DMA protection, which can prevent malicious Thunderbolt devices from accessing memory directly and bypassing security measures. Thunderbolt devices with USB-C plugs were introduced in 2015. The presence of Thunderbolt ports nearly guarantees support for DMA protection.
Memory integrity protection (hypervisor-protected code integrity, HVCI) introduces mechanisms that prevent malicious software from running inside the system kernel, which would otherwise have read/write access to the memory the kernel is loaded in. CI forces drivers to adhere to strict memory management discipline. Platforms whose drivers comply with this discipline have only been developed since 2018.
HVCI, however, has additional requirements. Since the entire mechanism utilizes virtualization, it needs SLAT, IOMMU, UEFI 2.6, and Secure Boot. For cryptography, it also requires... TPM 2.0. Apart from HVCI, the demand for TPM 2.0 also arises from other functions.
Windows Cryptography API: Next Generation (CNG) can unlock private certificate keys held in the TPM. Windows also supports virtual smart cards stored as entries in the TPM. Hardware keys and biometrics used for authentication within Windows Hello for Business can also be secured with the TPM.
BitLocker... somewhat
Finally, TPM is also used by BitLocker (although it only needs version 1.2). This applies even in the variant with a PIN. When the TPM detects a change in the boot configuration, it refuses to release the key and BitLocker asks for the recovery key, which keeps criminals away from the data. The idea behind Windows 11's stringent requirements is that it becomes impossible to fake the conditions that indicate a secure state (TPM) or extract security-sensitive information from memory (HVCI, DMA protection, Secure Boot).
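As an added example (not from the article), the following PowerShell function reports each of the building blocks discussed above separately, the way the Windows Security app does: firmware mode and Secure Boot, TPM presence and spec version, VBS/HVCI and DMA protection availability, and BitLocker protectors on the system drive. It assumes an elevated session on Windows 10/11; the `Get-Win11SecurityBaseline` name is my own.

```powershell
# Added example: enumerate the hardware security features the article discusses.
# Run from an elevated PowerShell session; the TPM and BitLocker queries need admin rights.

function Get-Win11SecurityBaseline {
    $report = [ordered]@{}

    # 1. UEFI vs legacy boot. Secure Boot can only exist under UEFI;
    #    Confirm-SecureBootUEFI throws on legacy BIOS machines.
    $report['FirmwareType'] = $env:firmware_type
    try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $report['SecureBoot'] = 'not supported (legacy BIOS)' }

    # 2. TPM presence, readiness and spec version
    #    (1.2 is enough for BitLocker; Windows 11 and HVCI want 2.0).
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report['TpmPresent']     = [bool]$tpm
    $report['TpmSpecVersion'] = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }
    $report['TpmReady']       = if ($tpm) { (Get-Tpm).TpmReady } else { $false }

    # 3. Virtualization-based security state from the DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $report['VbsRunning']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $report['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)
    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection (firmware/IOMMU support)
    $report['DmaProtectionAvailable'] = ($dg.AvailableSecurityProperties -contains 3)

    # 4. BitLocker on the OS volume and which key protectors are in use
    #    (e.g. Tpm, TpmPin, RecoveryPassword).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report['BitLockerProtection'] = if ($vol) { $vol.ProtectionStatus } else { 'n/a' }
    $report['BitLockerProtectors'] = if ($vol) { $vol.KeyProtector.KeyProtectorType -join ', ' } else { 'n/a' }

    [pscustomobject]$report
}

Get-Win11SecurityBaseline | Format-List
```

A machine that shows `HvciRunning` as False while `TpmSpecVersion` starts with "2.0" and `VbsRunning` is True usually just has memory integrity switched off in Windows Security, not missing hardware.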
All these mechanisms are optional. But they are not unnecessary – unless the computer is used solely for entertainment. If we are unconcerned about identity theft, the theft of our work and passwords, or undetectable spying, the “new” (i.e., introduced since 2012) security mechanisms are indeed unnecessary.
Even using a PC for gaming is not a sufficient excuse in the era of ubiquitous accounts and subscriptions. However, Microsoft is aware of the consequences of password leaks today and applies protective mechanisms even in laptops with the Home version of the system.
Not this era
The days when the only important password was email without two-factor authentication – whose takeover would have been just a temporary inconvenience – are simply over. Although Microsoft seems unable to communicate new needs in a marketing sense, its technical documentation dispels all doubts. Nonetheless, Windows 11 can operate without all these security features and remains installable even on sixteen-year-old Nehalem processors.