Windows 11: Microsoft explains TPM usage

The pre-release builds of Windows 11 so far can only be installed on desktop PCs, notebooks and tablets that contain a Trusted Platform Module (TPM) conforming to the TPM 2.0 specification. In a blog post, Microsoft security expert David Weston explains what Windows 11 uses the TPM 2.0 (or fTPM 2.0) for. In essence, the TPM is meant to underpin so-called "zero trust" concepts.

Weston names four functional areas. Overall, the goal is a general strengthening of the security and trustworthiness of the Windows platform. He mentions virtualization-based security (VBS), already used in Windows 10, together with the hypervisor-protected code integrity (HVCI) function. For VBS, a TPM has so far been optional; according to Microsoft's documentation, however, the key that VBS uses for sealing can be protected better with a TPM.

David Weston also mentions Secured-core PCs with strong protection against manipulation of the firmware (UEFI BIOS). As explained in the article "Basic information about the Trusted Platform Module TPM 2.0", this involves a dynamic root of trust for measurement (DRTM), which uses TPM PCR 17. Whether strongly protected PC firmware, for example with functions such as Boot Guard, will consequently also be among the "requirements" for PCs carrying the Windows 11 logo is something Weston leaves open.

"Hello" instead of passwords

TPMs are also meant to enable passwordless authentication with the Windows Hello and Windows Hello for Business functions. So far, TPMs can optionally be integrated into Windows Hello for Business. TPM usage by Windows Hello would therefore be new in Windows 11.

Finally, Weston also mentions TPM support for the cloud function Microsoft Azure Attestation. Here, cryptographic methods and hardware trust anchors (roots of trust) such as a TPM provide evidence that certain protective functions are present and that policies are being complied with, for example before confidential and sensitive data is exchanged. So this is about functions for using confidential computing in trusted execution environments (TEEs).

Reference to "Pluton" and CET

Microsoft wants to make use of more hardware security features with Windows 11. The "Pluton" security controller, for example, is to be built directly into processors and systems-on-chip from AMD, Intel and Qualcomm, which Weston also mentions.

To protect against malware attacks using return- or jump-oriented programming (ROP/JOP), Microsoft has long been working on hardware-enforced stack protection (such as a shadow stack), which in turn uses the Control-flow Enforcement Technology (CET) of newer AMD and Intel processors, or Arm PAC. That, however, works independently of a TPM.

Windows 11 without TPM?

Whether Microsoft will make a TPM 2.0 mandatory for a Windows 11 upgrade is still unclear. Currently there are only preview versions of Windows 11, so no final installer yet. Tinkerers have already found several ways to install these pre-release builds on hardware without a TPM 2.0 as well.
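The platform state the article touches on in the VBS/HVCI paragraph and in this section can be read from a machine before an upgrade. This is an added example, not code from the article, Microsoft or David Weston; it uses the standard Win32_Tpm and Win32_DeviceGuard WMI classes and the Confirm-SecureBootUEFI cmdlet, and the function name is my own.

```powershell
# Added example (not from the article): report TPM 2.0 presence, VBS/HVCI
# state and Secure Boot on the local machine. Run from an elevated prompt.

function Get-Win11SecurityReadiness {
    # TPM: Win32_Tpm exposes the spec version as a string such as "2.0, 0, 1.38";
    # the first comma-separated field is the specification level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # VBS/HVCI: Win32_DeviceGuard reports VBS state (2 = running) and the list of
    # security services actually running (1 = Credential Guard, 2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Secure Boot: the cmdlet throws on legacy BIOS systems, which we treat as off.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    [pscustomobject]@{
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $tpmSpec
        TpmIs20        = ($tpmSpec -eq '2.0')
        VbsRunning     = $vbsRunning
        HvciRunning    = $hvciRunning
        SecureBootOn   = $secureBoot
    }
}

$state = Get-Win11SecurityReadiness
$state | Format-List

# Point out gaps relevant to the TPM-backed functions the article lists.
if (-not $state.TpmIs20) {
    Write-Warning 'No TPM 2.0 reported: VBS key sealing, Windows Hello and attestation cannot rely on it.'
}
if (-not $state.VbsRunning) {
    Write-Warning 'VBS is not running; HVCI cannot be active without it.'
}
elseif (-not $state.HvciRunning) {
    Write-Warning 'VBS is running but HVCI (memory integrity) is not enabled.'
}
if (-not $state.SecureBootOn) {
    Write-Warning 'Secure Boot is off or unavailable (legacy BIOS).'
}
```

Many firmware setups expose a discrete TPM or fTPM that is present but disabled, so a missing Win32_Tpm instance is worth checking in UEFI setup before concluding the hardware has no TPM.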

For more on TPM 2.0, listen to the audio podcast Bit-Rauschen ("bit noise"), episode 2021/14.
