TPM 2.0 on an HP laptop. A Step-by-Step Guide to Using TPM Services in Windows Vista

According to the Japanese company Trend Micro, in 2002 malware caused a loss of $378 million. In 2004, 37.8 million infected computers were counted, an 8% increase over 2003. Judging by the monthly statistics, this year another increase in the number of infected computers is expected, but the growth rate will be lower than in previous years, mainly due to countermeasures. For IT managers and administrators, the conclusion is logical: they must prevent the intrusion of a virus, as well as the execution of foreign code or program fragments.

This approach should be distinguished from common security measures such as virus scanners, firewalls, and demilitarized zones (DMZs). Quite a number of software vendors offer a wide range of security products, but the result is far from satisfactory. The main reason is that none of the listed concepts has so far addressed both the software and the hardware side of the problem. The Trusted Computing Group aims to change this situation with the release of Trusted Platform Module (TPM) solutions.


Increased number of infected computers (source: Trend Micro, Inc.).

TCPA / TCG developments

The Trusted Computing Platform Alliance (TCPA) was founded in 1999. Its members included important players in the hardware and software industry such as HP, IBM, Microsoft and others. Unfortunately, the TCPA was not successful because of its structure: any one of the two hundred members had the right to postpone or reverse any decision, and reaching a compromise in some areas proved very difficult.

That is why, in April 2004, TCPA was transformed into a new consortium called the Trusted Computing Group (TCG). In the new organization, only a few companies (called "promoters") can make decisions. Today these include AMD, Hewlett-Packard, IBM, Intel, Microsoft, Seagate, Sony, Sun, and Verisign. The remaining members, nearly a thousand in number, are called "contributors" or "adopters". They participate in the work on draft specifications or simply get early access to various new developments.

Among the outputs of TCPA / TCG is the "Trusted Platform Module" (TPM), formerly called the "Fritz Chip" after Fritz Hollings, an American Senator known for his passionate support of digital rights management (DRM).

TPM is usually implemented as a chip on the motherboard that is integrated into the system boot process. When the computer is turned on, it checks whether the system is in a trusted state.

Trusted Computing Group objectives

One of TCG's goals was to create a "safe computer" in which the hardware, software, and all communication processes are checked and protected. The word "communication" should be understood here in a general sense, since it also includes interactions between different parts of the software. Below are the main objectives set by TCG.

  • Data security.
    Only authorized users can read the data. The security of data transmission to and from the computer must be ensured. Personal data should not be disclosed.
  • Data safety.
    Hardware and software must ensure reliable data handling.
  • Data integrity.
    The software and data must not be altered without notice (say, by viruses or "worms").
  • Data authenticity.
    It should be possible to verify the identity of the sender and the recipient as well as the data service (via the "attestation" process). Each TPM chip can be uniquely identified, so it is unambiguously tied to its system.

Of course, the capabilities of a trusted platform are not limited to one computer - all modern forms of communication can be included. TCG's vision encompasses mobile phones and PDAs, as well as input devices, storage devices and certificates. Security devices such as a fingerprint or iris scanner can be used as TPM extensions. Development efforts in these areas fell on the shoulders of the TCG subgroups. One of these subgroups is TNC (Trusted Network Connect), which deals with the security of network connections.

Worth noting is a technology that is often confused with the concept of trusted computers - DRM. The task of DRM is to prevent unauthorized copying of digital information - movies, music, text, etc.

Of course, trusted computing technology provides the technical ground for such ideas. But so far, no one has ventured to explicitly implement digital copyright protection. Perhaps this is due to the harsh criticism that Microsoft received for the Palladium platform. It was reworked by Microsoft and now exists under the name "Next Generation Secure Computing Base" (NGSCB). But what we have is nothing more than old wine in a new bottle ...


Steps in the development of security concepts (source: Intel).

Recent developments clearly show the evolution of security measures. At the very beginning, the solutions were purely software. Then came isolated applications with their own hardware - for example, smart cards for banking programs.

The next step was the rough outline of TPMs, which in their modern form are solutions like the "Fritz chip". The first hardware maker to adopt Trusted Computing was IBM: the ThinkPad T23 was equipped with an Infineon TPM.

The first step beyond the initial TPM concept was the introduction of the technology called Execute Disable Bit (XD) by Intel, No Execute (NX) by AMD, and Data Execution Prevention (DEP) by Microsoft. This technology fights buffer overflow attacks: memory is divided into regions from which code can execute and regions from which execution is prohibited. However, this feature must be supported by the processor, the operating system, and the applications. Among operating systems, the function is supported by Microsoft Windows Server 2003 SP1, Microsoft Windows XP SP2, Windows XP Professional x64, SUSE Linux 9.2 and Enterprise Linux 3 update 3.


Diagram of the TCG system.

TPMs (current version 1.2) compute a so-called hash of the system using the Secure Hash Algorithm (SHA1). The hash value is derived from information about all key components, such as the video card and processor, combined with the software elements (the operating system, among other things).

The computer will only start in an authorized state when the TPM obtains the correct hash value. Once the check passes, the operating system gains access to the encrypted root key, which is required by applications and for access to TPM-protected data. If an incorrect hash value is obtained during boot, the system is considered untrusted, and only ordinary, unprotected files and programs will work on it.

Today's Trusted Platform Module (TPM) manufacturers include Infineon, National Semiconductor (although its TPM division was recently sold to Winbond), and Atmel. In addition, there are TPM-integrated chips from Phoenix / Award, processors from Transmeta and network controllers from Broadcom that are used by Hewlett-Packard. Seagate has announced its decision to release TPM-integrated hard drive controllers.

In the area of programs using installed TPMs, Wave Systems offers the Embassy Security Center environment, the complete Embassy Trust Suite (document management, digital signature management) and the CSP Toolkit (Cryptographic Service Provider) for Windows programmers. IBM offers the ThinkVantage suite (primarily in conjunction with its TPM-enabled ThinkPad notebooks) and Utimaco provides the SafeGuard Easy data encryption software. Check Point sells a suite of products for a range of IT infrastructure tasks, and Adobe offers Acrobat version 6, which allows you to work with PDFs using the TPM.

However, there are also spin-off technologies and improvements whose security properties are implemented even more rigorously. Examples include Intel LaGrande technology, ARM TrustZone, and AMD Presidio, due in 2006. A separate operating system security engine (Nexus in the case of Microsoft Vista) links the TPM and the security components of trusted applications. With this support, the user can verify that all hardware components are TCG-authorized, that the installed applications are signed, and that none of the components has an incorrect signature or serial number.

If changes to the hardware configuration are identified, the TPM can re-certify the new components online. The operating system with the Nexus security kernel runs in memory areas protected by the processor (remember Data Execution Prevention), and the data of trusted applications cannot be changed externally.

The current version 1.2 of TPM has some nice features. "Direct Anonymous Attestation" (DAA) provides improved communication with other trusted clients. "Locality" introduces different levels of TPM security. "Delegation" differentiates the security privileges of different users. "NV Storage" provides better use of non-volatile memory. "Transport protection" improves data transfer to non-TPM systems, and "Monotonic Counters" track each operation to prevent so-called "replay" attacks.

Comparison of technology with Intel AMT

We need to at least briefly discuss Intel Active Management Technology (iAMT). Intel approaches the platform topic with a complete management suite that addresses both administration and security needs, under the slogan "Discover, Heal and Protect". Intel provides centralized management that discovers computers regardless of their state and operating system, reduces the time needed to fix a failure, and makes it easier to manage the protection of computers against malware. The most powerful product to date is the Intel ATX motherboard D945GNT, which combines TC and iAMT capabilities.

Risks, hazards and consequences of TPM

With each release of improved security technology, you can expect a flood of criticism and skepticism from people willing to challenge any innovation. But what are the real risks and dangers?

Today, the most obvious effort by the music and video industry is to force all computer users to conform to the DRM paradigm. As soon as most computer components support TPM and the operating system (such as Windows Vista) can work effectively with the TPM, copyright owners will be able to fully track the stored data.

The "first sign" is Microsoft's attempt to make Media Player update its DRM without the user's knowledge. As a result, the question arises: what data on the computer can be considered legal, and how is all this to be handled? Looking toward countries like Cuba or North Korea, there is a danger here in the form of new censorship opportunities. For example, hardware protection could permit the display only of text and images that have passed the censorship of a given country.

Admittedly, all this leaves a rather unpleasant aftertaste for users, resembling a "black box". Indeed, with constant monitoring of all computer procedures, one can easily obtain all the necessary information about the user and his work.

Systems with TPM

For testing, we received a pre-production sample of the HP Compaq DC7600 computer. Unfortunately, apart from the TPM chip itself, the computer's hardware is not ready for the TPM concept. The HP / Altiris administration software is far from complete, and HP does not provide any other TPM software or even a way to encrypt hard drive partitions. Also, the current Windows XP, even the latest x64 version, cannot take full advantage of the TPM or its encryption features. So the entire description of the computer's possible TPM functions is based on information from HP / Compaq.


The HP board uses the MicroATX form factor and can be expanded via a daughter board with two additional PCI slots.

The HP Compaq DC7600 is equipped with one of the first HP TPM motherboards. The 7x00 line includes computers with a TPM version 1.2, and they are also available as "configure-to-order". At the same time, HP has integrated not only a single TPM chip, but also a Broadcom NetXtreme BCM5752 gigabit controller that meets the latest trusted computing specifications. According to information on the Internet, activating the functions of the TC chip costs the manufacturer $10.

For TPM management, HP adds another layer of protection called "ProtectTools". It is used by the Altiris "HP Client Manager" software, which is also suitable for hardware administration. At this stage of development, ProtectTools provides only two functions: protecting identity information during user logon, and encrypting hard drives. Of course, every TPM in an HP Compaq computer can be uniquely identified.

Among the most important features of the TPM concept, HP Compaq highlights the following:

  • built-in HP ProtectTools protection provides root-key encryption;
  • "virtual smart cards" (Virtual Smart Cards) improve the operation of conventional smart cards (SmartCard and Token ID);
  • expansion of other security tools like smart cards, fingerprint readers;
  • built-in encryption of the wireless network, as well as data protection and data integrity (protection against spoofing);
  • encrypting files and folders;
  • mail encryption (keys supplied by TPM);
  • access and rights management in networks;
  • protection against hacker attacks (system attacks, DoS / network attacks);
  • secure user login, "global" user authentication.


The latest Broadcom gigabit chip supports TPM.


DC7600 open case.

The target audience of the HP Compaq 7x00 line of computers - as with the concept of trusted computers in general - is the networks of medium and large companies. These networks will benefit greatly from the centralized management features as well as the higher security and protection characteristics of the TPM. HP currently sells its line of computers in three versions: ultra-slim desktop, desktop and tower.

We got a mini tower that can also be laid on its side thanks to the rubber feet on the right side of the case. The case, apart from the cheap plastic front panel, has a high build quality, which is why it is heavy. Many details are well thought out: for example, the case door can be opened quickly. Likewise, CD / DVD drives and hard drives are installed without screws. If you need to add a new drive, attach the rails to it and insert it into the bay.

The chassis offers ample room for two additional 5.25" drives, one 3.5" drive, and a floppy drive. The power supply with active cooling produces a maximum of 345 watts.

In addition to the TPM extension, we have a typical motherboard based on the 945 chipset with integrated video (Intel GMA950) and sound (AC97). The available ports are broadly those of a typical office computer. There are six USB 2.0 ports and a Gigabit Ethernet interface on the back, and two USB 2.0 ports plus audio in and out on the front. You won't find FireWire ports, DVI outputs, or S-Video connectors.


Back and front view of the case.


You will find these ports on the front and rear panels.


Four PCI slots. Between them, you can see the connector with which the expansion card is connected to the motherboard.

In smaller form factor cases, HP uses the exact same MicroATX motherboard. And in large cases (like ours) a daughter board is connected to it, providing additional PCI slots. The board itself has two 32-bit PCI slots, but they can be expanded with two more using the mentioned daughter board.

Technical specifications

CPU: Intel Pentium 4 Processor 630 (3.0 GHz, 2 MB L2 cache)
Memory: 2x 256 MB DDR2 (PC2-4200 / DDR2-533)
Memory slots: 4 DIMM
HDD: 80 GB (7200 rpm)
Drive bays: 3x 5.25", 1x 3.5", 2x internal 3.5"
CD / DVD drive: DVD-ROM 16x / 48x
Floppy drive: 1.44 MB
Hard disk controller: SMART III Serial ATA 3.0 Gb/s
Case: Mini tower
Graphics interface: PCI Express x16
OS: Microsoft Windows XP Professional, Microsoft Windows XP Home and SuSE Linux
Slots: 2 full-height PCI, 1 full-height PCI Express x1, 1 full-height PCI Express x16 (2 additional full-height PCI slots via the daughter board)
Sound: Built-in High Definition Audio with 2-channel Realtek ALC260 codec
Network: Integrated Broadcom NetXtreme Gigabit TPM Controller (BCM5752)
Network cards: Intel Pro 1000 MT Gigabit NIC (x1 PCI Express)
External I/O ports: Rear: 6x USB 2.0, 1x serial, 1x parallel, 2x PS/2 for keyboard / mouse, 1x RJ45 for network, 1x D-SUB VGA, audio ports; front: 2x USB 2.0, headphones

IBM has been providing embedded TPM solutions for some time. With the release of the T23 ThinkPad notebooks, passwords and keys can be stored securely, data can be encrypted locally, and VPNs can be more secure.

Today, more and more computers are equipped with TPMs, and the user is often unaware of it. When we got the Dell X1 laptop into the lab, we found it was equipped with the same Broadcom BCM5752M TPM-enabled NIC.

Conclusion

Trusted Computing is a smart technology approach that provides intelligent solutions to many, though not all, security risks. The concept offers more convenient and powerful solutions than other approaches.

The additional hardware costs are low, and especially in a corporate environment with a large IT infrastructure, TPM can be of great benefit. In the near future, processors that support trusted computing should appear. LaGrande (Intel) and Presidio (AMD) technologies are technically similar, allowing you to implement a "protected" system kernel. In addition, the processors support additional unprotected system partitions, which will work well when paired with Vanderpool and Pacifica technologies (Intel / AMD).

We have no doubts about the success of TPM platforms. The risks associated with a new technology (as with any other, in fact) exist only in connection with the misuse of its potential, which is fueled by the aggressive statements of some politicians tied to the huge influence of the music and film industries. Unfortunately, HP / Compaq was unable to provide us with even a beta version of the software, which did not allow us to take a closer look at the potential of TPM.

Until trusted computing becomes a reality in corporations, TPM-enabled components will be dormant. With the release of Windows Vista, we will once again return to TPM technology, and this time more closely.

The constantly growing number of "worms", viruses and basic holes in modern operating systems and network services forces IT professionals to develop ever more information security tools. Previously, predominantly software solutions were used - hardware-based solutions were not available to everyone. Now, thanks to TPM (Trusted Platform Module) technology, these solutions have reached the masses and have become available to everyone. In this appendix, we'll talk about what TPM is and why it makes sense to use it in an enterprise.

TPM is a microcontroller designed to implement basic security functions using encryption keys. The TPM chip is installed on the computer's motherboard and communicates with the rest of the system via the system bus.

The concept of "trusted platform modules" (the expansion of the abbreviation TPM) belongs to the Trusted Computing Group (TCG) consortium, which has existed since 2004.
The TPM technology itself did not appear in 2004, but earlier. In 1999, the Trusted Computing Platform Alliance (TCPA) was created. This alliance included the most important hardware and software developers - IBM, HP, Microsoft, etc. Despite the eminence of the participants, the activities of the alliance resembled the famous fable about the swan, the crayfish and the pike: each pulled the cart its own way (each member of the alliance had the right to veto decisions by other members), so TPM evolved rather slowly.


In 2004, the TCPA alliance was transformed into the Trusted Computing Group consortium. The structure of this organization is different. Important decisions can only be made by select companies (called promoters). These companies are now Intel, HP, IBM, AMD, Seagate, Sony, Sun, Microsoft and Verisign. The rest of the companies (more than a thousand of them) have the right only to participate in the development of draft specifications or simply get earlier access to new developments.
The main product of TCPA / TCG is the "Trusted Platform Module", formerly called the "Fritz Chip". It was named after US Senator Fritz Hollings, known for his support of Digital Rights Management (DRM).

The main task of TPM is to create a secure computer in which all communication processes, as well as hardware and software, are checked and protected. Communication security here does not mean securing a network connection, but protecting the interaction between individual parts of the system (for example, the OS).
The TPM can also be used to verify data integrity and authorship. Only authorized users should have access to the data, while the security of the transfer of the information itself should be ensured. Integrity checking will protect the system from viruses, worms and other programs that change data without notifying the user.
When developing TPM, the task was not to create a module only to protect personal computers or laptops from viruses - this technology can be used to secure mobile phones, PDAs, input devices and disk drives. Biometric identification devices can be used together with it. A separate division of TCG, Trusted Network Connect (TNC), is responsible for securing network connections. We will not consider the fruits of TNC's activities, only TPM.

For example, you can install a TPM-enabled hard drive (Figure A37). Seagate has been producing such hard drives for a long time (Momentus 5400 FDE.2). But Seagate is far from the only manufacturer of encrypting hard drives. Other manufacturers, such as Hitachi, also produce "cryptographic drives". So you have a choice of hardware (you can read about other manufacturers of hardware and software with TPM support at www.tonymcfadden.net).

How TPM works

As noted, the TPM is implemented as a chip on the motherboard. The TPM chip is integrated into the computer boot process and checks the system hash, computed with the SHA1 (Secure Hash Algorithm) algorithm over information about all computer components, both hardware (processor, hard disk, video card) and software (OS).
During boot, the chip checks the state of the system, which can only be started in the authorized state, and that is possible only if the correct hash value is obtained.
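The two descriptions above (the SHA1 system hash that TPM 1.2 builds from the measured components, and the root key that the operating system only receives when that hash is correct) map onto two TPM operations: PCR extend and sealing. The following Python model is an added example, not code from the article or from any TPM vendor. The extend rule (new PCR = SHA1(old PCR || measurement)) is the real TPM 1.2 rule; the boot chain images, the root secret and the wrapping scheme inside `ToyTpm` are constructed stand-ins for the chip's key hierarchy, so the block runs offline and shows why a changed boot component makes the sealed key unrecoverable.

```python
"""Toy model of TPM measured boot: PCR extend plus sealing a key to a PCR.

Added example (not from the article). The SHA-1 extend rule is how TPM 1.2
PCRs really work; the sealing below is a simplified simulation, not the
real TPM protocol or key hierarchy.
"""
import hashlib
import hmac
import os

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA1(old PCR || measurement).

    A PCR can only be extended, never written directly, so the final
    value depends on every measurement and on the order they arrived in.
    """
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(components: list) -> bytes:
    """Model of measured boot: hash each component image and extend the
    digest into one PCR, starting from the reset value (all zero bytes)."""
    pcr = bytes(PCR_SIZE)
    for image in components:
        pcr = pcr_extend(pcr, hashlib.sha1(image).digest())
    return pcr


class ToyTpm:
    """Simplified sealing: the key is released only if the current PCR equals
    the PCR recorded at seal time. The wrapping is a toy (HMAC-derived pad
    with a fresh nonce per blob), standing in for the chip's key hierarchy."""

    def __init__(self, root_secret: bytes):
        self._root = root_secret  # never leaves the "chip"

    def _pad(self, pcr_value: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._root, pcr_value + nonce, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_value: bytes) -> dict:
        if len(secret) > 32:
            raise ValueError("toy scheme wraps at most 32 bytes")
        nonce = os.urandom(16)
        pad = self._pad(pcr_value, nonce)
        ciphertext = bytes(a ^ b for a, b in zip(secret, pad))
        return {"pcr": pcr_value, "nonce": nonce, "ct": ciphertext}

    def unseal(self, blob: dict, current_pcr: bytes):
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            return None  # platform state differs: refuse to release the key
        pad = self._pad(current_pcr, blob["nonce"])
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))


# Constructed boot chains (placeholder strings, not real firmware images).
GOOD_BOOT = [b"BIOS 1.00", b"MBR", b"bootmgr", b"ntoskrnl.exe"]
TAMPERED_BOOT = [b"BIOS 1.00", b"MBR with bootkit", b"bootmgr", b"ntoskrnl.exe"]


def demo():
    """Seal a disk key on a clean boot, then try to unseal it twice:
    once with the same boot chain, once after one component changed."""
    tpm = ToyTpm(root_secret=b"constructed-root-secret-for-demo")
    volume_key = bytes(range(16))  # stands in for a disk-encryption key
    sealed = tpm.seal(volume_key, measure_boot(GOOD_BOOT))
    unchanged = tpm.unseal(sealed, measure_boot(GOOD_BOOT))
    tampered = tpm.unseal(sealed, measure_boot(TAMPERED_BOOT))
    return unchanged == volume_key, tampered is None


if __name__ == "__main__":
    released, withheld = demo()
    print("key released on unchanged platform:", released)
    print("key withheld after a boot component changed:", withheld)
```

The point to take from the model is that the TPM never compares component hashes one by one; it compares a single chained digest, so one altered byte anywhere in the chain, or the same components measured in a different order, yields a different PCR and the sealed key stays locked.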

Configuring TPM on Windows

The following guide describes how to use TPM services in Windows Vista:
http://www.oszone.net/display.php?id=4903.
Windows Vista and Windows Server 2008 use BitLocker Drive Encryption technology, which is closely tied to trusted platform modules (Figure A38). You can read about configuring BitLocker in Windows Server 2008 and Vista (Fig. A39, A40) here:
http://www.securitylab.ru/contest/300318.php; http://www.oszone.net/4934/VistaBitLocker.

TPM Ready Systems

Ready-made TPM computers, both laptops and desktops, have been on the open market for a long time. Typically, such systems are produced by renowned manufacturers such as HP, so their price may carry a slight brand premium.
Those who want to save money can buy hardware with TPM support and assemble the system themselves. Suitable motherboards are produced by many manufacturers, for example ASUS (M2N32-SLI Premium), MSI (Q35MDO), etc. (Fig. A41).

Why TPM is needed

Firstly, TPM means an increase in the overall security of the system and additional protection, implemented at the hardware level, against viruses, "Trojans" and other computer vermin. And as we know, security, especially in the enterprise, is not something to skimp on.
Secondly, TPM means hard drive encryption. TPM allows you to find a trade-off between security and performance.
Since encryption is done in hardware, there is little to no performance impact.
Thirdly, with the TPM you can do without a password altogether by using the user's fingerprint instead. Admittedly, it is a pretty effective solution. Yesterday we saw such systems in science-fiction films, but today they are already a reality.

It is important to remember that TPM is not a universal remedy or a panacea for all computer woes. Nobody has done away with a good antivirus and firewall. TPM was designed more to protect the interests of the software giants: to prevent the user from running unlicensed software. From this point of view, it is not yet clear whether TPM is good or bad, given the amount of unlicensed software in this country. Let's face it - there is a lot of pirated software.
Also, do not forget the human factor. A person can deliberately give away the password to his system, write it down on a yellow sticky note stuck to the monitor, or simply set a very simple password that is easy to guess. In this situation, TPM will definitely not help. Here software comes to the rescue, namely access control systems, but that's another story.




Hi everyone! Today we will talk about the Trusted Platform Module and find out what it actually is. It's a bit complicated, but I gathered that the Trusted Platform Module (TPM) is a module located on the motherboard that stores cryptographic keys to protect information. There is version 1.0, and the more advanced, modern 2.0.

There is also TPM 1.2, which was released on March 3, 2011. So we can conclude that the technology is not so new, but has existed for quite a while.

As I understand it, the Trusted Platform Module is used in encryption algorithms, making them even more secure.

The trick is that the TPM module can help encrypt and decrypt. But to decrypt, you need cryptographic keys. And these keys are stored in the chip itself. That's the kind of complex technology this is.

Aha! There is also this: the module is able not only to create these keys, but also to bind them to the hardware. Do you see? Decryption is possible only if the configuration of the computer at the time of encryption matches the one it has now .. in short, it's serious.

The chip also takes part in the BitLocker Drive Encryption technology (encryption of the contents of PC drives).

I found a strange picture .. TPM is mentioned here, but what the kitchen stove has to do with it is anyone's guess:


What does this all mean and who is behind it?

Chip appearance

Here is His Majesty the TPM chip itself (separately, not on the motherboard):

Hmm, I wonder if it is possible to buy a new one .. and replace it? Well, for example, if the old one broke down or burned out ... and judging by this picture, it seems you can indeed buy one:


Well, what can I say here? Cool in general. But if you buy a new chip, will it be possible to decrypt the data that was encrypted by the old chip? Now that is an unrealistically serious question!

Here is the actual chip on the motherboard:


Judging by the appearance and design, it is really possible to replace it at home, so to speak.

BIOS option TPM Device

Well, here is the Trusted Platform Module option itself in the BIOS - you can enable (Enabled) or disable (Disabled):


The name may also be TPM Device or .. TPM Embedded Security (sorry for the quality, gentlemen):


The BIOS may also have the Discrete TPM FW Switch option (Security section):


I found out that Discrete TPM FW Switch is discrete chip control. Discrete, that is, the chip that can be changed or removed, so to speak. Then a thought struck me - can there be two TPM chips on the motherboard? Integrated and discrete? And now they are managed in the BIOS .. in short, I don't know ..

Another example is the TPM SUPPORT, TPM State, Pending TPM operation options:


Conclusion - the options depend on the motherboard. If the TPM chip is enabled in the BIOS, then in your Device Manager (to open it - Win+R > devmgmt.msc) there will be such a device in the Security devices section:

As you can see, the version is indicated next to the device - the picture above shows the outdated 1.2, and you may have a modern 2.0 (depending on the motherboard's release year). So, wait! If the version of the chip is outdated, is it really possible to replace the old chip with a new one? Just thoughts, but I think the replacement is quite feasible.

Also in the System devices section there may be an Infineon Trusted Platform Module:

Some conclusions and my thoughts on the Trusted Platform Module

I'll write everything I think about it to everyone, okay? See:

Trusted Platform Module Settings

Purely by chance I found out that Windows has Trusted Platform Module settings, and I didn't even know! How do I open the settings? Hold down Win+R, then enter the command:


I opened it and, oops, here it tells me it cannot find a compatible TPM:


Well, damn, that's a letdown. I was sure that the module .. no, well, I probably do have a module! But apparently it is not enabled in the BIOS. Well, okay .. Take a look yourself and see what you get there. Will the settings open? Have a look, okay?

And one more thing - in the settings you can clear the TPM data. I hope you understand that this is not necessary if you don't know what you're doing. Who knows what data is there. Maybe you have something encrypted on your PC, and if you clear the data, you won't be able to decrypt it later. In general - I warned you.

For the TPM to work normally, a special update must be installed in Windows. It seems to be able to install itself automatically. And if not, then you need to download it from your motherboard manufacturer's website. By the update, as I understand it, I mean the TPM driver, because Windows can install drivers itself, pulling them from the Internet ..

That's all. Good luck and patience, until we meet again gentlemen!

04.11.2018

Philosophers of the past loved to talk about freedom. "Those who are willing to give up their freedom in order to acquire short-lived protection from danger do not deserve either freedom or security," Benjamin Franklin argued. "A person cannot be either a slave or a free one. He is either free or not at all," Jean-Paul Sartre said categorically. "Freedom is a realized necessity," the Marxists quoted Benedict Spinoza as saying.

What is freedom? Is it important for a person to be free, and is he ready to exchange freedom for security? The occasion for thinking about this topic went unnoticed by the general public. In the summer of this year, the JTC1 Technical Committee voted to approve, under the simplified PAS procedure, a new version of ISO/IEC 11889:2015, which was presented by the Trusted Computing Group (TCG) consortium, founded by the American companies AMD, Cisco, HP, IBM, Intel, Microsoft and Wave Systems. And on June 29, in Portland, Oregon, TCG announced that its Trusted Platform Module (TPM) 2.0 standard had finally been approved as international.

TPM benefits

TPM is the name of a specification that describes a crypto module that stores cryptographic keys to protect information. Put more simply: it is an information security module that can be installed in servers, personal computers, network and mobile devices. It supports remote attestation, which links the hardware and software of a computer.

The module is convenient for copyright holders, as it allows them to check software licensing and control illegal copying of music, films or computer games. It uniquely identifies the computer and allows the user to be authenticated. At the same time, TPM makes it possible to generate keys, has hashing functions, and generates random numbers.

The hardware capabilities of TPM are very limited in power, and it does not directly encrypt large amounts of data at high speed. Bulk encryption of files on disk can be performed by the Windows BitLocker program. In this case, the encryption keys used are themselves encrypted using the TPM, which rules out their theft.

Thus, the TPM together with Windows BitLocker can encrypt a disk, protect data if the computer is lost or stolen, protect the boot chain and the software it loads from modification by viruses, and safeguard banking and e-mail programs that rely on keys held in the module.
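To make the sealing mechanism described above concrete, here is an added example (not from the article, and not BitLocker or TPM code): a pure-Python model in which boot components are measured into Platform Configuration Registers (PCRs) by hashing, and a volume key is sealed so that it is released only if the PCRs hold the same values they held at sealing time. hashlib/hmac stand in for the chip, the "cipher" is a toy HMAC keystream chosen only to keep the example dependency-free, and the PCR numbers and measured strings are illustrative assumptions, not the real BitLocker PCR profile.

```python
"""Model of TPM PCR extend + seal/unseal (added example, not real TPM or BitLocker code)."""
import hashlib
import hmac
import os

PCR_COUNT = 8
SEALED_PCRS = (0, 2, 4)  # assumed: firmware, option ROMs, boot manager


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter-mode keystream XORed over data."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeTPM:
    """PCR extend and seal/unseal; the storage root key (SRK) never leaves the object."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # per-chip secret, generated once
        self.reset()

    def reset(self) -> None:
        """Platform reset: PCRs return to zero, the SRK survives."""
        self.pcrs = [bytes(32) for _ in range(PCR_COUNT)]

    def extend(self, index: int, measurement: bytes) -> None:
        """PCR[i] = SHA256(PCR[i] || SHA256(measurement)): one-way and order-sensitive,
        a PCR can never be set directly or 'un-extended'."""
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _composite(self, selection) -> bytes:
        """Digest over the selected PCRs (like the TPM 1.2 PCR composite hash)."""
        h = hashlib.sha256()
        for i in selection:
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _wrap_key(self, composite: bytes) -> bytes:
        """Wrapping key bound to BOTH the chip secret and the expected PCR state."""
        return hmac.new(self._srk, b"seal|" + composite, hashlib.sha256).digest()

    def seal(self, secret: bytes, selection=SEALED_PCRS) -> bytes:
        """Blob layout: [n][selection][composite][tag][ciphertext]."""
        composite = self._composite(selection)
        key = self._wrap_key(composite)
        ct = _xor_stream(key, secret)
        tag = hmac.new(key, composite + ct, hashlib.sha256).digest()
        return bytes([len(selection)]) + bytes(selection) + composite + tag + ct

    def unseal(self, blob: bytes):
        """Return the secret, or None if the PCRs differ from sealing time or the chip differs."""
        n = blob[0]
        selection = tuple(blob[1:1 + n])
        expected, tag, ct = blob[1 + n:33 + n], blob[33 + n:65 + n], blob[65 + n:]
        composite = self._composite(selection)
        if not hmac.compare_digest(composite, expected):
            return None  # boot chain changed: policy check fails before any key use
        key = self._wrap_key(composite)
        if not hmac.compare_digest(hmac.new(key, composite + ct, hashlib.sha256).digest(), tag):
            return None  # identical PCR values but a different chip (different SRK)
        return _xor_stream(key, ct)


def boot(tpm: FakeTPM, firmware: bytes, option_roms: bytes, bootmgr: bytes) -> None:
    """Constructed measured-boot sequence: each stage is measured before it runs."""
    tpm.extend(0, firmware)
    tpm.extend(2, option_roms)
    tpm.extend(4, bootmgr)


def demo() -> dict:
    """Seal a volume key on a clean boot, then replay the failure scenarios."""
    good = (b"firmware v1", b"option ROM A", b"bootmgr (signed)")
    tpm = FakeTPM()
    vmk = os.urandom(32)  # stands in for the volume master key
    boot(tpm, *good)
    blob = tpm.seal(vmk)

    tpm.reset(); boot(tpm, *good)
    same_chain = tpm.unseal(blob) == vmk
    tpm.reset(); boot(tpm, b"firmware v1", b"option ROM A", b"bootmgr (patched)")
    tampered = tpm.unseal(blob)  # modified boot manager: PCR 4 differs
    tpm.reset(); boot(tpm, *good); tpm.extend(4, b"rootkit loaded after bootmgr")
    extra = tpm.unseal(blob)  # genuine bootmgr plus one extra measurement: PCR 4 differs
    other = FakeTPM(); boot(other, *good)
    moved = other.unseal(blob)  # disk moved to another machine: PCRs match, SRK does not
    return {"same_chain": same_chain, "tampered_bootmgr": tampered is None,
            "extra_measurement": extra is None, "other_chip": moved is None}


if __name__ == "__main__":
    print(demo())
```

The design point is that the wrapping key itself is derived from the PCR state, so even an attacker who skips the explicit comparison cannot produce the right key after a changed boot chain; the real TPM enforces this inside the chip, which is why the hypervisor-based observation described later in this page has to catch the key at the moment the TPM hands it back to the OS rather than from the sealed blob.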

The module can confirm the authenticity of the computer and even the integrity of its boot state before it is allowed onto a network. In general, it significantly improves users' security, especially for those who know little about information security and cannot handle it on their own.

TPM really is an important and useful thing that significantly improves user security. But the question of the price of that security arises. If a person installs a webcam in their home, they increase the security of their home: they can monitor the apartment remotely at all times and call the police if burglars appear. But if control of the webcam is intercepted, it turns from a security device into a surveillance device. The information collected about the person becomes, correspondingly, a means of control over him. And his apartment turns into a cell, or rather into a prison.

Germany's position

The vote in ISO/IEC Technical Committee JTC 1 was predictable. Only Germany voted against. Russia abstained, though its "no" vote would not have changed anything anyway. The majority supported the American position. Nor did an unprecedented step help: members of the committee were sent a confidential letter from officials of the German Federal Ministry of the Interior and the Federal Ministry for Economic Affairs and Energy asking them to "bury" the project. Information about this document leaked to the German press and caused a great stir.

At the state level, the German authorities denied the existence of such a letter, but what else could be expected from officials in such a case. The text of the German letter, which is in the editors' possession and whose authenticity we have no reason to doubt, states that "... the specifications presented in the draft standard are not sufficiently developed for a decision to be made; in particular, as a result of careful consideration of the issue, we have reason to believe that their implementation may significantly impair the ability to control the protected ICT system, and may also potentially lead to situations in which the system's operation is completely blocked in the interests of certain manufacturers of computer equipment. In addition, we believe that the potential impact of the proposed specifications on the confidentiality of personal data and on IT security may be very problematic, and we fear that this will conflict with the relevant provisions of German law."

At the same time, German information security specialists did not oppose the TPM in principle. They were satisfied with the previous TPM 1.2 standard, under which the user retained full control over the platform: the module shipped in an opt-in state and could simply be disabled. With the TPM 2.0 rollout, they argued, the module is enabled by default and this option disappears.

In addition, they were troubled by the very way the standard was developed, with only American companies taking part. Die Zeit reported that the German government had tried to take part in developing TPM 2.0 but was refused. The paper also pointed to the standard's developers' active cooperation with the US NSA and cited assessments of TPM 2.0's security by independent experts. It warned that the TPM could be viewed as a backdoor and that there was a high probability the NSA had access to the cryptographic keys.

Air vents and windows

Experts at the German Federal Office for Information Security (BSI) were alarmed that, with the move to the TPM 2.0 specification, the module becomes mandatory for all devices certified for Windows 8.1 and later, enabled by default, and that this function cannot be deactivated by the user.

On that reading, a computer with TPM 2.0 can no longer be considered a device under the full control of its user. Concerns were raised that Windows 8 combined with TPM 2.0 could allow Microsoft to control the computer remotely through a built-in back door.

Chinese experts also read the German warning. They studied the problem, worked out the details and made a decision. In May 2014 the Chinese state news agency Xinhua reported that the government procurement authority had banned the installation of Windows 8 on government computers. This most likely covers not only computers owned by the state but also those of organisations the state controls: the largest banks, information security companies, telecoms, and other companies that choose to follow their government's recommendations.

Another internal BSI document obtained by the German paper states: "Windows 7 can be operated securely until 2020. After that, other solutions must be found for administering IT systems." And the BSI website states directly that the way Windows 8 works with TPM 2.0 "can be used for sabotage by third parties" and that its experts consider use of the new TPM version by government bodies and critical infrastructure operators unacceptable. So it looks as if neither the Germans nor the Chinese will hurry to move the public sector from Windows 7 even to Windows 8.

Russia's position

To find out Russia's position, we turned to experts: members of ISO/IEC JTC 1, the Russian companies Aquarius and Kraftway, and Microsoft, asking them to comment on how serious the German and Chinese concerns about the new standard are.

Unfortunately, the experts either ignored our questions or said they refused to answer them. The only specialist who agreed to be interviewed was Vadim Podolny, an independent expert on cybersecurity in industrial control systems.

Why is TPM good and dangerous?

The TPM, whether the most widely deployed TPM 1.2 or the TPM 2.0 now being rolled out, is a technology standard promoted by large American companies. Essentially, the TPM is a separate module that is built into computers.

Now, besides PCs, servers, terminals and network routers, we have many more new components connected to the network: industrial automation controllers, IoT devices, devices responsible for human health such as pacemakers and blood glucose meters built into watches... Through a hacker's intervention they can be made to malfunction or, conversely, to stop working at all. TPM trust modules solve an important task: trust in data, trust in the system, confirming that it will work correctly.

The TPM idea is right. There should be standard modules that give information legal significance. The concept itself is this: make a module that is hard for hackers to counterfeit and that only a large state can produce. It is like a banknote, like a way of protecting money. There is nothing wrong with that.

The question is a different one. Windows 7 had a "My Computer" icon. In Windows 10 it is called "This PC". It is no longer your computer. We are being forced into technologies that will ensure our security whether we want it or not. It is as if the state introduced Prohibition and said that from now on you will not get drunk, because society needs healthy soldiers. It is the same here.

If your computer is taken over, it means someone needs it for something. Perhaps to follow you. If you cannot disable this functionality, then it is not a protection tool. It is a passive means of attack. Gathering information is searching for a point of attack. Microsoft takes your computer away from you at your own expense: it sells you its operating system and takes control of you.

Is it possible to check if the TPM has a backdoor or not?

You can analyse the standard. But when a computer arrives whose motherboard carries a TPM not made in a factory you control, you do not know what is inside. Anything could have been added there.

But can an implant be added to any processor or controller?

Yes, of course. And the approach should be the same. In military systems, regulators will never allow the use of a chip made by an unknown party, even if it follows an open standard. That is why we have the Baikal and Elbrus processors. Russia has enough engineering capacity to design its own TPM. We cannot yet manufacture it in our own factories. The same goes for the processor. But we can design it and then check whether it was made the way we needed, or whether something was added. Such a mechanism would already allow the TPM to be used.

What should we do now when we don't have our own TPM?

Hardware trusted boot modules are the commonly used counterparts of the TPM and largely play its role. They are still in use now that TPMs have appeared on motherboards.

There is also the ability to modify the BIOS; there is the UEFI standard, which allows trusted boot modules to be created in software. In fact, such modules can host programs that emulate a TPM, which is what is done in many developments, for example in the seOS operating system certified by the FSB.

What about the Russian TPM?

We still have companies in Russia that order motherboards for their projects, for example Aquarius, Kraftway, T-Platforms, MCST and others. Each of them is quite capable of designing its own TPM. And it will most likely be created in the near future, with support for the domestic GOST cryptographic algorithms. This matters not only for defence enterprises but for a wide range of consumers obliged to comply with Federal Law 152-FZ "On Personal Data".

Why did the Germans oppose the TPM 2.0 standard so sharply?

Very simple. They want to protect their data and technology from the United States. Remember how SUSE Linux came about? It happened after it turned out that when documents were transferred from one Bundeswehr department to another, the information first ended up at the NSA. Then SUSE Linux was created in Germany and the department was moved to that OS.

In Linux, TPM 2.0 support has also been announced starting with kernel 3.2. But it can be turned off. In Windows versions above 8 it cannot. Windows is a very user-friendly operating system. It is wonderfully thought out. Tens of thousands of programmers work to make users feel comfortable. But any change imposed by force with the words "it's for your safety" is irritating. To experts, to officials and to the government.

In order not to be afraid of the TPM, you need to do special research, carry out an inspection and find out whether there is anything dangerous in it or not. This is a fairly standard procedure. Sometimes it is performed on site. It is normal practice for representatives of one country to come to the country of origin and sit in the factory for some time to understand the processes.

And who will do this?

Large commercial companies may be interested in this. I think some research of this kind is already under way. The state is not immediately interested, since our cryptography is not in it, so the existing modules are not suitable for the defence industries.

Is it possible to use computers with TPM in government agencies?

The question of using the TPM in government agencies is rather complicated. I think the next editions of the TPM will already allow cryptographic algorithms to be swapped. Today you can re-flash the BIOS and add your own components; it will be the same with the TPM. As for current use in the public sector, it is too early to talk about it. But the possibility of our own implementation of the standard must be studied, and we must take part in developing its next version, so as to be able to embed our cryptography into someone else's TPM.

... In general, the position is clear. TPM is the next level of security. The state will somehow resolve the issue for the defence industry, and everyone else will use what they have. In most cases the TPM will protect against ordinary hackers (in those areas of protection the TPM covers), but you still cannot escape Big Brother's attention.

The consortium itself, which started as a purely American project, is expanding. TCG currently has 11 Promoter members (AMD, Cisco, Fujitsu, HP, IBM, Infineon, Intel, Juniper, Lenovo, Microsoft and Wave Systems) and 74 Contributor members. Japanese and Chinese companies have appeared on these lists. But there are still no Russian representatives there.

Freedom or security? The era of the existentialists Sartre and Camus, who chose the "roads to freedom" and studied a free man standing on the edge of "nothingness", has passed along with the last century. Most people have chosen safety, and now argue only about the length of the leash. So for the mainstream user there is no TPM problem. But the state should not be indifferent to the question of whose leash its own institutions are on. Nor its citizens.

Information Security: Trusted Platform Module and Red Pill. Part 2.

Article:

From the editors of the VM Guru portal: this article by Andrey Lutsenko, an expert in information security, including virtual environments, describes a potential vulnerability of many software and hardware systems, from workstations to servers. In our opinion the material is unique, interesting and relevant today for many environments that demand increased attention to information security. We thank Andrey for the valuable material. To contact the author, use the information in the "" section.

With the help of the hyperdriver (the author's thin hypervisor built on hardware virtualization), you can monitor the operating protocols of various devices, and even control devices intended to protect computing systems that have special protection against unauthorised interference: not only TPM modules, but also various smart cards and all kinds of tokens.

The demo version of the Red Pill hyperdriver, in its device-control variant, has been modified: handlers that watch the address ranges of the TPM module are registered on the virtualization platform, and when any software attempts to access these hardware resources the hyperdriver logs the events to a dump, which can be viewed through the Hyper Agent...

Besides recording the hardware event, the hyperdriver records the address of the instruction in the software module that makes the call to the hardware. The Hyper Agent allows these program modules to be viewed and, if necessary, saved to a file for further analysis.

The most widespread piece of software that uses the TPM to store encryption keys is BitLocker, and it is this program's operation that the Red Pill hyperdriver observes in the screenshots below.

Bitlocker protocol with TPM module

Initially, at the OS boot stage, BitLocker uses BIOS functions to retrieve (unseal) the disk encryption keys from the TPM module; in the author's capture this traffic goes through the I/O port address space.
After the OS kernel has loaded, the operating system itself starts talking to the module using the TPM 1.2 command protocol, and the exchange goes through the MMIO address space.
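What a logger sitting on the module's MMIO window actually sees is a byte stream of TPM 1.2 command and response frames. As an added example (not the author's Red Pill tooling), the decoder below splits such a stream and names the ordinals and return codes, following the framing in the TPM 1.2 Main Specification, Part 3: a command is tag(2) | paramSize(4) | ordinal(4) | parameters, a response is tag(2) | paramSize(4) | returnCode(4) | parameters, all big-endian. The sample exchange is constructed by hand (the Unseal blob and authorisation fields are zeroed placeholders), not a real capture.

```python
"""TPM 1.2 command/response frame decoder (added example; sample capture is constructed)."""
import struct

TAGS = {0xC1: "RQU_COMMAND", 0xC2: "RQU_AUTH1_COMMAND", 0xC3: "RQU_AUTH2_COMMAND",
        0xC4: "RSP_COMMAND", 0xC5: "RSP_AUTH1_COMMAND", 0xC6: "RSP_AUTH2_COMMAND"}
COMMAND_TAGS = (0xC1, 0xC2, 0xC3)
ORDINALS = {0x0A: "TPM_OIAP", 0x0B: "TPM_OSAP", 0x14: "TPM_Extend", 0x15: "TPM_PcrRead",
            0x17: "TPM_Seal", 0x18: "TPM_Unseal", 0x41: "TPM_LoadKey2", 0x46: "TPM_GetRandom",
            0x65: "TPM_GetCapability", 0x99: "TPM_Startup"}
RETURN_CODES = {0: "TPM_SUCCESS", 1: "TPM_AUTHFAIL", 2: "TPM_BADINDEX", 6: "TPM_DEACTIVATED",
                7: "TPM_DISABLED", 0x803: "TPM_DEFEND_LOCK_RUNNING"}
HEADER = struct.Struct(">HII")  # tag, paramSize, ordinal-or-returnCode


def _cmd_params(ordinal: str, body: bytes) -> dict:
    """Parameters of the commands we care about; other ordinals are left raw."""
    first_word = {"TPM_PcrRead": "pcrIndex", "TPM_GetRandom": "bytesRequested",
                  "TPM_Unseal": "parentHandle"}
    if ordinal in first_word:
        return {first_word[ordinal]: struct.unpack_from(">I", body)[0]}
    if ordinal == "TPM_Extend":
        return {"pcrNum": struct.unpack_from(">I", body)[0], "inDigest": body[4:24].hex()}
    return {"raw": body.hex()}


def _rsp_params(ordinal: str, body: bytes) -> dict:
    if ordinal in ("TPM_PcrRead", "TPM_Extend"):
        return {"outDigest": body[:20].hex()}
    if ordinal in ("TPM_GetRandom", "TPM_Unseal"):
        n = struct.unpack_from(">I", body)[0]
        # TPM 1.2 returns GetRandom output and the unsealed secret in the clear; the
        # trailing auth block (nonceEven, continue flag, HMAC) only authenticates it.
        return {("randomBytes" if ordinal == "TPM_GetRandom" else "secret"): body[4:4 + n].hex()}
    return {"raw": body.hex()}


def decode_stream(data: bytes) -> list:
    """Split back-to-back frames by paramSize and decode each one; responses are
    interpreted against the most recent command ordinal."""
    frames, off, last_ordinal = [], 0, None
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        tag, size, word = HEADER.unpack_from(data, off)
        if size < HEADER.size or off + size > len(data):
            raise ValueError(f"bad paramSize {size} at offset {off}")
        body = data[off + HEADER.size:off + size]
        frame = {"offset": off, "tag": TAGS.get(tag, hex(tag)), "size": size}
        if tag in COMMAND_TAGS:
            last_ordinal = ORDINALS.get(word, hex(word))
            frame.update(dir="cmd", ordinal=last_ordinal, **_cmd_params(last_ordinal, body))
        else:
            rc = RETURN_CODES.get(word, hex(word))
            frame.update(dir="rsp", ordinal=last_ordinal, rc=rc)
            if rc == "TPM_SUCCESS":
                frame.update(_rsp_params(last_ordinal, body))
        frames.append(frame)
        off += size
    return frames


# --- constructed sample capture (not real TPM traffic) ----------------------
def _cmd(tag, ordinal, params=b""):
    return HEADER.pack(tag, HEADER.size + len(params), ordinal) + params


def _rsp(tag, rc, params=b""):
    return HEADER.pack(tag, HEADER.size + len(params), rc) + params


AUTH = bytes(20 + 1 + 20)          # nonce | continueAuthSession | HMAC, zeroed placeholders
SRK_HANDLE = 0x40000000            # TPM_KH_SRK
SAMPLE = b"".join([
    _cmd(0xC1, 0x15, struct.pack(">I", 7)),                                # TPM_PcrRead(7)
    _rsp(0xC4, 0, bytes(range(20))),                                        # outDigest
    _cmd(0xC1, 0x46, struct.pack(">I", 8)),                                # TPM_GetRandom(8)
    _rsp(0xC4, 0, struct.pack(">I", 8) + b"\xde\xad\xbe\xef\x01\x02\x03\x04"),
    _cmd(0xC2, 0x18, struct.pack(">I", SRK_HANDLE) + bytes(64) + AUTH),    # TPM_Unseal, placeholder blob
    _rsp(0xC5, 1),                                                          # TPM_AUTHFAIL
    _cmd(0xC2, 0x18, struct.pack(">I", SRK_HANDLE) + bytes(64) + AUTH),
    _rsp(0xC5, 0, struct.pack(">I", 32) + b"K" * 32 + AUTH),               # secret returned in the clear
])

if __name__ == "__main__":
    for frame in decode_stream(SAMPLE):
        print(frame)
```

The last frame is the point of the author's observation: in TPM 1.2 the Unseal response carries the secret in plaintext, so anything that can read the bus or the MMIO window at that moment sees the key the OS receives. TPM 2.0 sessions can encrypt command and response parameters, which is one of the changes that make the newer protocol harder to observe this way.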

TPM module activation protocol

Administration of the TPM is likewise handled by a dedicated Windows service; for example, the protocol for initialising a fresh TPM and entering the activation key into it was logged. In the same way other encryption and activation keys can simply be read from the TPM, but only those keys that the module exchanges with the OS. Keys that never leave the module could be read by logging the protocol used to back up the module's contents to external media.

From the preceding text it may seem that this topic is not relevant for our country, since TPM modules are prohibited from use here and other imported information security tools are used only for confidential data.

The basis of Russian information security is trusted boot modules (MDZ) such as Akkord, Sobol and others. In addition, according to the plans of security architects, impenetrable air gaps that disconnect local networks from external Internet lines completely eliminate all risks of external penetration.

But, "OH GOD", these impenetrable products of Russian engineering and administrative thought are easily bypassed by hyperdrivers, and the protection bursts at the seams (in fact there has been no protection as such for a long time, only a multimillion-dollar business).

In addition, information security as an institution of state policy has become a complete fiction, in the spirit of the old Russian saying: "The strictness of the laws is compensated by the optionality of their enforcement."

Specific example:

On the territory of Russia, the use of cryptographic tools, and of equipment containing such tools, is permitted only on the basis of a licence (Decree of the President of the Russian Federation of April 3, 1995) or of a notification.

For this model, the manufacturer installs a TPM module on the board and ships the laptop to Russia under the notification procedure, declaring that the device is disabled by the manufacturer at the production stage:

An Infineon SLB 9635 TT1.2 TPM module installed on the CF-52 board

In this expensive, high-end laptop model, the TPM can be made operational within the operating system by simple manipulation of the BIOS ACPI tables, as demonstrated below.

It can be seen from the above slides that the importer cheated in its notification, and the supervising state bodies were taken in.
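The author's slides are not reproduced here. What they rely on is that the OS learns about a TPM from firmware-provided ACPI tables ("TCPA" for TPM 1.2, "TPM2" for TPM 2.0), so whoever controls those tables controls whether the OS sees the module. As an added example (not the author's tooling), the parser below reads such a table, reports what it advertises, and verifies the ACPI checksum. The 36-byte header is the standard ACPI System Description Table header; the TCPA client body and the TPM2 body follow the TCG ACPI Specification. The table bytes are constructed here with build_table() rather than dumped from a machine; on Linux the real tables live under /sys/firmware/acpi/tables/ (path assumed from the sysfs ACPI interface), which load_from_sysfs() reads if present.

```python
"""ACPI TCPA/TPM2 table parser with checksum verification (added example, samples constructed)."""
import struct

# signature, length, revision, checksum, OEM ID, OEM table ID, OEM revision, creator ID, creator revision
SDT_HEADER = struct.Struct("<4sIBB6s8sI4sI")
START_METHODS = {2: "ACPI start method", 6: "MMIO (TIS/FIFO)", 7: "CRB",
                 8: "CRB with ACPI start", 11: "Arm SMC"}
PLATFORM_CLASS = {0: "client", 1: "server"}


def checksum_ok(table: bytes) -> bool:
    """ACPI rule: every byte of the table, checksum field included, sums to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_tpm_table(table: bytes) -> dict:
    """Decode a TCPA or TPM2 table; raises ValueError for anything else or a bad length."""
    sig, length, rev, _chk, oem, oem_tbl, _orev, _cid, _crev = SDT_HEADER.unpack_from(table)
    if length < SDT_HEADER.size or length > len(table):
        raise ValueError(f"length field {length} inconsistent with {len(table)} bytes")
    info = {"signature": sig.decode("ascii"), "revision": rev,
            "oem_id": oem.decode("ascii").strip(), "oem_table_id": oem_tbl.decode("ascii").strip(),
            "checksum_ok": checksum_ok(table[:length])}
    if sig == b"TCPA":  # client platform body: platform class, log area min length, log area start
        pc, laml, lasa = struct.unpack_from("<HIQ", table, SDT_HEADER.size)
        info.update(platform_class=PLATFORM_CLASS.get(pc, pc), log_area_min_len=laml, log_area_start=lasa)
    elif sig == b"TPM2":  # body: platform class, reserved, control area address, start method
        pc, _res, ctrl, sm = struct.unpack_from("<HHQI", table, SDT_HEADER.size)
        info.update(platform_class=PLATFORM_CLASS.get(pc, pc), control_area=ctrl,
                    start_method=START_METHODS.get(sm, f"unknown ({sm})"))
    else:
        raise ValueError(f"not a TPM table: {sig!r}")
    return info


def build_table(sig: bytes, body: bytes, revision: int) -> bytes:
    """Constructed sample table with a valid checksum (OEM strings are made up)."""
    hdr = SDT_HEADER.pack(sig, SDT_HEADER.size + len(body), revision, 0,
                          b"EXMPL ", b"EXAMPLE ", 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte lives at offset 9
    return bytes(raw)


def tamper_start_method(table: bytes, new_method: int) -> bytes:
    """Patch a TPM2 table's start method WITHOUT re-checksumming, as a crude edit would."""
    return table[:48] + struct.pack("<I", new_method) + table[52:]


def load_from_sysfs(sig: str):
    """Read a real table on Linux; returns None where the sysfs path is unavailable."""
    try:
        with open(f"/sys/firmware/acpi/tables/{sig}", "rb") as f:
            return f.read()
    except OSError:
        return None


# Constructed samples: a TPM 1.2 TCPA client table and a TPM 2.0 table using the MMIO start method
SAMPLE_TCPA = build_table(b"TCPA", struct.pack("<HIQ", 0, 0x10000, 0xBFEE0000), 2)
SAMPLE_TPM2 = build_table(b"TPM2", struct.pack("<HHQI", 0, 0, 0, 6), 4)

if __name__ == "__main__":
    for name in ("TCPA", "TPM2"):
        real = load_from_sysfs(name)
        print(name, parse_tpm_table(real) if real else "not exposed by firmware on this host")
    print(parse_tpm_table(SAMPLE_TPM2))
    print(parse_tpm_table(tamper_start_method(SAMPLE_TPM2, 7)))  # checksum_ok becomes False
```

The caveat a practitioner should keep in mind: the checksum only catches a sloppy edit. A table that was rewritten and re-checksummed, as the author's manipulation presumably was, passes this check, so the presence or absence of a TCPA/TPM2 table proves only what the firmware chose to advertise, not whether a module is physically present or disabled.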

Moreover, permitting the import of supposedly disabled TPM modules is a serious threat to the country's information security, since these supposedly "disabled" modules are used by remote management systems for computing equipment, from laptops up to servers inclusive. In remote management systems they are responsible for authorising a remote site to take control of the computing facility.

But enough bad news; there is an area where hardware virtualization technology can seriously help. In fact you can, if not eliminate viruses, then seriously complicate their life (viruses specifically, not Trojans and other rubbish that exploits the stupidity and incompetence of the user).

A description of the hyperdriver for solving this noble antivirus task will be given in the next article.
