With the recent launch of Windows 11 Microsoft also made having a hardware TPM module mandatory. Although this technology is not new (it was introduced in Windows 10 and Windows Server 2016), now, that most people can’t upgrade to Windows 11, it will (slowly) become mainstream. (My personal opinion on it is that it is probably a step in the right direction, but Microsoft could have handled mandating it better.)
Several months ago, when I heard about this new requirement, I checked how much this upgrade would cost me. At the time prices for a TPM2.0 module for my motherboard (Gigabyte AORUS GAMING 3) started at around EUR150, which is not much less than, but definitely comparable with, the price of the motherboard itself. Not prepared to pay that much for a “free” Windows 11 upgrade, I started to look into if and how I could create the same thing on my own.
A cool and actually useful project – and the required code and schematics are available on GitHub.
Considering Microsoft Windows’ position on the market I don’t feel they have the right to mandate the usage of a TPM module.
And they should support Pentium 166 MMX obligatory by law
Don’t be ignorant.
Riiight, lay off the crackpipe son, it’s not doing you any good
According to the batshit brigade at MSFT a wally world E-Waste special with a garbage atom dual core, 32GB of EMMC that won’t even allow windows updates and which will fail in a year, and 4Gb of soldered on RAM that makes loading a webpage feel like an MMX trying to run Vista? why that is a perfectly acceptable win 11 experience (and considering how win 11 is I think giving people this as a taste? Big Brain move MSFT ) but a Ryzen 1600AF or Intel 7700K with 32Gb of RAM and a TB of SSD? Nah man that can’t handle the tastic experience that is win 11.
Oh BTW just to show how complete bullshit and arbitrary the system reqs for win 11 are did you know there IS a couple of 7th gen Intel chips supported? Yup it’s the chips being sold by MSFT in their Surface units…which just shows this is just another harebrained crackpipe smoking scheme by MSFT to try to become Apple only Apple? They actually have good hardware, not E-Waste specials
Mark my words as I’m calling my shot , MSFT will push the snooze alarm on the EOL of win 10 until win 12 aka the “Damn sorry about that tee hee” edition is ready which will drop the system reqs back to sanity as currently even with it being given out for free Windows 7 despite being abandoned for years has more users than win 11 thus proving MSFT always follows the Star Trek “every other one sucks” rule
Bit of a clickbait though, I was hoping for an actual home made TPM 2.0 module. A PCB breakout for an Infineon TPM 2.0 module is all this is.
I know, right? Recipes do that too – look up a “Homemade Bread” recipe – they never make their wheat at home, or churn their own butter. They just combine their existing flour, yeast, water.
I’d never have thought we’d be talking bread on osnews!
To your point: in your example the result is bread that wasn’t there in the first place: no bread -> recipe -> bread. Now imagine a “homemade birthday cake recipe” that consists of “buy cake and icing, then scribble happy birthday on it”. That’s the difference I’m talking about: cake -> recipe -> still cake.
I think at this point I need to state that I in no way want to take away from the project mentioned in the article; it’s a good engineering project that achieves a goal, it’s only that the title wasn’t specific enough. That is all.
Right?
“How to make homemade buttered toast”
1) Buy the bread.
2) Put the butter on the toast.
It’s cool, but I’ll take the full fat content, please.
They don’t and it’s annoying. Seriously. Cooking is a hobby of mine.
Butter is pretty easy, I could probably figure out flour, but I have no idea about how to grow yeast.
Yeast is everywhere. For baker’s yeast you make bread starter out of flour and water. But you end up with sourdough. To get yeast alone, pass, some industrial process. Beer fermentation produces some form of yeast. But since you’ll likely be using premade containers and utensils, and an oven, you might as well cheat and buy yeast. I think we have to draw a line here as to where the minimal definition of homemade starts. No bread -> stuff -> bread is good enough for me
Huh? What level of the design process were you expecting?
Like actually making the VLSI module itself?
This did make me wonder, though, what is the minimum TPM 2.0 implementation that works with Windows? Can a TPM just report that it is doing the specified security/encryption without actually doing it? Does Windows check that the disk isn’t actually encrypted with ROT13?
I would assume that it does, but, you never know…
Element of truth https://hackaday.com/2021/07/30/this-week-in-security-fail2rce-tpm-sniffing-fishy-leaks-and-decompiling/ : Breaking Encryption by Sniffing the TPM
Well, I _was_ actually expecting an open source TPM module, I assumed an FPGA, like this one: https://scholarsarchive.byu.edu/cgi/viewcontent.cgi?article=7298&context=etd
An FPGA would be my expectation, but my expectations and reality do not align most of the time.
Yeah, kind of.
Or scavenging parts from a smart fridge.
Flatland_Spider,
That would be really neat! Not practical, but unusual solutions make for interesting projects
Most people here probably already know, but if your motherboard supports firmware TPM, you don’t have to spend for a hardware TPM module.
The names the setting goes by are “fTPM” and “PTT”:
https://appuals.com/ptt-vs-tpm-windows-11/
I would prefer something in software that faked a TPM. There is no value in having a genuine spychip in your computer.
Trousers might be what you’re looking for, but a software TPM seems to defeat the purpose.
http://trousers.sourceforge.net/
Defeating the purpose of DRM is the purpose..
Trousers is the tool stack for TPM 1.2.
If you want to fake a TPM, then download the IBM software TPM (sourceforge). The only issue is that you will not get a unique endorsement key nor will it integrate with your machine’s UEFI to record the boot process. You might be able to link this with, say, QEMU and boot Windows 11 on there, but attestation is going to be a pain.
The TPM is not “a spy chip”, it is a passive component that acts as secure storage, key generation and root of trust for reporting. UEFI during the boot process will record information into the PCRs of the TPM. This log can also be found after boot – at least on modern Linux distributions in /sys/kernel/security/tpm0/binary_bios_measurements. This file can be decoded using the tpm2_eventlog utility, part of the tpm2-tools package available for most distributions: Debian, Ubuntu, Fedora etc ( sudo apt install tpm2-tools )
iosn,
You’re right that it’s not supposed to be a spy chip, but as with most things that are proprietary silicon it’s almost impossible to actually verify that. Compromised TPM hardware could theoretically make attacks even easier than verified software implementations.
I’m not asserting that any specific TPM hardware is compromised because I wouldn’t know, but it would be hard to prove that they aren’t! It’s easier to audit software (ie for CPU or FPGA targets), but when it comes to hardware it becomes mostly a matter of trusting the manufacturer and supply chains, etc.
For a start you’ll have to specify how it can spy…
The device sits on the LPC or SPI bus for a start. Connect an oscilloscope and read the data – you can decode it using wireshark if you want. The command set is very well defined by the TCG and each manufacturer would audit that.
If you’re worried about the Supermicro case where a device on the motherboard has control over things – well, you’d need software on there that would respond to the chip asking for things which means severely compromised firmware is the best case. Using this argument then the whole Intel Management Engine, UEFI, ACM etc are much more of a threat.
One of the main points of the TPM is to store the cryptographic measurements of the software (typically UEFI, but also see Linux IMA, Intel TXT etc) – these measurements are generated by UEFI and extended to the TPM’s PCRs, which is in effect an audit of the software.
Why not come over to https://tpm.dev – open discussion every 15th of the month on all topics related to TPM. We’re quite friendly and have some of the topic experts in trusted technologies – including people from Infineon, IBM, Nokia Bell Labs, The Trusted Computing Group etc (one or two of us worked on the design and specification of the TPM itself)
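Picking up iosn’s two points above (the event log UEFI leaves behind, and measurements being extended into PCRs): the added example below is mine, not code from the article, tpm2-tools or any commenter. It parses the legacy SHA-1 TCG_PCR_EVENT record format and replays the extends to recompute PCR values, which is the check a verifier does against a PCR quote. The log bytes are constructed; real TPM 2.0 logs switch to the crypto-agile TCG_PCR_EVENT2 format after the first Spec ID record, which this does not handle.

```python
import hashlib
import struct

# Legacy SHA-1 TCG_PCR_EVENT record, as used by TPM 1.2 logs and by the first
# (Spec ID) entry of a TPM 2.0 log:
#   pcrIndex u32 LE | eventType u32 LE | digest 20 bytes | eventSize u32 LE | event
RECORD_HDR = struct.Struct("<II20sI")
EV_NO_ACTION, EV_SEPARATOR, EV_S_CRTM_VERSION = 0x3, 0x4, 0x8

def parse_sha1_event_log(data):
    """Yield (pcr_index, event_type, digest, event_data) for every record."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % offset)
        pcr, etype, digest, size = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        if len(data) - offset < size:
            raise ValueError("truncated event data at offset %d" % offset)
        yield pcr, etype, digest, data[offset:offset + size]
        offset += size

def replay_pcrs(data, num_pcrs=24):
    """Recompute PCR values from the log: PCR = SHA1(PCR || digest) per record."""
    pcrs = {i: b"\x00" * 20 for i in range(num_pcrs)}
    for pcr, etype, digest, _event in parse_sha1_event_log(data):
        if etype == EV_NO_ACTION:
            continue  # informational records are logged but never extended
        if pcr not in pcrs:
            raise ValueError("record references unknown PCR %d" % pcr)
        pcrs[pcr] = hashlib.sha1(pcrs[pcr] + digest).digest()
    return pcrs

def build_record(pcr, etype, event, digest=None):
    """Encode one record; the digest defaults to SHA-1 of the event data."""
    digest = hashlib.sha1(event).digest() if digest is None else digest
    return RECORD_HDR.pack(pcr, etype, digest, len(event)) + event

# Constructed sample log (not captured from real firmware)
SAMPLE_LOG = (
    build_record(0, EV_NO_ACTION, b"Spec ID Event03", digest=b"\x00" * 20)
    + build_record(0, EV_S_CRTM_VERSION, b"constructed CRTM version 1.0")
    + build_record(0, EV_SEPARATOR, b"\x00\x00\x00\x00")
    + build_record(7, EV_SEPARATOR, b"\x00\x00\x00\x00")
)

def pcrs_match(data, quoted):
    """True if every PCR value in `quoted` (a dict index -> bytes) replays from the log."""
    replayed = replay_pcrs(data)
    return all(replayed.get(i) == v for i, v in quoted.items())
```

A mismatch between the replayed value and the PCR the TPM reports means the log has been edited or is missing records, which is exactly what the replay is meant to catch.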
iosn,
Well, even if you connected an oscilloscope my point was that you can’t really prove the absence of hidden features and backdoors. There’s nothing stopping manufacturers from implementing hidden protocols that aid in leaking keys and/or bypass security in ways that they’re not supposed to. Such unpublished “features” could help defeat encryption and put your data at risk. Also attestation and signatures could be compromised. We have to trust that the security vendors are not selling weakened security devices to consumers or selling security compromised chips to the 3 letter agencies.
Yes, there are many potential attack vectors. This is why many suggest disabling things like intel AMT. Ideally it would all be open source so that it can be audited, but this doesn’t work as well with hardware.
I guess it could be interesting but I don’t know that I have a specific reason to join. I wouldn’t have thought to anyways. Most people are probably there in a work capacity, no?