20

Is TPM really worth it?

According to Wikipedia it:

  • Provides a generator of random numbers (that's okay)
  • Facilities for the secure generation of cryptographic keys for limited uses (that's okay too I guess)
  • Remote attestation (doesn't sound safe)

In the section on the bottom, it mentions some criticisms of TPM such as remote validation of software - manufacturer, not the user decides what can be run on the computer. This sounds scary.

Also, VeraCrypt doesn't support TPM which raises some concerns. If they don't trust it, why should I?

So is TPM worth it or is it just an unnecessary potential point of failure? Would my security and privacy be safer if I didn't use a computer with TPM at all? Full disk encryption with VeraCrypt sounds safe enough even for the most illegal use cases (NSA-proofed).

And then, would it be possible to remove the TPM module from a motherboard safely?

Gillian
  • 492
  • 1
  • 3
  • 13
  • 4
    @Gillian It seems likely the TrueCrypt authors didn't understand what a TPM is for. It is not redundant and fundamentally _cannot_ be made redundant in software. It is something that can only work in hardware. That is likely why VeraCrypt decided to add support recently to their beta builds, since they seem to have a better understanding of security. – forest Jun 15 '18 at 13:36
  • 3
    This isn't an answer, but definitely something to be aware off. I recently went through a bit of a nightmare with this. When I got my Dell XPS (about 18 months ago), I naturally enabled BitLocker which uses the TPM. This was fine, until about a week ago, I was prompted to update the BIOS, which I just did. From that point on, my Hard Drive was encrypted, and I never noted down the recovery key! I lost everything on there (happily, I had pretty much everything backed up), but still, be warned. You need to turn it off when updating your BIOS! And some might argue, that would defeat the point? – JMK Jun 15 '18 at 19:11
  • 3
    Bitlocker is junk, proven several times: https://www.engadget.com/2018/11/06/microsofts-bitlocker-compromised-by-bad-ssd-encryption/ ; but looks like some people prefer to add "-" to an answer rather than examining the situation as a whole. – Overmind Feb 01 '19 at 07:15

4 Answers4

29

It depends on your threat model. A TPM has multiple purposes, but the most common purpose is measured boot. That is, a TPM will verify the integrity of the BIOS, option ROMs, bootloader, and other sensitive boot components so that it is able to detect an evil maid attack or modified firmware. If your threat model includes an adversary which is able to modify firmware or software on your computer, a TPM can provide tamper-evidence to ensure that it will not go undetected.

So how does a TPM work? It's actually pretty simple when you get down to it. The TPM measures the hashes of various firmware components* and stores the hashes in registers called PCRs. If the hashes all match a known value, the TPM will unseal, allowing itself to be used to decrypt arbitrary data. What data it decrypts is up to you. Most commonly, it is part of the disk encryption key. Unless every piece of firmware and boot software has the correct hash, the TPM will not unseal and the encryption key will not be revealed. TPMs can be used for a lot more, but the idea is the same.

* Technically, the TPM is passive and cannot actively read firmware, bootloaders, or other data. Instead, a read-only component of the BIOS called the CRTM sends a hash of the BIOS to the TPM, starting the chain of trust. This component is read-only to ensure that a modified BIOS cannot lie to the TPM about its hash.

So is TPM worth it or is it just an unnecessary potential point of failure? Would my security and privacy be safer if I didn't use a computer with TPM at all? Full disk encryption with VeraCrypt sounds safe enough even for the most illegal use cases (NSA-proofed).

Remote attestation is not something you will likely need to use. It is however not at all unsafe. All it does is allow a remote device to prove to the appraiser that the firmware and software it is running matches a known-good hash. It does not allow remotely controlling the machine. It is up to the OS to do the remote connections and send the data to the TPM. The TPM itself isn't even aware that it is being used for remote attestation. In fact, remote doesn't even have to mean over a network. There are very clever implementations that use a TPM to remotely attest the computer's state to a secure USB device! There are no privacy issues with a TPM's unique private key either due to a TPM's ability to sign things anonymously using DAA, or Direct Anonymous Attestation.

Let's go even further and assume the TPM is not only useless, but downright malicious. What could it do then? Well, nothing really. It lacks the ability to send the so-called LDRQ# signal over the LPC bus which is necessary to perform a DMA attack. The only thing it could do is say "everything is OK" when in reality the firmware has been tampered with. In other words, the worst a malicious TPM could do is pretend it doesn't exist, making a malicious TPM no worse than no TPM.

It is completely possible to safely remove the TPM from the motherboard. There is nothing that requires it be there. If it is not present, you will simply not be able to verify a chain of trust to be sure that firmware has not been tampered with. Note however that many modern CPUs have an integrated TPM, but it can be easily disabled, with the same results as removing the physical one. Note that some newer versions of Windows do require a TPM's presence in order to secure the boot process. If the TPM is removed, you may need to modify the OS and UEFI settings so it no longer requires it.

In the section on the bottom, it mentions some criticisms of TPM such as remote validation of software - manufacturer, not the user decides what can be run on the computer. This sounds scary.

The worry is that, in the future, manufacturers might use the TPM to prevent you from making sensitive modifications to your system. By default, TPMs will obey only its owner. If you tell a TPM that the current state of the system is known-good, it will always check to make sure the system is in that state. If an evil manufacturer sets the TPM to believe that a known-good state is one where malicious DRM and other rights-restricting software is enabled, then we have a problem. For current TPMs, it's entirely up to you to decide what software you want to run! They don't restrict your rights.

Another criticism is that it may be used to prove to remote websites that you are running the software they want you to run, or that you are using a device which is not fully under your control. The TPM can prove to the remote server that your system's firmware has not been tampered with, and if your system's firmware is designed to restrict your rights, then the TPM is proving that your rights are sufficiently curtailed and that you are allowed to watch that latest DRM-ridden video you wanted to see. Thankfully, TPMs are not currently being used to do this, but the technology is there.

The upshot is that a TPM can prove both to you locally, and to a remote server (with the OS handling the networking, of course) that your computer is in the correct state. What counts as "correct" hinges on whoever owns the TPM. If you own the TPM, then "correct" means without bootkits or other tampering. If some company owns the TPM, it means that the system's anti-piracy and DRM features are fully functional. For the TPMs in PCs you can buy today, you are the owner.

Also, VeraCrypt doesn't support TPM which raises some concerns. If they don't trust it, why should I?

VeraCrypt actually has added support for TPM version 1.2 and experimental support for TPM version 2.0 in VeraCrypt release 1.20, although they have not yet edited their documentation to reflect this. They originally were resistant because the original TrueCrypt authors did not understand the TPM. Its purpose is not to assist with disk encryption, but to verify that the firmware and important boot software (including the VeraCrypt bootloader!) have not been tampered with.

forest
  • 64,616
  • 20
  • 206
  • 257
  • Thank you. Is it true that there don't exist any attacks executed with physical access to the device with TPM? – Gillian Jun 15 '18 at 15:39
  • 2
    @Gillian What do you mean? A TPM can only detect modified firmware. It can't protect from other physical attacks like a hardware keylogger. – forest Jun 15 '18 at 16:15
  • 1
    Then I fail to see the point of TPM. If you can modify the firmware, why can't you solder a keylogger on the device too? – Gillian Jun 15 '18 at 16:20
  • Do you get what I mean? If you have the means to execute an attack from which TPM can protect you, you implicitly have the means to execute a different kind of attack from which TPM can't protect you. – Gillian Jun 15 '18 at 16:23
  • 2
    @Gillian Because malicious software may modify firmware (e.g. a rootkit)! – forest Jun 15 '18 at 16:29
  • What? Really? How could a rootkit do it? Would you provide me with some materials so that I could educate myself? – Gillian Jun 15 '18 at 16:55
  • Also, if you already have a rootkit with access control privileges high enough to modify the firmware, why would you use it to modify the firmware instead of using it to obtain the information you need? Also, if you really needed to modify the firmware and you did have a rootkit with these privileges, couldn't you exploit TPM too? – Gillian Jun 15 '18 at 17:00
  • You can't exploit the TPM with privileged software, since it is protected in hardware. And a rootkit may want to modify firmware to make itself more persistent and withstand even OS reinstalls, or so it can run in system management mode which makes it harder to detect. – forest Jun 15 '18 at 17:01
  • Is remote TPM hacking impossible? – Gillian Jun 15 '18 at 18:08
  • @Gillian Yes. A TPM has no ability to communicate remotely. "Remote attestation" does not mean the TPM can do this. In fact, it involves the regular operating system communicating remotely as always, and certain data being passed to the TPM by software running on the OS. – forest Jun 15 '18 at 18:10
  • By remote hacking I rather mean that the attacker has a remote access to the computer and wishes to override TPM to make his hack more persistent. Is it really impossible to modify the firmware in a way which would otherwise be possible without TPM? – Gillian Jun 15 '18 at 18:31
  • @Gillian Yes, it is really impossible (excluding bugs in the implementation). The TPM itself is passive. All it does is take measurements of the firmware. If the measurements match what is expected, it will _unseal_ an encrypted blob of data (which can be e.g. an encryption key, or an [ASCII phrase](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html) that you know but do not expect the attacker to be able to guess in order to show you). This rests on the TPM being correctly designed, and a part of the BIOS called the CRTM being read-only (which it usually is). – forest Jun 15 '18 at 18:33
  • Thank you @forest for your patience. Here's your well deserved green tick. – Gillian Jun 15 '18 at 18:35
  • Thank you :) And lastly, remember that a TPM isn't magic! It needs software to make use of it. A TPM simply existing isn't useful if you don't have software to take advantage of it. – forest Jun 15 '18 at 18:37
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/78946/discussion-between-gillian-and-forest). – Gillian Jun 15 '18 at 19:24
  • "malicious DRM" is a funny term... isn't DRM malicious by definition? It only exists to prevent the user from doing things he wants to do. – Haukinger Mar 02 '21 at 14:51
  • @Haukinger It is indeed malicious by (any sensible) definition. I called it malicious to emphasize that fact. – forest Mar 07 '21 at 01:30
3

In the section on the bottom, it mentions some criticisms of TPM such as remote validation of software - manufacturer, not the user decides what can be run on the computer

There is a fundamental misunderstanding here.

With remote attestation, the vendor does not decide what software runs on the hardware, but rather what hardware is allowed to run their software.

Remote attestation can be very well (as in my other answer) used or abused:

  • As part of a DRM system
  • To block devices from certain vendors based on political criteria. This is done by whitelisting
  • To implement planned obsolescence, which may be illegal in certain jurisdictions
usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
1

Remote attestation is an optional feature.

Remote attestation requires a hardware attestation in order to work. It is currently done in iOS and Android to certify that the device is not rooted by means of certifying the bootloader is locked and enforcing Secure Boot.

There are concerns over remote attestation. These are not related by the technology itself, but from its larger use in the market.

Remote attestation cannot (easily) be used to censor software. It is just one piece of technology that requires a lot of cooperation from multiple software parts.

Remote attestation alone cannot be used from deciding whether you can run a software or not, unless it's a DRM license check. I mean, the OS decides to run applications. If the OS enforces vendor policies, and/or the software implements a framework (eg. SafetyNet) to prevent the software from running on non-certified device, that's not just the presence of the TPM.

Remote attestation is a way to enforce planned obsolescence on hardware, as old devices can be blacklisted over time. But it requires the application/OS vendor to enforce such a policy. And planed obsolescence is even illegal in certain jurisdictions like France.

Remote attestation and TPMs do not prevent developers to build their own open source tool. It does not block you from installin OSS, but perhaps you won't be able to use Netflix app on custom OS.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
-6

I do not trust intel's TPM at all because it's a closed source system.

I'd rather go for TrueCrypt or anything similar at any time.

I also do not agree to use a system that prevents me from quickly deploying my own boot loaders and my own OSes. Why have to have an 'approval' to be able to use them ? I just want to use them at any time on any compatible hardware.

At this point I find TPM an annoyance at most, that potentially or practically impairs my activity.

In theory you cannot remove a TPM module, but you can disable it from the BIOS/EFI. We have not tested in sufficient MBs if physically removing does harm. A colleague did physically removed a TPM module from a MSI Z68MA-G45 G3 and the MB still functioned correctly, but I am not aware if there were later implications regarding functionality.

Update

Note: Updating your BIOS can make your system lose all data if you use bitlocker encryption.

Note 2: Bitlocker is a too big fail to be worth anything.

Overmind
  • 8,779
  • 3
  • 19
  • 28
  • 9
    You have _completely_ misunderstood what a TPM does and what it is for. It in no way whatsoever prevents you from using your own bootloader or OS. **Secure boot/BootGuard != TPM.** Also, comparing TrueCrypt and a TPM is comparing apples to orangutans. And why in the world would removing a TPM cause harm? It's literally a passive device. – forest Jun 15 '18 at 12:50
  • 1
    Still, if it's soldered on the MB there's a risk to it. – Overmind Jun 19 '18 at 05:20
  • Are TPMs ever actually soldered to the board? This might be the case for very compact laptops or embedded devices, but traditional computers have it plugged into the LPC bus and it is fully removable. On systems where it is soldered on (or epoxied on), the only way you could damage the system by removing it is if you do so incorrectly and end up breaking something. An amateur might break something even if it _is_ removable, simply by damaging sensitive components when rummaging around in the guts of the computer. But is its absence alone dangerous? Not at all. – forest Jun 19 '18 at 05:24
  • Well removing it worked without consequences on the test board I mentioned so your statement is supported. – Overmind Jun 19 '18 at 05:31
  • 1
    `Updating your BIOS can make your system lose all data if you use bitlocker encryption.` In fact, it **must** be suspended prior to upgrading. Upgrading BIOS using a Windows EXE utility supplied by the vendor 99,9% the times disables BitLocker temporarily – usr-local-ΕΨΗΕΛΩΝ Mar 08 '21 at 15:18
  • 1
    If you can instant-disable it and still have your data it means it's not working correctly in the 1st place. – Overmind Mar 16 '21 at 11:39
  • No, it means it allowed you to unlock the system before modifying it. Unless TPM attests the system is safe and allows Windows to load, it's not possible to disable it. – ThoriumBR Mar 18 '22 at 01:36