TPM 2.0 is a must - they said, it will improve Windows Security - they said...


neves

Well-known member
Member
VIP
Local time
8:57 AM
Posts
397
OS
Windows 7 SP 16 (or Windows 11 SP 2 or Sun Valley 2)
It's quite ironic, to say the least: all these modern features being implemented as a new standard for improved security - while later on - the same features turn up to be the ones which make it vulnerable. As was the case with Intel SGX (Software Guard Extensions) - or maybe it would be more accurate to call it Intel Swiss Cheese - since it's filled with holes...

...and their number is piling up....

And now... it's TPM 2.0's turn - which for Windows 11 is even an official requirement:

....🫥
 

My Computer

System One

  • OS
    Windows 7 SP 16 (or Windows 11 SP 2 or Sun Valley 2)
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
Thanks for the links!
 

My Computers

System One System Two

  • OS
    Windows 11 Professional (x64)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inc. G16
    CPU
    Intel Core i9
    Motherboard
    Dell Inc. 0FDMYT A00
    Memory
    16 GB
    Graphics Card(s)
    NVIDIA GeForce RTX
    Sound Card
    Realtek(R) Audio
    Monitor(s) Displays
    Generic PnP Monitor (15.3"vis)
    Screen Resolution
    2560 x 1600
    Hard Drives
    4TB SSD
    PSU
    Dell
    Case
    Laptop
    Cooling
    Air
    Keyboard
    Dell
    Mouse
    Logitech
    Internet Speed
    10 Mbps (Dismal, slow DSL over phone line)
    Browser
    Google Chrome
    Antivirus
    Webroot SecureAnywhere
  • Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell
I think TPM hardware these days for security - especially as it's been on computers since probably before 2016, and 7 to 8 years is almost a geological age in regards to modern computing hardware (and even software) - is not the way to go.

TPM for me seems a good thing for Russian hackers - TPM = Total Putin Memorial.

MS needs to get with it on proper security - if using hardware, don't rely on stuff around 7 years old.

But who am I - an "ageing" old-school engineer in the face of "The Mighty Microsoft".



Cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7
It's quite ironic, to say the least: all these modern features being implemented as a new standard for improved security - while later on - the same features turn up to be the ones which make it vulnerable. As was the case with Intel SGX (Software Guard Extensions) - or maybe it would be more accurate to call it Intel Swiss Cheese - since it's filled with holes...
(y) This
 

My Computer

System One

  • OS
    WIN 11, WIN 10, WIN 8.1, WIN 7 U, WIN 7 PRO, WIN 7 HOME (32 Bit), LINUX MINT
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY, ASUS, and DELL
    CPU
    Intel i7 6900K (octocore) / AMD 3800X (8 core)
    Motherboard
    ASUS X99E-WS USB 3.1
    Memory
    128 GB CORSAIR DOMINATOR PLATINUM (B DIE)
    Graphics Card(s)
    NVIDIA 1070
    Sound Card
    Crystal Sound (onboard)
    Monitor(s) Displays
    single Samsung 30" 4K and 8" aux monitor
    Screen Resolution
    4K and something equally attrocious
    Hard Drives
    A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W

    Ports X, Y, and Z are reserved for USB access and removable drives.

    Drive types consist of the following: Various mechanical hard drives bearing the brand names, Seagate, Toshiba, and Western Digital. Various NVMe drives bearing the brand names Kingston, Intel, Silicon Power, Crucial, Western Digital, and Team Group. Various SATA SSDs bearing various different brand names.

    RAID arrays included:

    LSI RAID 10 (WD Velociraptors) 1115.72 GB
    LSI RAID 10 (WD SSDS) 463.80 GB

    INTEL RAID 0 (KINGSTON HYPER X) System 447.14 GB
    INTEL RAID 1 TOSHIBA ENTERPRIZE class Data 2794.52 GB
    INTEL RAID 1 SEAGATE HYBRID 931.51 GB
    PSU
    SEVERAL. I prefer my Corsair Platinum HX1000i but I also like EVGA power supplies
    Case
    ThermalTake Level 10 GT (among others)
    Cooling
    Noctua is my favorite and I use it in my main. I also own various other coolers. Not a fan of liquid cooling.
    Keyboard
    all kinds.
    Mouse
    all kinds
    Internet Speed
    360 mbps - 1 gbps (depending)
    Browser
    FIREFOX
    Antivirus
    KASPERSKY (no apologies)
    Other Info
    I own too many laptops: A Dell touch screen with Windows 11 and 6 others (not counting the other four laptops I bought for this household.) Being a PC builder I own many desktop PCs as well. I am a father of five providing PCs, laptops, and tablets for all my family, most of which I have modified, rebuilt, or simply built from scratch. I do not own a cell phone, never have, never will.
There are two ways to be affected by this vulnerability:


"An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context."


"An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM."

Apparently the vulnerabilities were discovered in late 2022 but published (officially acknowledged and made public) only on 28 February 2023. Supposedly, they delayed the announcement while trying to find a solution (a way to patch the vulnerabilities in question), which... they also released, "in theory..."

Since, so far, there's no patch whatsoever in sight. Not by Microsoft, not by any OEM. Lenovo is the only OEM talking/advising about it:

The irony is still laughable - to say the least... Kinda like hiring a "security" agency to protect your property - only to find out later that their hiring process doesn't involve a background check - you can even get hired without presenting an ID (by using an alias). This is particularly outrageous when taking into account that the Trusted Computing Group was founded by the big 5 (AMD, Hewlett-Packard, IBM, Intel and Microsoft) - also one of the main reasons why it's forced into Windows 11 (each of those companies gets their share out of TPM 2.0 chips sold).

As for failures like the above - this level of incompetence is usually emphasised by one word: nepotism. As in... let's say you finished top of your class as a software dev or engineer at MIT - which can be enough to get you a job at Microsoft, Intel, AMD, HP, etc. - BUT... there's a very slim chance that job will involve an impactful position. Maybe 5 or 10 years later you'll advance to a position which has a bigger say. Yet, even then, the final word will come from someone who may have barely finished the same college (with financial aid from parents - bribing teachers and such) - or someone mediocre at best - though this supervisor is related to (or a good friend of) someone from the top of the hierarchy at these companies - and that's what got him hired - even advancing to a top-tier position. The one in question may be incapable at his job - but among his team there are 1 or 2 who are actually capable - and those are the ones who carry all the weight of a given project - even sabotaged by their supervisor's ignorance - who still has the final word in making/taking big decisions (like pushing a product that's still not properly baked). Not to mention - these supervisors will always take the credit for a good job done by others (while at the same time shifting all the blame onto the other parties when things go wrong... despite being the ones who pulled the trigger by pushing some unfinished product).

It's the way of the world, something you'll see (probably most of you already do - at your workplace - if you're not actually the privileged party) - even in a small company, let alone giants. Just my 2 cents.
 

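The post above says no patch has appeared and that only Lenovo has published guidance. Whether a given machine is exposed depends on whose TPM firmware it runs, so the first practical check is to read the chip's manufacturer ID, spec revision and firmware version and compare them with that vendor's bulletin. The C program below is an added example, not code from this thread or from the TCG: it marshals a TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES) command, parses the reply with every length checked against the bytes actually received, and falls back to a constructed sample reply when no TPM is reachable. The Linux device path /dev/tpmrm0, the sample values and the dotted firmware display are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Added example, not code from this thread or the TCG: query a TPM 2.0 for the
 * fixed properties a vendor bulletin is keyed on. Constants are TPM 2.0 Library
 * spec values; the Linux device path and the sample reply are assumptions. */
#define TPM_CC_GetCapability      0x0000017Au
#define TPM_CAP_TPM_PROPERTIES    0x00000006u
#define TPM_PT_FAMILY_INDICATOR   0x00000100u   /* PT_FIXED + 0  */
#define TPM_PT_REVISION           0x00000102u   /* PT_FIXED + 2  */
#define TPM_PT_MANUFACTURER       0x00000105u   /* PT_FIXED + 5  */
#define TPM_PT_FIRMWARE_VERSION_1 0x0000010Bu   /* PT_FIXED + 11 */
#define TPM_PT_FIRMWARE_VERSION_2 0x0000010Cu   /* PT_FIXED + 12 */
#define GETCAP_CMD_LEN 22
#define GETCAP_HDR_LEN 19   /* reply bytes before the first property entry */

struct tpm_info {
    char     manufacturer[5];   /* 4-char vendor ID, NUL-terminated, e.g. "IFX" */
    uint32_t revision;          /* spec revision x100, e.g. 138 for 1.38        */
    uint32_t fw1, fw2;          /* vendor-defined firmware version words        */
};

static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Marshal TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES): tag TPM_ST_NO_SESSIONS,
 * commandSize, commandCode, capability, first property, propertyCount. */
size_t build_getcap(uint8_t out[GETCAP_CMD_LEN], uint32_t first_property, uint32_t count)
{
    out[0] = 0x80; out[1] = 0x01;                  /* TPM_ST_NO_SESSIONS */
    put32(out + 2, GETCAP_CMD_LEN);  put32(out + 6, TPM_CC_GetCapability);
    put32(out + 10, TPM_CAP_TPM_PROPERTIES);
    put32(out + 14, first_property); put32(out + 18, count);
    return GETCAP_CMD_LEN;
}

/* Reply: tag(2) responseSize(4) responseCode(4) moreData(1) capability(4)
 * count(4), then count x { property(4) value(4) }. Every length is checked
 * against the bytes actually received. Returns 0, or -1 on error/malformed. */
int parse_getcap(const uint8_t *resp, size_t n, struct tpm_info *info)
{
    if (n < GETCAP_HDR_LEN || get32(resp + 2) != n) return -1;
    if (get32(resp + 6) != 0)                        return -1;   /* responseCode */
    if (get32(resp + 11) != TPM_CAP_TPM_PROPERTIES)  return -1;
    uint32_t count = get32(resp + 15);
    if (count > (n - GETCAP_HDR_LEN) / 8)            return -1;   /* entries must fit */
    memset(info, 0, sizeof *info);
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = resp + GETCAP_HDR_LEN + 8 * i;
        uint32_t prop = get32(e), val = get32(e + 4);
        if      (prop == TPM_PT_MANUFACTURER)       memcpy(info->manufacturer, e + 4, 4);
        else if (prop == TPM_PT_REVISION)           info->revision = val;
        else if (prop == TPM_PT_FIRMWARE_VERSION_1) info->fw1 = val;
        else if (prop == TPM_PT_FIRMWARE_VERSION_2) info->fw2 = val;
    }
    return 0;
}

/* Constructed sample reply (values invented for the demo, not a real chip). */
static const uint8_t SAMPLE_REPLY[51] = {
    0x80, 0x01,  0x00, 0x00, 0x00, 0x33,  0x00, 0x00, 0x00, 0x00,  /* tag, size 51, rc 0 */
    0x00,  0x00, 0x00, 0x00, 0x06,  0x00, 0x00, 0x00, 0x04,        /* moreData, cap, count 4 */
    0x00, 0x00, 0x01, 0x00,  0x32, 0x2E, 0x30, 0x00,               /* FAMILY_INDICATOR "2.0" */
    0x00, 0x00, 0x01, 0x02,  0x00, 0x00, 0x00, 0x8A,               /* REVISION 138 */
    0x00, 0x00, 0x01, 0x05,  0x49, 0x46, 0x58, 0x00,               /* MANUFACTURER "IFX" */
    0x00, 0x00, 0x01, 0x0B,  0x00, 0x07, 0x00, 0x55,               /* FIRMWARE_VERSION_1 */
};
struct tpm_info g_sample;
/* Parse the sample into g_sample; returns parse_getcap's status. */
int parse_sample(void) { return parse_getcap(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &g_sample); }
/* Same bytes with the last entry cut off: responseSize no longer matches. */
int parse_truncated_sample(void) { return parse_getcap(SAMPLE_REPLY, sizeof SAMPLE_REPLY - 8, &g_sample); }

/* Assumed Linux path; /dev/tpmrm0 goes through the kernel resource manager so
 * the program does not fight other TPM users for the chip. */
int main(void)
{
    uint8_t cmd[GETCAP_CMD_LEN], resp[512];
    struct tpm_info info; ssize_t got = -1;
    int fd = open("/dev/tpmrm0", O_RDWR);
    if (fd >= 0) {
        size_t len = build_getcap(cmd, TPM_PT_FAMILY_INDICATOR, 16);
        if (write(fd, cmd, len) == (ssize_t)len) got = read(fd, resp, sizeof resp);
        close(fd);
    }
    if (got <= 0 || parse_getcap(resp, (size_t)got, &info) != 0) {
        puts("no TPM reply, using the constructed sample");
        parse_sample();
        info = g_sample;
    }
    printf("manufacturer=%s revision=%u firmware=%u.%u.%u.%u\n", info.manufacturer, info.revision,
           info.fw1 >> 16, info.fw1 & 0xFFFF, info.fw2 >> 16, info.fw2 & 0xFFFF);
    return 0;
}
```

Run it as a user with access to /dev/tpmrm0 (on Linux typically the tss group); a system without a TPM, or with the device inaccessible, prints the sample instead. The firmware words are printed as four 16-bit halves because that is the dotted form Windows' TPM tooling shows, but the encoding is vendor-defined, so match the raw values against the vendor's bulletin rather than assuming a numbering scheme.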
That is like saying do not use AV, because one virus got through. Nothing is perfect, but that does not mean that we should give up on everything. There are many security features and each complements the other. Hardware vulnerabilities are hard to fix, because there is like a decade between the manufacturing of the hardware and its software counterpart (drivers, OS). Still, many of those are blown out of proportion. For example, I have disabled Spectre mitigations, because the chances of getting affected by it are astronomical, yet the fix can lower performance by up to 30%. Those attacks will be used in targeted attacks against enterprises, which have other protections.
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 3600 & No fTPM (07/19)
    Motherboard
    MSI B450 TOMAHAWK 7C02v1E & IFX TPM (07/19)
    Memory
    4x 8GB ADATA XPG GAMMIX D10 DDR4 3200MHz CL16
    Graphics Card(s)
    MSI Radeon RX 580 ARMOR 8G OC @48FPS (08/19)
    Sound Card
    Creative Sound Blaster Z (11/16)
    Monitor(s) Displays
    24" AOC G2460VQ6 (01/19)
    Screen Resolution
    1920×1080@75Hz & FreeSync (DisplayPort)
    Hard Drives
    ADATA XPG GAMMIX S11 Pro SSD 512GB (07/19)
    PSU
    Seasonic M12II-520 80 Plus Bronze (11/16)
    Case
    Lian Li PC-7NB & 3x Noctua NF-S12A FLX@700rpm (11/16)
    Cooling
    CPU Cooler Noctua NH-U12S@700rpm (07/19)
    Keyboard
    HP Wired Desktop 320K + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    400/40 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge (No FB/Google) & Brave for YouTube & LibreWolf for FB
    Antivirus
    NoAV & Binisoft WFC & NextDNS
    Other Info
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
That is like saying do not use AV, because one virus got through. Nothing is perfect, but that does not mean that we should give up on everything.
This ^^^
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (Build 22631.3296)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel i9-9900K
    Motherboard
    Gigabyte Aorus Z390 Xtreme
    Memory
    32G (4x8) DDR4 Corsair RGB Dominator Platinum (3600Mhz)
    Graphics Card(s)
    Radeon VII
    Sound Card
    Onboard (ESS Sabre HiFi using Realtek drivers)
    Monitor(s) Displays
    NEC PA242w (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    5 Samsung SSD drives: 2X 970 NVME (512 & 1TB), 3X EVO SATA (2X 2TB, 1X 1TB)
    PSU
    EVGA Super Nova I000 G2 (1000 watt)
    Case
    Cooler Master H500M
    Cooling
    Corsair H115i RGB Platinum
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3
    Internet Speed
    500mb Download. 11mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, music, school.
  • Operating System
    Win 10 Pro 22H2 (build 19045.2130)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Intel i7-7700K
    Motherboard
    Gigabyte GA-Z270X-GAMING 8
    Memory
    32G (4x8) DDR4 Corsair Dominator Platinum (3333Mhz)
    Graphics card(s)
    AMD Radeon R9 Fury
    Sound Card
    Onboard (Creative Sound Blaster certified ZxRi)
    Monitor(s) Displays
    Dell U2415 (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    3 Samsung SSD drives: 1x 512gig 950 NVMe drive (OS drive), 1 x 512gig 850 Pro, 1x 256gig 840 Pro.
    PSU
    EVGA Super Nova 1000 P2 (1000 watt)
    Case
    Phantek Enthoo Luxe
    Cooling
    Corsair H100i
    Mouse
    Logitech MX Master
    Keyboard
    Logitech MK 710
    Internet Speed
    100MB
    Browser
    Edge Chromium
    Antivirus
    Windows Security
    Other Info
    This is my backup system.
That is like saying do not use AV, because one virus got through. Nothing is perfect, but that does not mean that we should give up on everything. There are many security features and each complements the other. Hardware vulnerabilities are hard to fix, because there is like a decade between the manufacturing of the hardware and its software counterpart (drivers, OS). Still, many of those are blown out of proportion. For example, I have disabled Spectre mitigations, because the chances of getting affected by it are astronomical, yet the fix can lower performance by up to 30%. Those attacks will be used in targeted attacks against enterprises, which have other protections.
Admittedly, Spectre is a big problem; but it is an architectural problem. Comparing faulty hardware to software in this regard doesn't pass for an accurate analogy. TPM is also an architectural thing and that is why it is found on the system board, and physical cards with TPM can be purchased. One rarely ever hears of one purchasing a VS card to add to their system board. IMO TPM should be optional. (There was a time when it was.)

Ideally, security features complement each other but evidently, for well over a decade now, things haven't been going so well for TPM, TPM 1.2, and TPM 2. Maybe the 'third' time will be a charm? OR, what is more likely, TPM 3 will simply become another marketing gimmick for rendering otherwise perfectly good and healthy system boards "obsolete", much the same way TPM 2 has. Let's be honest: security features are notorious for generating bottlenecks, conflicts, system failures, and downgrading overall performance. I'm not suggesting that all security features should be eliminated for this reason, but mitigation at the hardware level should not be a 'hit and miss' scenario. Software can be easily re-written and made to work better. It's not so easy with a system board. Not everyone has thousands of dollars to replace a system board and hardware every three years to get the latest and "greatest" version of TPM, which has proven itself time after time to be not so reliable.

Mitigation should be in the CPU itself and the option to shut it off should be in the BIOS and accessible via UEFI if need be. I'm fed up with paying for "protection" to the corporate syndicate only to have them up the ante while their so-called protection consistently flounders. I feel as though I'm being held hostage to TPM. I'm trying to avoid a chicken-or-the-egg debate here, but I've been watching this hardware vs software finger-pointing game for a very long time now and it's starting to look like a big racket.
 

Dunno, the 2 vulnerabilities appear to me a huge enough issue to render the TPM 2.0 requirement for W11 pretty much a moot point, i.e. W11 might as well not have the requirement, it wouldn't make a practical difference :eek1:

I am shaking my head in disbelief, how on earth could a consortium of the best security companies in the world have overlooked this issue :look:
 

My Computer

System One

  • OS
    Windows 10 Pro
Dunno, the 2 vulnerabilities appear to me a huge enough issue to render the TPM 2.0 requirement for W11 pretty much a moot point, i.e. W11 might as well not have the requirement, it wouldn't make a practical difference :eek1:

I am shaking my head in disbelief, how on earth could a consortium of the best security companies in the world have overlooked this issue :look:

YES!! Precisely my sentiments as well. Evidently the issue is not the issue because if it really were the issue this wouldn't be an ongoing issue. Methinks the real motive behind Win 11 requiring TPM2 is merely to invalidate those systems that aren't using it. A brilliant marketing strategy when you think of what it means: zero liability for all systems that don't use TPM2, a classic scapegoat for both hardware manufacturers and Windoze to pin the blame on the consumer, plus a massive incentive to go buy new hardware because who wants an obsolete and "unsecured" system? I know I sound like a conspiracy nut here because Windoze would never deceive us and companies like Intel are 100% forthright; but as I stated before, the writing is on the wall and the proof is in the pudding. Verdict: TPM sucks.

Until they can get their stuff together, Windows and the hardware companies need to set this abomination aside. If they must include it, then they would do well to include it as an option only and stop trying to make this lame duck mandatory. It's doing more harm than good and it's really messing up productivity. This TPM nonsense is one desperate measure people can do without.
 

That is like saying do not use AV, because one virus got through. Nothing is perfect, but that does not mean, that we should give up on everything. There are many security features and each complements the other. Hardware vulnerabilities are hard to fix, because there is like a decade between the manufacturing of the hardware and it's software counterpart (drivers, OS). Still many of those are blown of proportions. For example I have disabled Spectre mitigations, because the chance of getting affected by it are astronomical, yet the fix can lower perfomance by up to 30%. Those attacks will be used in targeted attacks against enterprises, which have other protections.
Coconuts and oranges. For your comparison to be valid (similar) - same as with TPM - the antivirus in question would/should compromise your system - basically, a malicious party using the AV to steal or corrupt data on your system. If that would actually happen - the trust in that given AV would be severely crippled (quite hard to recover/repair their reputation after such an incident). So, yes - they would lose most of their clients - switching to a different AV. For example: back in 2019 - Avast was at the top of the charts in terms of popularity (for a free AV, that is) - and yet, that was enough for them to be caught doing the same thing as Google, Facebook, even Microsoft....

And, despite removing "the spyware feature" - it took them 3 years to wash their name to some extent (to convince security sites to still include it in their AV recommendations - even if not at the top - like they used to). At least enough for their AV products to still be taken into account by enough people (let alone be considered top tier). Though, it's mainly ignorance that kept it floating - as in: if you look for an AV on Google Play - Avast is listed among the recommendations - with over 100 million downloads, yet... it's the same number of downloads it had back in 2019. Thus, for the most part - it's mainly people who are unaware of that incident - people who take that high number of downloads into account - who still bother trying it. They also released a new AV since then called "Avast One" - and that one has only 100k downloads. And again, they're only guilty of the same harm as the other big companies (who have a thing for spying/telemetry - which was actually part of their business model). Now imagine - if instead - that AV would compromise your system. How many would still have enough trust in that AV to still use it in the future.

Not to mention... an antivirus is a software security app - which, if it happens to miss a virus - will probably take a couple of days (if not the next day or the next hours) to release a definition for it. While TPM 2.0 is a hardware chip - where the chip itself is actually vulnerable. And, as mentioned in the previous post - these vulnerabilities were discovered in late 2023 - and still not patched almost 3 months later. As pointed out even by Sophos:

What to do?

  • Reference implementations aren’t always correct. If you have any hardware or software products of your own that rely on this TPM Library code, you’ll need to patch them. Sadly, the TCG hasn’t yet provided patches to its own code, but has merely described the sort of changes it thinks you should make. If you’re wondering where to start, the libtpms project is a handy place to look, because the developers have already started digging away at the danger-points. (Work your way through at least ExecCommand.c, SessionProcess.c and CryptUtil.c.)
  • If in doubt, ask your hardware vendor for vulnerability information. Lenovo, for example, has already provided some information about products that include TPM code based on the reference implementation, and where to look for security bulletins to quantify your risk.
  • Avoid letting untrusted callers tell you how to manage memory. If you’re passing buffer pointers and sizes into trusted code, make sure you check and sanitise them as much as possible, even if it comes with a performance cost (e.g. copying buffers in controlled ways into memory arranged to suit your own security needs), before processing the commands you’ve been asked to carry out.


Last but not least, TPM is forced upon its users. It was never a popular "choice" - quite the opposite... even beyond bugs - it's not exactly a moral option. Yet, forced... "for profit alone (despite being a failure)".
 

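The two CVE descriptions quoted earlier in this thread (a 2-byte read and a 2-byte write past the end of the command, in the routine that decrypts an encrypted parameter) and the Sophos advice just quoted (never let the caller's sizes drive memory access without checking them against what was actually received) come down to the same missing bounds check. The C program below is an added illustration, not the TCG reference code: it models the parameter-decryption step with a toy cipher, and shows an unchecked variant clobbering bytes past the end of a command that carries no parameter at all, beside a checked variant that refuses it. Names, return codes, the toy cipher and the canary layout are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of a TPM decrypting a command's encrypted first parameter; not the
 * TCG reference code (names, return codes, toy cipher and canary layout are
 * assumptions for this demo). The parameter is a TPM2B: a 2-byte big-endian size
 * then that many ciphertext bytes; the decryptor is told how many bytes remain. */

enum rc { RC_SUCCESS = 0, RC_INSUFFICIENT = 1, RC_SIZE = 2 };
typedef enum rc (*decryptor)(uint8_t *param, size_t remaining);

#define CMD_CAP      64     /* backing storage for a demo command          */
#define PARAM_OFFSET 10     /* a bare 10-byte header with nothing after it  */
#define CANARY_LEN   4
static const uint8_t CANARY[CANARY_LEN] = { 0x11, 0x22, 0x33, 0x44 };

struct command {
    uint8_t bytes[CMD_CAP]; /* whole backing array                          */
    size_t  len;            /* logical end of the received command          */
};

static void toy_decrypt(uint8_t *buf, size_t n)   /* toy XOR cipher, in place */
{ for (size_t i = 0; i < n; i++) buf[i] ^= 0x5A; }

/* Unchecked: trusts the size field without confirming that the field itself, or
 * the bytes it claims, lie inside the remaining command. With 0 or 1 byte left
 * it reads the size past the end and then writes past it too. */
enum rc decrypt_param_unchecked(uint8_t *param, size_t remaining)
{
    (void)remaining;                                  /* never consulted */
    uint16_t cipher_size = (uint16_t)((param[0] << 8) | param[1]);
    toy_decrypt(param + 2, cipher_size);
    return RC_SUCCESS;
}

/* Checked: both bounds are verified before any byte is touched. */
enum rc decrypt_param_checked(uint8_t *param, size_t remaining)
{
    if (remaining < 2)
        return RC_INSUFFICIENT;           /* size field is not in the command  */
    uint16_t cipher_size = (uint16_t)((param[0] << 8) | param[1]);
    if ((size_t)cipher_size > remaining - 2)
        return RC_SIZE;                   /* ciphertext would run past the end */
    toy_decrypt(param + 2, cipher_size);
    return RC_SUCCESS;
}

/* A command that is only a header: the parameter area starts exactly at the end
 * and zero bytes remain. Bytes past `len` stand in for whatever follows the real
 * command buffer; a plausible size field (0x0004) and the canary are planted there. */
static void run_truncated(decryptor decrypt, struct command *c, enum rc *rc)
{
    memset(c->bytes, 0, sizeof c->bytes);
    c->len = PARAM_OFFSET;
    c->bytes[c->len]     = 0x00;
    c->bytes[c->len + 1] = CANARY_LEN;
    memcpy(&c->bytes[c->len + 2], CANARY, CANARY_LEN);
    *rc = decrypt(&c->bytes[PARAM_OFFSET], c->len - PARAM_OFFSET);
}

/* Return code the decryptor gives for the truncated command. */
int truncated_rc(decryptor decrypt)
{
    struct command c; enum rc rc;
    run_truncated(decrypt, &c, &rc);
    return (int)rc;
}

/* 1 if the canary past the command end survived, 0 if it was overwritten. */
int truncated_canary_intact(decryptor decrypt)
{
    struct command c; enum rc rc;
    run_truncated(decrypt, &c, &rc);
    return memcmp(&c.bytes[PARAM_OFFSET + 2], CANARY, CANARY_LEN) == 0;
}

/* Size field claims 16 bytes but only 2 follow: the checked variant refuses. */
int oversized_claim_rc(void)
{
    uint8_t buf[4] = { 0x00, 0x10, 0x00, 0x00 };
    return (int)decrypt_param_checked(buf, sizeof buf);
}

/* Well-formed 3-byte parameter: both variants must decrypt it to "abc". */
int well_formed_roundtrip(decryptor decrypt)
{
    uint8_t buf[5] = { 0x00, 0x03, 'a' ^ 0x5A, 'b' ^ 0x5A, 'c' ^ 0x5A };
    return decrypt(buf, sizeof buf) == RC_SUCCESS && memcmp(buf + 2, "abc", 3) == 0;
}

int main(void)
{
    printf("unchecked: rc=%d canary intact=%d\n", truncated_rc(decrypt_param_unchecked),
           truncated_canary_intact(decrypt_param_unchecked));
    printf("checked:   rc=%d canary intact=%d\n", truncated_rc(decrypt_param_checked),
           truncated_canary_intact(decrypt_param_checked));
    return 0;
}
```

The unchecked variant reports success while the canary planted past the end of the command has been overwritten; the checked one returns RC_INSUFFICIENT and leaves it intact, and likewise refuses a size field that claims more ciphertext than remains. In real firmware the bytes past the end are whatever the TPM keeps after its command buffer, which is why the quoted advisory text lists both denial of service and code execution in the TPM context.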
Dunno, the 2 vulnerabilities appear to me a huge enough issue to render the TPM 2.0 requirement for W11 pretty much a moot point, i.e. W11 might as well not have the requirement, it wouldn't make a practical difference :eek1:

I am shaking my head in disbelief, how on earth could a consortium of the best security companies in the world have overlooked this issue :look:
Nepotism! :poop:

Yet, they'll still keep it around and force it till the end of Windows (on other operating systems it's only optional) - 'cause each of its founders...

2023-03-10_153231.png

...get their share of profit - while endorsing it and turning a blind eye. 🤑
 

Hi there

TPM devices have been around since around 2016 (TPM V2) or even earlier (TPM V1.2), so why this is a mandatory choice for the latest W11 security baffles anybody even remotely interested in hardware development and security. Hardware around 8 years old is by computing standards a geological age. We all want better security but "Classical TPM" isn't the way to do it.

However, political rants against MS aren't the solution -- they really aren't "The Evil Empire" as a load of people think they are. Nor is this comment from a load of press about President Biden -- I'm actually 100% neutral about almost everything in US politics - apart from their dreadful gun control (or lack of it) - but that's up to the electors. I suspect a few here from Texas might disagree with me on that one though!!

I doubt whether the USA really wants to "Sign the death warrant on Freedom" - many countries are infinitely worse.

(screenshot attachment: Screenshot_20230310_134346.png)



cheers
jimbo
I think what likely happened is that everyone in the consortium relied on everyone else that such obvious buffer overflow issues have 'of course' been carefully looked at.
That's just it: TPM should have been a thing of the past - but it's still pushed "as a business move". As in... every TPM chip integrated and sold = extra financial gains for those who profit from making/releasing these "outdated & unreliable chips". If TPM was "optional (as it is on Linux distros)" - it would have probably died by now. But since Microsoft is even enforcing it as an "official" requirement - ALL the OEMs who want to sell their stuff in 2023 feel compelled to still buy and use this chip with their products (in one way or the other).

That's not to say that Microsoft is Evil (I'm too old for such a term - imbued with ignorance); after all - even Hitler wasn't truly Evil, or Stalin, Mao Zedong, Putin, Trump, Jen-Hsun Huang and so on and so forth... They were/are just humans - with some mental issues (similar to millions of others) - in a "position of power" which they abused/abuse to feed their inner hunger/lackings/chaos or greed. As Jen-Hsun Huang, the CEO of nVidia, used to say - without an ounce of shame...


Same goes for whoever is taking these top decisions at Microsoft. It's a business... they're trying to max out their profits "however they can" - even if that move does not benefit the user (or even has a negative impact). You don't make billions of $ by having a moral compass or strong principles (every billionaire has this trait in common). And Bill Gates & his history with Microsoft is a solid statement in this regard: a stolen idea + top-tier marketing and a great sense of business (I give him that) = Microsoft & Windows. Again, BG's moves may be Machiavellian - while taking his past into account (in retrospect). But his success is probably less than 20% related to software, and around 80% related to marketing & his sense of business (advertising upon advertising + making connection upon connection). When I was young (and naive) - I used to think it was DirectX and gaming that made Windows so popular. It's not, quite the opposite... it's because Windows became so popular (courtesy of BG, his marketing team and business partners - so hey - I am giving credit where credit is due) that most devs from every major gaming company "felt compelled" to learn DX and make games for Windows. While further on... it's also why the team of DirectX developers kept getting bigger and bigger, looking for ways to improve it - till Windows became the most popular gaming OS for PC. That being said... no, I'm not saying that Windows or Microsoft is mainly represented by greed. It's a HUGE company with huge teams, so the greedy side is just a small part of that. Though, it is part of the head of Microsoft - so quite impactful - even having the last word. If you were to talk with 90% of Windows devs (and they'd be honest about it - not afraid to lose their job and such) - the majority would probably be against TPM. And these people are the core of Windows, yet... it's not up to them.
Like every other major company - they're compelled to follow the lead of a supervisor (be it a correct move or not - even immoral if you will) and work with what they've got or... find another job. This is the way of the corporate world (can also apply to small firms - some people will abuse whatever power they get).

So hey, repeat after me: The more you buy... the more you save! Once again... the more you buy... the more you save. Brainwashing is repetition - so again.... the more you buy?! The more you save! And again... The more you buy! The more you save! We should turn this into a song: The More You Buy! The More You Save! The More You Buy! The More You Save! Do it again now...:dizzy:
I think what likely happened is that everyone in the consortium relied on everyone else that such obvious buffer overflow issues have 'of course' been carefully looked at.
Just like OpenSSL. Everyone considered it to be safe (open source), yet the bug was discovered after 16 years, by an accident!
The irony is still laughable - to say the least... Kinda like hiring a "security" agency to protect your property - only to find out later that their hiring process doesn't involve a background check - you can even get hired without presenting an ID (by using an alias). This is particularly outrageous while taking into account - that the Trusted Computing Group was founded by the big 5 (AMD, Hewlett-Packard, IBM, Intel and Microsoft) - also one of the main reasons why it's forced into Windows 11 (each of those companies gets their share out of TPM 2.0 chips sold).

You gotta buy them burgers to go with the chips! :wink:
But the whole point is surely that using a hardware device designed and barely changed since 2016 or earlier as a basis for "strengthened security" is just so much B/S -- In any case, how much extra security does the standard "Mom and Pop" (non-corporate) Windows today really need?

The main issue today with these types of systems isn't hackers getting at the OS or injecting some esoteric malware into a part of the CPU that 99.9999% of people have never heard of, but their being scammed and things like identity theft. It's very difficult to stop scams via software -- a lot of it would need to be done by really sophisticated A.I., and even at the current rate of development this is still years off.

Standard Windows security is more than adequate for most (non corporate / enterprise) users. Anything else is just bonkers, overhype and overkill.

As for "Ethical" businesses not making money -- that's not actually true these days. I'm not sure how you would rate a coffee shop selling (by my standards) a vile "vegan friendly" coffee with goodness knows what vile cow's milk alternatives at 9 EUR a cup!!!! but presumably that type of business is probably coining it, for example - even if arguably a better environment for the planet in sourcing its products than a more traditional venue. As for coffee, you can't beat a double espresso (Italian style of course) at a much less wallet-busting price of EUR 0.95 including a glass of iced water.

@Scannerman -- for you !!!

As for security monitoring -- especially when done by "security experts" -- remember "Quis custodiet ipsos custodes" -- Who guards the guards?


Cheers
jimbo
Reminds me of an old Don Martin's Spy vs Spy comic. (But I digress.) TPM is well over a decade old. If they haven't got the wrinkles worked out of it by now then they never will. It's time to scrap the consortium and come up with a better idea. That is to say, if they're really so dedicated to security at the domestic end user level. Personally, I'm not so convinced that they are. I think these corporate fat boiz are simply just very dedicated to finding new ways of generating bigger profits to keep shareholders happy. Security is secondary. The matter is psychological and it's tried and tested. Security sells. After all who wouldn't trade their personal autonomy for a little more "security"? Even if it's imaginary it makes for a great selling feature. Anyone arguing otherwise has a huge historical track record to refute.

TPM is old and dated and TPM2 is just a patched up rework of the same sinking ship that consistently keeps producing new leaks and generating new headaches. I wonder how many more features Intel is going to have to scrap just to dance to this tune, features that were tried and tested, features that were proven to work well without TPM.

"Trusted Platform Module (TPM) was conceived by a computer industry consortium called Trusted Computing Group (TCG). It evolved into TPM Main Specification Version 1.2 which was standardized by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889:2009.[4] TPM Main Specification Version 1.2 was finalized on March 3, 2011, completing its revision." - Trusted Platform Module - Wikipedia

It's old. It's dated. TPM needs to RIP with IDE.

How ironic that they're using an old and outdated idea to render newer hardware obsolete and unusable! What a glorious marketing strategy! :winkt:
I do agree with the sentiments of this thread. The problem with using hardware as a means of security mitigation is that it's often not patchable, so if it gets exploited then the hardware becomes obsolete; add that this consortium is a bunch of companies that make money from hardware sales and you can see the obvious problem.

There are so many obvious security issues within Windows (default accounts admin, svchost system, apps being stored in the writable user data area %userprofile%, versioned program paths making firewall rules and path-based security harder to manage, firewall allowing all outbound by default, SRP/AppLocker off by default, the list goes on); it feels like they're targeting the wrong areas and ultimately TPM has limited benefits.