One of the factors that will affect some miscreants is that the TPM can enforce gaming bans more easily. Several of my friends have VAC bans on their accounts, not sure why, but they are perpetual. At present the TPM is used to manage Secure Boot to protect Windows from malicious attacks.

Rootkits are an example of why Secure Boot is necessary. Sony was unhappy with the iPod and made the mistake of using a rootkit on compact discs. That led to a wave of attacks based on the Sony example. Today Sony has wised up and sells 5-CD box sets galore from several periods and genres.

The gaming community tends to overhaul the motherboard frequently. The X570 with PCIe 4.0 was a great upgrade which eventually led to the development of very fast boot times with the Samsung 980 PRO SSD.

The outlook for 2022 is for new DDR5-based motherboards. Other features like USB 4.0 and PCIe 5.0 are also of interest. It is not known how new motherboards will be configured. Usually the next wave brings more features than the first wave. AMD AM4 adoption of PCIe 4.0 came with the third wave of processors.

The screenshot shows the TPM 2.0 feature of the R5 3600 processor. The obsolete SHA-1 hash is disabled in favor of SHA-256, which seems to be less problematic.

The existing X570 is powerful, so the move to PCIe 5.0 is more attractive than DDR5. DDR5 will be expensive, which is why a lot of coverage of DDR4-based options is seen with upcoming designs. It remains to be seen whether the TPM standard is updated to improve overall security.

Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security.

Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. AMD X570 with the Ryzen 3600 offers separation of Secure Boot and the TPM, which is probably the best approach.

Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.

Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.

The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).

Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or quote) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device.
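The measurement chain, quote and verifier evaluation described above, as an added example that is not part of this page or of Microsoft's own code. It models the SHA-256 PCR bank from the screenshot: each boot component is hashed and folded into a PCR with the TPM extend rule, the TPM signs a nonce plus the selected PCRs, and the verifier replays the reported event log to check that it really produces the signed values before deriving a simple assertion (BitLocker on or off). The event logs, PCR index choices and component bytes are constructed placeholders, and the HMAC "signature" stands in for a real TPM's asymmetric attestation identity key signature so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

PCR_LEN = 32  # SHA-256 PCR bank, as in the page's screenshot (SHA-1 bank disabled)


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend: new PCR = SHA-256(old PCR || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay(event_log) -> dict:
    """Recompute every PCR from an event log of (pcr index, label, data) entries."""
    pcrs = {}
    for idx, _label, data in event_log:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_LEN)), data)
    return pcrs


def pcr_digest(pcrs: dict, selection) -> bytes:
    """Digest over the selected PCRs in selection order (untouched PCRs read as zero)."""
    return hashlib.sha256(b"".join(pcrs.get(i, bytes(PCR_LEN)) for i in selection)).digest()


def make_quote(pcrs: dict, selection, nonce: bytes, aik_key: bytes) -> dict:
    """Stand-in for TPM2_Quote: bind the verifier's nonce to the PCR digest and sign it.
    Assumption: HMAC with a shared key replaces the asymmetric AIK signature a real TPM makes."""
    digest = pcr_digest(pcrs, selection)
    return {"nonce": nonce, "selection": list(selection), "pcr_digest": digest,
            "sig": hmac.new(aik_key, nonce + digest, "sha256").digest()}


def verify_quote(quote: dict, claimed_log, expected_nonce: bytes, aik_key: bytes) -> dict:
    """Verifier side: check signature and freshness, then confirm that the claimed
    event log replays to exactly the PCR values the TPM signed."""
    attested = quote["nonce"] + quote["pcr_digest"]
    if not hmac.compare_digest(hmac.new(aik_key, attested, "sha256").digest(), quote["sig"]):
        return {"trusted": False, "reason": "bad signature"}
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return {"trusted": False, "reason": "stale nonce"}
    if pcr_digest(replay(claimed_log), quote["selection"]) != quote["pcr_digest"]:
        return {"trusted": False, "reason": "event log does not match PCRs"}
    # Only a log that reproduces the signed PCRs is trustworthy enough to read assertions from.
    bitlocker_on = any(label == "BitLocker status" and data == b"BitLocker=on"
                       for _i, label, data in claimed_log)
    return {"trusted": True, "bitlocker_on": bitlocker_on}


# Constructed event logs, not real Windows measurements. PCR numbering is illustrative
# (4 for the boot manager, 7 for Secure Boot policy, 11 for Windows boot state).
HONEST_LOG = [
    (4, "Windows Boot Manager", b"bootmgfw.efi build 1"),
    (7, "Secure Boot policy", b"SecureBoot=1"),
    (11, "Windows kernel", b"ntoskrnl.exe build 1"),
    (11, "ELAM driver", b"wdboot.sys build 1"),
    (11, "BitLocker status", b"BitLocker=on"),
]
# The same machine booted with BitLocker off: this is what the TPM actually measured.
ACTUAL_LOG = HONEST_LOG[:-1] + [(11, "BitLocker status", b"BitLocker=off")]


def demo() -> dict:
    aik_key = secrets.token_bytes(32)  # constructed AIK stand-in
    selection = [4, 7, 11]
    # Healthy device: reported log and TPM contents agree.
    nonce = secrets.token_bytes(16)
    honest = verify_quote(make_quote(replay(HONEST_LOG), selection, nonce, aik_key),
                          HONEST_LOG, nonce, aik_key)
    # Device that booted with BitLocker off but reports the "on" log: the quote is
    # genuine, yet the claimed log no longer replays to the signed PCR values.
    nonce = secrets.token_bytes(16)
    lying = verify_quote(make_quote(replay(ACTUAL_LOG), selection, nonce, aik_key),
                         HONEST_LOG, nonce, aik_key)
    # An old quote presented against a fresh challenge is rejected as stale.
    old_quote = make_quote(replay(HONEST_LOG), selection, secrets.token_bytes(16), aik_key)
    replayed = verify_quote(old_quote, HONEST_LOG, secrets.token_bytes(16), aik_key)
    return {"honest": honest, "lying": lying, "replayed": replayed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of checks matters: the signature proves the PCR digest came from the TPM, the nonce proves it was produced for this challenge, and only then does the log replay tell the verifier whether the reported boot history is the one the TPM actually saw. The simple assertion is read from the log last, which is the point the Health Attestation service paragraph makes about extracting "BitLocker on or off" from measured boot data.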

Process to Create Evidence of Boot Software and Configuration Using TPM.

Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.

Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.

The TPM will be able to store several certificates. These certificates are used with Windows when connecting to SSL-encrypted sites. The attestation can be used to secure sessions with remote desktop or with a browser. Banking will be more secure as well with the TPM certificates, as the attestation between the bank and the client will be protected. The same applies for the remote employee at the bank who needs to handle customer service calls.

Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use.

One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. The easiest way to circumvent pass the hash is to use a salted hash for the system. A typical 512-bit salt ensures that the password list is secure.
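Salted, iterated password hashing as the passage prescribes, as an added example and not code from this page. Each user record carries its own random 64-byte salt (the 512 bits mentioned above), so two users with the same password end up with different stored hashes and a table precomputed for one salt cannot be reused against the rest of the list. The PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os

SALT_LEN = 64          # 512-bit salt, the size the passage mentions
ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise it to what your hardware tolerates


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Create a stored record: a fresh random salt plus the iterated hash over it."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users choosing the same password get unrelated stored hashes, and both
    still verify; this is the property the per-user salt buys."""
    a, b = hash_password(password), hash_password(password)
    return (a["salt"] != b["salt"] and a["hash"] != b["hash"]
            and verify_password(password, a) and verify_password(password, b))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample password
    print("salt bytes:", len(rec["salt"]))
    print("right password verifies:", verify_password("correct horse battery staple", rec))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", rec))
    print("same password, distinct hashes:", same_password_distinct_hashes("hunter2"))
```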

Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
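The key-protection behaviour this paragraph describes, as an added example that is not Microsoft's code or this page's own: a secret is sealed to the PCR value reached at the point where the isolated region is initialized, the secret is released only while the PCR holds exactly that value, and once the initialization step extends the PCR again (a separator event, an assumption made here to mirror "not available for the normal operating system kernel") or a different boot sequence is measured, the same unseal request fails. The storage root secret, the sealed key, the event names and the XOR-with-keystream wrapping are constructed stand-ins for the TPM's real sealing primitives.

```python
import hashlib
import hmac
import secrets


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend: new PCR = SHA-256(old PCR || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def _wrap_key(srk: bytes, pcr_value: bytes) -> bytes:
    # Key that exists only for one exact PCR value: a stand-in for a TPM PCR policy
    return hmac.new(srk, b"seal-policy" + pcr_value, "sha256").digest()


def seal(secret: bytes, srk: bytes, policy_pcr: bytes) -> dict:
    """Bind a 32-byte secret to the PCR value the policy demands (toy wrapping:
    one SHA-256 keystream block plus an HMAC tag; assumed, not the TPM's format)."""
    if len(secret) != 32:
        raise ValueError("this toy wrapper handles exactly 32-byte secrets")
    key = _wrap_key(srk, policy_pcr)
    keystream = hashlib.sha256(key + b"keystream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, keystream))
    return {"ct": ct, "tag": hmac.new(key, ct, "sha256").digest()}


def unseal(blob: dict, srk: bytes, current_pcr: bytes):
    """Release the secret only if the current PCR equals the value it was sealed to;
    any other PCR derives a different key, the tag check fails and nothing is returned."""
    key = _wrap_key(srk, current_pcr)
    if not hmac.compare_digest(hmac.new(key, blob["ct"], "sha256").digest(), blob["tag"]):
        return None
    keystream = hashlib.sha256(key + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


def demo() -> dict:
    srk = secrets.token_bytes(32)      # constructed storage root secret
    cg_key = secrets.token_bytes(32)   # constructed key the isolated region needs at boot
    pcr = bytes(32)
    for event in (b"bootmgfw.efi", b"ntoskrnl.exe", b"vbs-init"):   # constructed boot events
        pcr = extend(pcr, event)
    at_vbs_init = pcr
    blob = seal(cg_key, srk, at_vbs_init)
    got_during_init = unseal(blob, srk, at_vbs_init)
    # The isolated region caps the PCR with a separator event once it holds the key,
    # so the normal kernel that runs afterwards can never present the policy value.
    pcr = extend(pcr, b"vbs-init-complete")
    got_after_cap = unseal(blob, srk, pcr)
    # A boot that skipped the measured kernel never reaches the policy value either.
    tampered = extend(extend(bytes(32), b"bootmgfw.efi"), b"vbs-init")
    got_tampered = unseal(blob, srk, tampered)
    return {"during_init": got_during_init == cg_key,
            "after_cap": got_after_cap, "tampered": got_tampered}


if __name__ == "__main__":
    print(demo())
```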