Windows 11: Microsoft explains TPM usage

The previous preliminary versions of Windows 11 can only be installed on desktop PCs, notebooks and tablets that have a Trusted Platform Module (TPM) according to the TPM 2.0 specification. Microsoft security expert David Weston explains in a blog entry what Windows 11 uses TPM 2.0 (or fTPM 2.0) for. Essentially, the TPM should enable so-called “zero trust” concepts.

Weston names four functional areas. Accordingly, the first step is to generally strengthen the security and trustworthiness of the Windows platform. He mentions the concept of virtualization-based security (VBS, virtualization-based security), which can already be used in Windows 10, with the hypervisor-protected code integrity function (HVCI, hypervisor-protected code integrity). A TPM has so far been optional for VBS; according to Microsoft documentation can, however, better protect the TPM key that VBS uses for encryption.

David Weston also mentions Secured-Core PCs with stronger protection against manipulation of the firmware (the UEFI BIOS). As explained in the message “Basic information on the Trusted Platform Module TPM 2.0”, a Dynamic Root of Trust for Measurement (DRTM) that uses the TPM-PCR 17 is used. Weston leaves open whether more protected PC firmware – for example with functions like BootGuard – is one of the “requirements” for PCs with the Windows 11 logo.

TPMs, in combination with the functions of Windows Hello and Windows Hello for Business, should also enable authentication without passwords. So far, TPMs can optionally be integrated into Windows Hello for Business. The TPM use of Windows Hello would be new in Windows 11.

Finally, Weston mentions it TPM support for the cloud function Microsoft Azure Attestation. So let through cryptographic algorithms and hardware trust anchors (root of trust) such as a TPM provide evidence of the existence of certain protective functions and compliance with policies, for example in order to exchange confidential and sensitive data. So it’s about functions for the use of confidential computing in Trusted Execution Environments (TEEs).

Microsoft wants to use additional hardware security functions with Windows 11 in the future. The installation of the “Pluton” safety controller directly in processors and systems-on-chip from AMD, Intel and Qualcomm is planned, which Weston also mentions.

As protection against malware attacks with return or jump-oriented programming (ROP / JOP), Microsoft has been working on hardware-enforced stack protection (e.g. with a Shadow Stack), which in turn use the Control-Flow Enforcement Technology (CET) of new AMD and Intel processors or ARM PAC. But this works independently of a TPM.

It is still unclear whether Microsoft will require a TPM 2.0 for a Windows 11 upgrade. Currently there are only pre-versions of Windows 11, so no final installer. Tinkerers have already found several ways how these preliminary versions can also be installed on hardware without TPM 2.0.

More from c't magazine

More from c't magazine

More from c't magazine

More from c't magazine


To home page