
Functions of the TPM module. Step-by-step guide to the use of TPM services in Windows Vista

Trusted Platform Module, or TPM, is a separate microchip on the computer's system board that performs a specific range of tasks related to cryptography and computer protection.

For example, a TPM cryptoprocessor can be used to encrypt the computer's hard disk. Of course, the CPU can do this too, but then it has to perform additional work, and the encryption and decryption speed will be much lower. Encryption implemented in hardware in the TPM module takes place almost without loss of performance.

Decryption is sometimes incorrectly called deciphering. The difference between them is that in decryption the algorithm and the secret key with which the data was encrypted are known, whereas in deciphering they are not.

TPM can also protect credentials and check the programs running in the system. It prevents infection by rootkits and bootkits (kinds of malware that get into the computer before the operating system boots, or hide their presence in the system and therefore cannot be recognized by it), and it monitors the computer's configuration so that it is not changed without the user's knowledge.

In addition, each TPM cryptographic module has a unique identifier that is recorded directly in the chip and cannot be changed. The cryptoprocessor can therefore be used for authentication when accessing a network or any application.

TPM can generate persistent encryption keys when the operating system (OS) requires them.

But before the TPM module can be used, it must be configured. Setting up the module comes down to a few simple actions.

  • First, the chip must be activated in the computer's BIOS (if it is not already activated).
  • Second, you must become its owner at the operating system level.

Consider these steps in more detail.

1. Turning on the TPM module in the computer BIOS

To enable the module, enter the BIOS and go to the security section. Although BIOS menus differ significantly between computers, the section with security settings is usually called "Security". This section should contain an option called "Security Chip".

The module may be in three states:

  • Disabled.
  • Enabled but not activated (Inactive).
  • Enabled and activated (Active).

In the first state the module is not visible to the operating system; in the second it is visible, but the system will not use it; in the third the chip is visible and will be used by the system. Set the "Active" state.

In the same settings you can also clear the old keys generated by the chip.

Clearing the TPM can be useful if, for example, you want to sell your computer. Note that once the keys are cleared, you will not be able to recover data encrypted with those keys (if, of course, you have encrypted your hard disk).

Now save the changes ("Save and Exit" or the F10 key) and restart the computer.

After the computer boots, open Device Manager and make sure that the trusted module appears in the device list. It should be in the "Security Devices" section.

2. TPM module initialization in Windows

It remains to initialize the chip in the operating system. To do this, open the TPM management console: press Windows + R (the "Run" window opens), type tpm.msc in the input field and press Enter. The "Trusted Platform Module (TPM) Management on Local Computer" console will start.

Here, incidentally, you can read additional information: what TPM is, when it needs to be turned on and off, how to change the password, and so on. A good series of articles about TPM is available on the Microsoft website.

On the right side of the console there is an Actions menu. Click "Initialize TPM...". If this action is not available, your chip is already initialized. If it is not initialized and you do not know the owner password, it is advisable to reset and clear the module's memory as described in the previous section.


When the TPM initialization wizard starts, you will be prompted to create a password. Select the option "Automatically create the password".

The TPM initialization program will generate a password. Save it to a file or print it. Now click "Initialize" and wait a little.


On completion, the program will report that the module has been successfully initialized. After initialization, all further operations on the module (turning it off, clearing it, recovering data after failures, resetting a lockout) will be possible only with the password you have just obtained.

Now the initialization action has become inactive, but it is possible to turn off the TPM, change the owner password and reset the module lockout if one occurs (the module locks itself to prevent tampering or attacks).

In fact, this is where the user-visible capabilities of the TPM module end. All further operations that require the chip's functions will happen automatically: transparently for the operating system and unnoticed by you. All of this must be implemented in software. In more recent operating systems, such as Windows 8 and Windows 10, TPM capabilities are used more widely than in older OS.

Philosophers of the past loved to reason about freedom. "Those who are ready to give up their freedom to acquire short-lived protection against danger deserve neither freedom nor security," said Benjamin Franklin. "A man cannot be a slave at one moment and free at another. He is either free, or he is not at all," said Jean-Paul Sartre categorically. "Freedom is recognized necessity," the Marxists quoted Benedict Spinoza.

What is freedom? Is it important to be free, and is a person ready to exchange freedom for safety? These reflections were prompted by an event that went unnoticed by the general public. This summer, the ballot of the JTC1 technical committee on approval, under the PAS procedure, of the new version of ISO/IEC 11889:2015 was completed; the document was submitted by the Trusted Computing Group (TCG) consortium, which is based on the American companies AMD, Cisco, HP, IBM, Intel, Microsoft and Wave Systems. And on June 29, in Portland (Oregon), TCG announced that its Trusted Platform Module (TPM) 2.0 standard had finally been approved as an international one.

Advantages of TPM

TPM is the name of a specification describing a cryptoprocessor in which cryptographic keys are stored to protect information. Put more simply: it is an information security module that can be installed in servers, personal computers, network and mobile devices. It supports remote attestation, which ties together the hardware and the software of the computer.

The module is convenient for copyright holders, as it allows checking software licensing and controlling illegal copying of music, films or computer games. It uniquely identifies the computer and allows the user to be authenticated. At the same time, TPM makes it possible to generate keys and has hashing and random number generation functions.

The hardware capabilities of TPM are very limited in performance and do not allow large amounts of data to be encrypted directly at high speed. Bulk encryption of files on disks can be performed by software such as Windows BitLocker. In this case the cryptographic keys used are themselves encrypted by the TPM, which removes the possibility of their theft.

Thus, TPM together with Windows BitLocker can encrypt the disk, protect data if the computer is lost or stolen, protect software from modification and damage by viruses, and protect banking and e-mail programs.

The module is able to confirm the authenticity of the computer, and even its health, before it is granted network access. In general, it significantly improves the security of users, especially those who cannot solve information security issues on their own.

Indeed, TPM is an important and useful thing that significantly improves user security. But the question of the price of security arises. If a person installs a webcam in his home, he improves the safety of his dwelling: he can monitor the apartment remotely at any time and call the police if thieves appear. But if someone else seizes control of the webcam, it can turn into a surveillance device, and the information collected about a person into a means of control and management. And his apartment itself turns into a cell, or before long a prison.

Germany's position

The result of the vote in the ISO/IEC JTC1 technical committee was predictable. Germany voted against. Russia abstained, though its vote "against" would not have decided anything anyway. The majority supported the position of the Americans. Even an unprecedented action did not help: the circulation to the committee of a closed letter from official representatives of the Federal Ministry of the Interior and the Federal Ministry of Economics and Energy of the Federal Republic of Germany requesting that the project be "buried". Information about this document leaked to the German press and made a lot of noise.

At the state level, the German authorities denied the existence of such a letter, but what else could be expected from official power. The text of the German letter, which is at the disposal of the editorial office and whose authenticity we have no reason to doubt, says: "... the specifications submitted in the draft standard are not sufficient for making a decision; in particular, as a result of careful consideration of the issue, we have reason to believe that their implementation can significantly worsen the manageability of the protected ICT system, and potentially lead to situations of complete lockout of the system carried out in the interests of certain manufacturers of computing equipment. In addition, we believe that the potential impact of the proposed specifications on the level of confidentiality of personal data and on IT security may be very problematic, and we fear that this will run contrary to the relevant norms of German legislation."

At the same time, German information security specialists did not oppose TPM in principle. They were satisfied with the previous TPM 1.2 standard, which left the user full control over his platform: the TPM module could simply be disabled. In the TPM 2.0 standard this no longer works.

In addition, they were worried by the closed approach to developing the standard, in which only American companies participated. Zeit journalists reported that the German government had tried to take part in the development of TPM 2.0 but was refused. They also pointed to the active cooperation of the developers with the US NSA and cited the security assessment of TPM 2.0 by independent experts. The publication warned that TPM can be viewed as a backdoor and that there is a high probability that the NSA has access to the cryptographic keys.

Pitfalls and Windows

Experts of the German Federal Office for Information Security (BSI) warned that with the transition to the TPM 2.0 specification, this standard becomes mandatory for all devices running Windows 8.1 and higher, and this function cannot be deactivated.

In fact, a computer with TPM 2.0 can no longer be viewed as a device under full user control. There were concerns that Windows 8 with TPM 2.0 could allow Microsoft to control the computer remotely through a built-in backdoor.

Chinese experts also took note of the German warning. They studied the problem, looked into it in detail and made a decision. In May 2014 the Chinese state news agency Xinhua reported a ban on installing Windows 8 on government computers. And these are most likely computers belonging not only to the state but also to the structures the state controls: the largest banks, information security enterprises, telecoms, as well as other companies wishing to follow their government's recommendations.

Another internal BSI document obtained by the German publication says: "Windows 7 can be operated safely until 2020. After that, other solutions should be found for administering IT systems." And the BSI website states directly that the mechanism by which Windows 8 works with TPM 2.0 "can be used for sabotage by third parties" and that experts consider the use of the new version of TPM unacceptable for government organizations and critical infrastructure. So it seems the Germans and the Chinese will not rush to upgrade Windows 7 in the public sector, not even to Windows 8.

Russia's position

To find out Russia's position, we approached experts of the ISO/IEC JTC1 technical committee, the Russian companies Aquarius and Kraftway, and Microsoft with a request to comment on the seriousness of Germany's and China's concerns about the new standard.

Unfortunately, the experts either ignored our questions or said they refused to answer them. The only specialist who agreed to an interview was Vadim Podolny, an independent expert on cybersecurity of automated control systems.

What is good and what is dangerous about TPM?

TPM, whether it is the most common TPM 1.2 or the newly introduced TPM 2.0, is a technology standard promoted by major American companies. In essence, TPM is a separate module that is integrated into computers.

Now, in addition to PCs, servers, terminals and network routers, there are many new components connected to the network. These are controllers for industrial automation, the Internet of Things, devices responsible for human health such as pacemakers and glucose meters built into watches... Due to hacker intervention they can work incorrectly or, on the contrary, stop working. TPM trust modules solve an important task: trust in data, trust in the system, confirmation that it will work correctly.

The idea of TPM is correct. There must be standard modules that ensure the legal significance of information. The concept itself is as follows: make a module that is hard for hackers to make and that only a major state can make. It is like a banknote as a method of protecting money. There is nothing wrong with that.

The question is different. In Windows 7 there was the "My Computer" icon. In Windows 10 it is called "This PC". This is not your computer. Technologies are imposed on us that will provide our security regardless of whether we want it or not. It is as if the state introduced prohibition and said that from now on you will not drink, because society needs healthy soldiers. The same here.

If your computer is captured, then someone needs it for something. Possibly to spy on you. If you cannot disable this functionality, then it is not a means of protection. It is a passive means of attack. Collecting information is searching for a point of attack. Microsoft takes your computer for your money. It sells you its operating system and takes control of you.

Is it possible to check whether there is a backdoor in the TPM module or not?

You can analyze the standard. But when a computer arrives with a TPM module on its motherboard that was produced at an enterprise you do not control, you do not know what is inside. Anything could be added there.

But can a backdoor be added to any processor or controller?

Yes, of course. And the approach should be the same. In military systems, regulators will never allow the use of a chip made by who knows whom, even according to an open standard. That is why we have the "Baikal" and "Elbrus" processors. Russian engineering resources are sufficient to design our own TPM. For now we cannot manufacture it at our factories. Just like the processor. But we can design it and then check whether it was made as we needed, or whether something was added there. Such a mechanism will already allow TPM to be used.

And what should we do now, when we do not have our own TPM?

The TPM analogues in use, which largely perform its role, are hardware trusted boot modules. They are still used now, when TPM has appeared on motherboards.

The possibility of modifying the BIOS has also appeared; UEFI technology has appeared, a standard that allows trusted boot modules to be created in software. In fact, they can host programs that emulate the work of TPM, which is done in many developments. For example, in the SEOS operating system certified by the FSB.

What about a Russian TPM module?

Even now in Russia there are companies that order motherboards for their projects. For example, "Aquarius", "Kraftway", "T-Platforms", MCST and others. Each of them is quite able to design its own TPM module. And it will certainly be created soon, with support for domestic GOST cryptographic algorithms. And this is important not only for defense enterprises, but also for the broad circle of consumers obliged to implement the provisions of Law 152-FZ "On Personal Data".

And why did the Germans act against the TPM 2.0 standard?

Very simple. They want to protect their data and technology from the United States. Remember how SUSE Linux appeared? It happened after it turned out that when documents were transferred from one Bundeswehr department to another, the information first ended up in the NSA. Then SUSE Linux was created in Germany and the department was moved to work on this OS.

In Linux, starting from kernel 3.2, TPM 2.0 support is also announced. But it can be turned off. In Windows, from eight upwards, it cannot. Windows is a very convenient operating system for the user. It is remarkably thought out. Tens of thousands of programmers work to make users comfortable. But any change that is forcibly imposed with the words that it is for your safety is unnerving. For specialists, officials and the government alike.

In order not to be afraid of TPM, you need to carry out special research, check and find out whether there is something dangerous or not. This is a completely standard procedure. Sometimes it is done with a visit to the production site. This is normal practice: representatives of the country come to the manufacturer's country and spend some time at the production site, studying the processes.

And who will do this?

It may be of interest to large commercial companies. I think some research work in this format is already under way. And this is not of interest to the state, since there is no cryptography there, and so there are no existing modules for defense industries.

Is it possible to use computers with TPM in government agencies?

The use of TPM in government agencies is quite complicated. I think that in the following editions TPM will already have the possibility of substituting the cryptographic algorithm. You can already re-flash the BIOS and add your own components. It will be the same with TPM. As for current use in the public sector, it is too early to talk about it. But the possibility of implementing the standard needs to be studied. And it is also necessary to participate in the development of the next version. To be able to embed our cryptography in someone else's TPM.

... In general, the position is understandable. TPM is a new level in security. The state will somehow settle the defense question, and the rest will use what there is. In most cases TPM will protect them (in those protection matters that TPM provides), and they will not get the attention of Big Brother anyway.

The consortium itself, which started as a purely American project, is expanding. Currently TCG includes 11 members with Promoter status (AMD, Cisco, Fujitsu, HP, IBM, Infineon, Intel, Juniper, Lenovo, Microsoft and Wave Systems) and 74 members with Contributor status. Japanese and Chinese companies have appeared on these lists. But there are still no Russian representatives.

Freedom or security? The times of the existentialists Sartre and Camus, who chose "The Roads to Freedom" and studied the free man standing on the edge of "nothingness", have passed away with the past century. Most people chose security. And now they argue only about the length of the leash. So for the mass user the TPM problem does not exist. But the state should not be indifferent to the question of whose leash its state structures are on. And its citizens too.

Trusted Platform Module

In computing, Trusted Platform Module (TPM) is the name of a specification describing a cryptoprocessor in which cryptographic keys are stored to protect information, as well as the general name for implementations of that specification, for example in the form of a "TPM chip" or "TPM security device" (Dell). It used to be called the "Fritz chip" (after former Senator Ernest "Fritz" Hollings, known for his ardent support of copyright protection systems for digital information, DRM). The TPM specification is developed by the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 116, published March 3, 2011.

Brief overview

The Trusted Platform Module (TPM), a cryptoprocessor, provides the means for secure generation of encryption keys that can limit the use of keys (both for signing and for encryption/decryption), with the same degree of non-repeatability as a random number generator. The module also includes the following features: remote attestation, binding and secure storage. Remote attestation creates a link between the hardware, the system boot and the host configuration (the computer's OS), allowing a third party (such as a digital music store) to verify that software, or music downloaded from the store, has not been changed or copied by the user (see DRM). The cryptoprocessor encrypts data in such a way that it can only be decrypted on the computer where it was encrypted, running the same software. Binding encrypts data using the TPM endorsement key, a unique RSA key written into the chip during its manufacture, or another trusted key.

The TPM module can be used to confirm the authenticity of hardware. Since each TPM chip is unique to a specific device, it makes it possible to uniquely authenticate the platform, for example to verify that the system being accessed is the expected system.

TPM architecture

The following protective mechanisms are implemented in the chip architecture:

  • protected memory management,
  • bus and data encryption,
  • active shielding.

Active shielding allows the chip to detect electrical probing and, if necessary, block the chip. In addition, non-standard technological steps are used in the manufacture of TPM, such as obfuscating the topology of the IC layers. These measures significantly complicate hacking of the chip and increase its cost, which reduces the number of potential intruders.

Input/output (I/O)

This component manages the flow of information over the bus and sends messages to the appropriate components. The I/O component enforces the access policy associated with TPM functions.

Cryptographic processor

Performs the cryptographic operations inside the TPM. These operations include:

  • asymmetric key generation (RSA);
  • asymmetric encryption/decryption (RSA);
  • hashing (SHA-1);
  • random number generation.

TPM uses these capabilities for generating random sequences, generating asymmetric keys, digital signing and confidentiality of stored data. TPM also supports symmetric encryption for internal needs. All stored keys must be equivalent in strength to a 2048-bit RSA key.

Non-volatile memory (Non-volatile storage)

Used to store the endorsement key, the storage root key (SRK), authorization data and various flags.

Endorsement key (EK)

RSA key generator

Creates RSA key pairs. TCG does not impose minimum requirements on key generation time.

RSA engine

Used for digital signatures and encryption. There are no restrictions on the implementation of the RSA algorithm. Manufacturers may use the Chinese remainder theorem or any other method. The minimum recommended key length is 2048 bits. The value of the public exponent must be .

Trusted Platform

In TCG systems, roots of trust are components that must be trusted. A complete set of roots of trust has the minimum functionality necessary to describe the platform, which affects the trustworthiness of that platform. There are three roots of trust: the root of trust for measurement (RTM), the root of trust for storage (RTS) and the root of trust for reporting (RTR). RTM is a computing mechanism that makes reliable measurements of platform integrity. RTS is a computing mechanism capable of storing integrity hash values. RTR is a mechanism that reliably reports the information stored in the RTS. Measurement data describe the properties and characteristics of the measured components. The hashes of these measurements are a "snapshot" of the computer's state. They are stored using the functionality of the RTS and RTR. By comparing the hash of the measured values with the trusted state of the platform, one can judge the integrity of the system.
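As an added illustration (not part of the original article), the following Python models the RTM/RTS behaviour described above: measurements of a constructed boot chain are folded into a PCR by the TPM 1.2 extend rule, and a secret is sealed to the resulting value so that it is released only when the platform is in the same state. The boot images, the storage root key and the keyed-XOR wrapping are constructed stand-ins for what a real TPM keeps inside the chip.

```python
import hashlib
import hmac

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest (20 bytes)

# Constructed stand-ins for the boot components an RTM measures, in the
# order control passes through them. Real measurements would hash the
# actual firmware, boot loader and kernel images; these blobs are made up.
GOOD_BOOT_CHAIN = [
    b"BIOS firmware image (constructed)",
    b"boot loader image (constructed)",
    b"OS kernel image (constructed)",
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend rule: PCR_new = SHA-1(PCR_old || measurement).

    A PCR can only be extended, never overwritten, so every value folded
    in stays reflected in the final register and the order of extends
    matters. This is what makes the register a "snapshot" of the boot.
    """
    if len(pcr) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("PCR and measurement must both be SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot_chain(components) -> bytes:
    """Replay the RTM: hash each component and extend the PCR with it.

    The register starts at all zeros after reset; the RTS keeps the
    running value between extends.
    """
    pcr = bytes(PCR_LEN)
    for image in components:
        pcr = pcr_extend(pcr, hashlib.sha1(image).digest())
    return pcr


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Bind a secret to a PCR value (software model of TPM sealing).

    The wrapping keystream is derived from a storage root key that in a
    real TPM never leaves the chip (here a constructed byte string) and
    from the PCR state the secret is tied to. Keyed XOR plus an HMAC tag
    stands in for the chip's internal symmetric wrapping.
    """
    if len(secret) > 32:
        raise ValueError("this model wraps secrets of at most 32 bytes")
    keystream = hmac.new(srk, expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(srk, expected_pcr + blob, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "blob": blob, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes, srk: bytes) -> bytes:
    """Release the secret only if the platform is in the sealed-to state.

    A real TPM performs this comparison inside the chip; here it is made
    explicit so the policy check can be seen.
    """
    tag = hmac.new(srk, sealed["pcr"] + sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        raise PermissionError("sealed blob has been altered")
    if not hmac.compare_digest(sealed["pcr"], current_pcr):
        raise PermissionError("PCR mismatch: platform state differs from sealed state")
    keystream = hmac.new(srk, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], keystream))


def demo():
    """Seal a constructed volume key to a good boot, then try a tampered one."""
    srk = b"constructed storage root key, never leaves the chip"
    good_pcr = measure_boot_chain(GOOD_BOOT_CHAIN)
    sealed = seal(b"volume-master-key", good_pcr, srk)

    # Booting the same chain again reproduces the PCR and releases the key.
    released = unseal(sealed, measure_boot_chain(GOOD_BOOT_CHAIN), srk)

    # One changed component (a modified boot loader) changes the PCR, so the
    # key is not released: this is the integrity check the text describes.
    tampered = list(GOOD_BOOT_CHAIN)
    tampered[1] = b"boot loader image (modified)"
    try:
        unseal(sealed, measure_boot_chain(tampered), srk)
        refused = False
    except PermissionError:
        refused = True
    return released, refused


if __name__ == "__main__":
    key, blocked = demo()
    print("released:", key, "| tampered boot refused:", blocked)
```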

Possible applications

Authentication

TPM can be viewed as a next-generation authentication token (security token). The cryptoprocessor supports authentication of both the user and the computer, granting network access only to authorized users and computers. This can be used, for example, to protect e-mail with encryption or signing using digital certificates tied to the TPM. Also, replacing passwords with the use of TPM allows stronger authentication models to be built for wired, wireless and VPN access.

Protection of data from theft

This is the main purpose of the "protected container". Self-encrypting devices implemented on the basis of Trusted Computing Group specifications provide built-in encryption and data access control. Such devices provide full-disk encryption, protecting data if the computer is lost or stolen.

Benefits:

  • Performance improvement
Hardware encryption allows operating on the whole range of data without loss of performance.
  • Security enhancement
Encryption is always enabled. In addition, the keys are generated inside the device and never leave it.
  • Low cost of ownership
No modifications to the operating system, applications, etc. are required. The central processor's resources are not used for encryption.

The TPM + BitLocker combination has great prospects. This solution allows the entire disk to be encrypted transparently.

Network Access Control (NAC)

TPM can confirm the authenticity of the computer, and even its health, before it receives network access and, if necessary, put the computer in quarantine.

Protection from modification

Certification of program code will protect games from cheating, and sensitive programs such as banking and e-mail clients from deliberate modification. The insertion of a "Trojan horse" into a fresh messenger installer will be stopped immediately.

Copy protection

Copy protection is based on the following chain: the program has a certificate that gives it (and only it) access to the decryption key (which is also stored in the TPM). This provides copy protection that cannot be bypassed by software.

Adoption

Manufacturers

More than 300,000,000 computers have already been equipped with a TPM chip. In the future, TPM may be installed in devices such as cell phones. TPM microcontrollers are manufactured by the following companies:

  • Sinosun
  • Nuvoton

Criticism

Trusted Platform Module is criticized for its name (trust is always mutual, whereas the user and the developers of TPM do not trust each other) and for the infringement of freedom associated with it. For these infringements the device is often called treacherous computing.

Loss of "ownership" of the computer

The computer owner can no longer do whatever he wants with it, having handed over part of his rights to software manufacturers. In particular, TPM may interfere (due to errors in software or deliberate developer decisions) with:

  • transferring data to another computer;
  • freely choosing software for your computer;
  • processing existing data with any available programs.

Loss of anonymity

It is enough to recall the disputes about the Pentium III processor identification number to understand what a remotely readable and unchangeable computer identifier can cause.

Suppression of competitors

A program that has become the industry leader (like AutoCAD, Microsoft Word or Adobe Photoshop) can impose encryption on its files, making it impossible to access these files with other manufacturers' programs, thus creating a potential threat to free competition in the application software market.

Failure

When the TPM fails, the protected containers become inaccessible and the data in them unrecoverable. TPM is practical only if there is a complex backup system; naturally, to preserve secrecy, it must have its own TPMs.

Hacking

At the Black Hat 2010 computer security conference, a hack of the Infineon SLE66 CL PE chip, manufactured to the TPM specification, was announced. This chip is used in computers, satellite communications equipment and game consoles. An electron microscope (costing about $70,000) was used for the hack. The chip's casing was dissolved with acid, and tiny needles were used to intercept commands. Infineon states that they knew about the possibility of physically hacking the chip. Borchert, a vice-president of the company, assured that the expensive equipment and technical complexity of the hack pose no danger to the overwhelming majority of chip users.

Information Security: Trusted Platform Module and Red Pill. Part 2.

Article:

From the editors of the VM Guru portal: This article by Andrey Lutsenko, an information security specialist including in virtual environments, tells about a potential vulnerability of many software and hardware complexes, from workstations to server systems. In our opinion the material is unique, interesting and relevant today for many environments requiring increased attention to information security. We thank Andrey for the valuable material provided. To contact the author, use the information in the section "".

Using a hyperdriver you can monitor the operating protocols of various devices, even devices intended to protect computing systems and having special protection against illegal intervention: not only TPM modules, but also various smart cards and all sorts of tokens.

The demo version of the "Red Pill" hyperdriver has been modified in the area of device control: specific handlers controlling the address spaces of the TPM module are hooked into the virtualization platform; when attempts are made to access these hardware resources, the hyperdriver records these events in a dump, and the dump can be viewed through the hyperagent.

In addition to recording the hardware event, the address of the instruction in the software module that performs this access to the hardware is recorded. The hyperagent allows these software modules to be viewed and, if necessary, saved to a file for further analysis.

The most common software using the TPM module to store encryption keys is BitLocker, and it is the operation of this program that the "Red Pill" hyperdriver observes in the screenshots below.

The protocol of BitLocker's work with the TPM module

Initially (at the OS boot stage) BitLocker uses BIOS functions to read the key-encryption keys from the TPM module; this work goes through the I/O port address space.
After the OS kernel loads, the operating system begins working with the module according to protocol 1.2, and information is exchanged through the MMIO address space.

Protocol activation TRM module (Click to deploy a picture)

Also controlled Administration of the TRM module special windows serviceFor example, the initialization protocol is recorded by a pure TRM module and input the activation key in it. By analogy, you can easily read with the TRM module and other encryption keys, activation, but these are only those keys that the TRM module exchanges from the OS. Keys that do not leave the TRM module, you can read by registering the protocol reserve copy On the external support of the contents of the TRM module.

From the text above it may seem that this topic is not relevant for our country, since TPM modules are prohibited from use here, and other imported information-protection tools are used only for confidential data.

The basis of Russian information security is trusted boot modules (MDZ) of the "Accord" and "Sobol" type, etc. In addition, impenetrable methods of disconnecting local networks from external Internet access lines, in the plans of information security architects, completely eliminate all risks of external penetration.

But, "oh God", these impenetrable products of Russian engineering and administrative thought are easily bypassed by hypervisors, and the protection bursts at the seams (protection as such has long ceased to exist; there is only a multi-million-dollar business).

In addition, information security as an institution of state policy has become a complete fiction, in the spirit of the old Russian saying: "The severity of the laws is compensated by the optional nature of their enforcement."

A specific example:

The use of cryptographic tools, and of installations containing such tools, in Russia is possible only on the basis of a license (Decree of the President of the Russian Federation of April 3, 1995) or of a notification.

In this model, the manufacturer installs the TPM module on the board and supplies the laptop to Russia under the notification procedure, reporting that the device was disabled by the manufacturer at the production stage:

The CF-52 board carries a TPM module manufactured by Infineon, SLB 9635 TT1.2

In this expensive and advanced laptop model, the TPM module can be made operational in the operating system by simple manipulations of the BIOS ACPI tables, as demonstrated below.

From the slides above it can be seen that the importer lied in its notification, and the controlling state bodies "got lucky".

Moreover, permission to import allegedly disabled TPM modules is a serious threat to the information security of the country, since these allegedly "disabled" TPM modules are used by the remote management systems of computing installations, from laptops up to servers. In remote management systems they are responsible for authorizing the remote node to take control of the computing installation.

But enough of the sad part; there is an area in which hardware virtualization technology can seriously help. In fact it is possible, if not to put an end to viruses, then to seriously complicate their life (this concerns viruses proper, not trojans and other rubbish that exploits the dullness and incompetence of the user).

A description of the hyperdriver for solving this noble anti-virus task will be given in the next article.


Trusted Platform Modules are small chips that serve to protect data and have been used in computers, consoles, smartphones, tablets and receivers. Currently, approximately a billion devices are equipped with TPM chips, and 600 million of them are office PCs.

Since 2001, supporters of the "conspiracy theory" have regarded the chips as a control tool that supposedly allows the user's rights to be limited: theoretically, TPM chips could be used, for example, to restrict illegal copying of films and music. However, in the last 12 years there has not been a single such case. Moreover, Windows uses such a module for secure boot and for encryption of the hard disk via BitLocker. Thus, TPM provides an advantage in the fight against malware and data theft.

Despite all this, the version 2.0 specification has attracted a lot of attention, because TPM chips are now enabled "by default" (earlier the user had to activate them independently). Apparently, it will soon be difficult to find devices on sale without TPM 2.0, since Microsoft has changed the certification criteria for Windows. Since 2015, the TPM 2.0 standard has been mandatory for everyone; otherwise the hardware manufacturer will not receive certification.

The TPM manager in the Windows Control Panel displays the status and version of the TPM chip

The TPM chip guarantees OS security

The most effective way of protecting the system, one that excludes the possibility of hacker penetration, is the use of a TPM hardware chip. It is a small "computer within a computer": a trusted module with its own processor, RAM, storage and I/O interface.

The main task of TPM is to provide the operating system with guaranteed secure services. For example, TPM chips store the cryptographic keys used to encrypt data on the hard disk. In addition, the module confirms the identity of the entire platform and checks the system for possible tampering by hackers with the operation of the hardware. In practice, TPM in tandem with UEFI Secure Boot provides the user with a fully protected and secure process of starting the operating system.

Microsoft calls the stage at which third-party code (the anti-virus scanner) is loaded Measured Boot. For the Early Launch Anti-Malware (ELAM) driver, Microsoft provides anti-virus developers with a signature. If it is missing, UEFI interrupts the boot process. The kernel checks the anti-virus protection at startup. If the ELAM driver passes the check, the kernel recognizes the other drivers as valid too. This eliminates the possibility that rootkits influence the Windows boot process and "take advantage of the situation" while the anti-virus scanner is not yet active.
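What Measured Boot gives the kernel and the anti-virus driver is a chain of PCR extends that cannot be undone: each loaded component is hashed into the register before it runs, so a replaced component leaves a different value, and a key sealed to the expected value is not released. The following is an added example, not Microsoft's or the page's code: it models one PCR bank (SHA-1 as in TPM 1.2, SHA-256 as in TPM 2.0) receiving a constructed Windows boot chain, replays the event log against the PCR, and performs the equality check that stands in for the TPM's PCR policy. The component contents and names are constructed placeholders.

```python
import hashlib
import hmac

PCR_BANKS = {"sha1": 20, "sha256": 32}   # TPM 1.2 had only SHA-1; TPM 2.0 adds SHA-2 banks


def pcr_extend(pcr, digest, algo):
    """One PCR extend: PCR_new = H(PCR_old || digest). A PCR can be extended but never set."""
    if len(pcr) != PCR_BANKS[algo] or len(digest) != PCR_BANKS[algo]:
        raise ValueError("PCR and digest must match the %s bank size" % algo)
    return hashlib.new(algo, pcr + digest).digest()


def measured_boot(components, algo="sha256"):
    """Measure each boot component, in load order, into a single PCR (starts at all zeros).

    Returns the final PCR value and an event log of (name, digest) pairs, the two
    things a verifier later compares: the log says what was loaded, the PCR proves
    the log was not edited after the fact.
    """
    pcr = bytes(PCR_BANKS[algo])
    event_log = []
    for name, image in components:
        digest = hashlib.new(algo, image).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest, algo)
    return pcr, event_log


def replay_event_log(event_log, algo="sha256"):
    """Recompute the PCR from the log alone; a mismatch means the log was tampered with."""
    pcr = bytes(PCR_BANKS[algo])
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest, algo)
    return pcr


def unseal_allowed(expected_pcr, actual_pcr):
    """Stand-in for the TPM's PCR policy check: a key sealed to expected_pcr is
    released only when the state measured at this boot is identical."""
    return hmac.compare_digest(expected_pcr, actual_pcr)


# Constructed boot chain (contents are placeholder strings, not real binaries).
GOOD_CHAIN = [
    ("uefi_firmware", b"UEFI firmware image v1 (constructed)"),
    ("bootmgr", b"Windows boot manager (constructed)"),
    ("winload", b"Windows OS loader (constructed)"),
    ("elam_driver", b"Early Launch Anti-Malware driver, signed (constructed)"),
]
# The same chain with the ELAM driver replaced, which is what a boot-time rootkit would
# have to achieve; the measurement makes the substitution visible in the PCR.
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [
    ("elam_driver", b"ELAM driver with injected code (constructed)")]

if __name__ == "__main__":
    good_pcr, log = measured_boot(GOOD_CHAIN)
    bad_pcr, _ = measured_boot(TAMPERED_CHAIN)
    print("event log replays to the PCR:", replay_event_log(log) == good_pcr)
    print("unseal allowed after tampering:", unseal_allowed(good_pcr, bad_pcr))
```

The order of extends matters as much as the contents: loading the same components in a different sequence also yields a different PCR, which is why the loader cannot defer the anti-virus driver behind a rootkit and still produce the expected measurement.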

The previous TPM 1.2 specification used outdated technology, with the RSA-2048 and SHA-1 algorithms fixed in the hardware (the latter is considered unsafe). Instead of strictly defined algorithms, TPM 2.0 chips can provide various symmetric and asymmetric methods; for example, SHA-2, HMAC, ECC and AES are currently available. In addition, support for new cryptographic algorithms can be added to TPM 2.0 by an update.

TPM chips generate the keys for BitLocker, the Windows encryption system

The approach to keys has also changed. Whereas earlier two fixed cryptographic keys served as the foundation for all the services offered, TPM 2.0 works with very large random numbers, the so-called primary seeds. The required keys are then generated by mathematical functions using these seeds as input data. TPM 2.0 also provides the ability to generate keys intended for one-time use only.
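The property worth seeing in code is the one this paragraph describes: a primary seed plus a template yields the same key every time, so primary keys need no storage and are simply re-derived, while a random context yields a key that cannot be reproduced afterwards. The following is an added example and not the TPM's own implementation: its `kdfa` follows the KDFa construction of the TPM 2.0 library specification (SP 800-108 counter mode over HMAC), whereas the label, the way the template is hashed into a context, and the sample seed are illustrative assumptions. A real seed is generated by the TPM's own random number generator and never leaves the chip.

```python
import hashlib
import hmac
import os
import struct


def kdfa(hash_alg, key, label, context_u, context_v, bits):
    """KDFa from the TPM 2.0 library spec (SP 800-108 counter mode with HMAC):
    K(i) = HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32)."""
    if not label.endswith(b"\x00"):
        label += b"\x00"
    out = b""
    counter = 1
    while len(out) * 8 < bits:
        msg = (struct.pack(">I", counter) + label + context_u + context_v
               + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_alg).digest()
        counter += 1
    return out[:(bits + 7) // 8]


def template_name(template, hash_alg="sha256"):
    """Hash of the object template (algorithm, size, attributes): the derivation
    input that ties a primary key to exactly the parameters it was requested with.
    The canonical encoding below is an assumption of this example, not the TPM's."""
    canonical = "|".join("%s=%s" % kv for kv in sorted(template.items())).encode()
    return hashlib.new(hash_alg, canonical).digest()


def derive_primary_key(primary_seed, template, hash_alg="sha256", bits=256):
    """Derive a primary key's secret from a primary seed and a template.

    Simplified model of TPM 2.0 primary-object creation: the TPM does not store
    primary keys, it re-derives them whenever the same template is presented
    against the same seed. Changing the seed (as TPM2_Clear does for the storage
    hierarchy) therefore invalidates every key derived from it at once."""
    return kdfa(hash_alg, primary_seed, b"PRIMARY_OBJECT_CREATION",
                template_name(template, hash_alg), b"", bits)


def derive_one_time_key(primary_seed, template, hash_alg="sha256", bits=256):
    """Key for single use: a fresh random nonce enters the derivation as contextV and
    is discarded, so the result cannot be re-derived even with seed and template."""
    nonce = os.urandom(32)
    return kdfa(hash_alg, primary_seed, b"ONE_TIME",
                template_name(template, hash_alg), nonce, bits)


# Constructed values: a stand-in seed and two templates of the kind a caller presents.
SAMPLE_SEED = bytes(range(32))
TEMPLATE_RSA2048 = {"type": "rsa", "bits": 2048, "name_alg": "sha256",
                    "attrs": "restricted|decrypt|fixedTPM"}
TEMPLATE_ECC_P256 = {"type": "ecc", "curve": "nist_p256", "name_alg": "sha256",
                     "attrs": "restricted|decrypt|fixedTPM"}

if __name__ == "__main__":
    k1 = derive_primary_key(SAMPLE_SEED, TEMPLATE_RSA2048)
    k2 = derive_primary_key(SAMPLE_SEED, TEMPLATE_RSA2048)
    print("same seed + same template -> same key:", k1 == k2)
    print("other template -> other key:", k1 != derive_primary_key(SAMPLE_SEED, TEMPLATE_ECC_P256))
    print("one-time keys differ:",
          derive_one_time_key(SAMPLE_SEED, TEMPLATE_RSA2048)
          != derive_one_time_key(SAMPLE_SEED, TEMPLATE_RSA2048))
```

Because the hash algorithm is a parameter of the derivation, the same construction serves whichever bank the chip offers, which is the algorithm agility the preceding section attributes to TPM 2.0.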