
Certain "Special Purpose Systems" Variants of Windows 11 Ship Without the TPM 2.0 Requirement

btarunr

Editor & Senior Moderator
Perhaps the most controversial system requirement of the upcoming Windows 11 operating system is the need for a hardware trusted platform module that meets TPM 2.0 specs. Most modern computers fulfill this requirement using fTPM (firmware TPM) solutions built into their processors, and those that don't have TPM headers for add-on TPMs, which scalpers have their eye on. It turns out that Microsoft is designing special variants of Windows 11 for special contracts Microsoft will execute.

Computers sold under the scheme will be marked "special purpose systems," and the Windows 11 version running them will do away with the TPM 2.0 requirement. These systems are very likely to be Government or Military; or perhaps even variants Microsoft exports to countries like China and Russia, which have their own specialized cybersecurity policies and dictate software to be written a certain way to be sold in the country.



 
If only they would allow 7th gen Intel CPUs... sigh. M$ is so smart... like when they fail security in-house... lol

Fun fact, many of the 8th gen U-series cpus are supported and those are Kaby Lake R.
Meanwhile the 7900X from Q2 2017 is not supported while Xeon 8180 from Q3 is. Both of these being Skylake.
Microsoft literally drew a line in the sand at around mid 2017.
 
This is related to countries that don't allow certain "foreign" crypto technology or that are on lists that ban export of such technology to said countries.
 
Fun fact, many of the 8th gen U-series cpus are supported and those are Kaby Lake R.
Meanwhile the 7900X from Q2 2017 is not supported while Xeon 8180 from Q3 is. Microsoft literally drew a line in the sand at around mid 2017.
Same as Ryzen 1000 not being supported while the 2000 series is, and it's the same CPUs
 
Fun fact, many of the 8th gen U-series cpus are supported and those are Kaby Lake R.
Meanwhile the 7900X from Q2 2017 is not supported while Xeon 8180 from Q3 is. Both of these being Skylake.
Microsoft literally drew a line in the sand at around mid 2017.

well...not literally, but we get your point
 
m$ does it again, think they know whats best for everyone and forces you to buy into it.
 
Some consumer motherboards have an option to disable the M.E.
I know mine does and it is disabled.

Reminds me of how Intel CPUs include that secretive ME (Remote Management Engine) embedded 2nd micro-processor, whilst PCs designed for High Assurance Platform (government purposes) get the ability to turn the "security feature" off for... security reasons... ;)
HAP bit is literally present on every ME ever made. There just isn't necessarily a bios menu option for it, but it can still be toggled.

It's also not a "second processor." It's your same processor, running code with above admin level privileges.
 
....and there we go, this was inevitable. Of course the first official offering from Microsoft to the public will be full of false caveats and requirements to entice/trick users into using a Microsoft account and giving Microsoft even more hardware authority over a system than they already have. The TPM 'requirement' is just stronger identification and control of your OS license and despite TPM having beneficial security uses for a user, its only real high-profile press coverage so far has been (ab)use by OEMs taking advantage of the "trust" in TPM to push their own software/firmware without requiring user consent.

So many people are still using older systems that don't have TPM built in and Microsoft doesn't want to lose those users so W11 variants without the draconian requirements weren't just expected, they are practically guaranteed.

You may have to jump through some hoops to legally obtain these versions, just like you had to for the old LTSB licenses. However, the ole' Mary Celeste will still no doubt be a backup for people with ethics as shady as Microsoft's.
 
I can see this turning into a real shit show pretty quick..
 
I'm loving windows 11 !! On dev mode. Took less than 5 minutes today. So far, so good.
Seamless upgrade from existing W/10 install. Way to go MS.
 
It's also not a "second processor." It's your same processor, running code with above admin level privileges.
It is a second processor. It always has been. It lives in the chipset and since Skylake is also an x86.
From Wikipedia:
The Intel Management Engine (ME), also known as the Intel Manageability Engine,[1][2] is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008.[1][3][4] It is located in the Platform Controller Hub of modern Intel motherboards.
 
It is a second processor. It always has been. It lives in the chipset and since Skylake is also an x86.
From Wikipedia:
It used to be a separate ARC core on the chipset but it hasn't been since X58, when it both became x86, minix based, and on your general cpu. Keep in mind, I'm one of the chief researchers in the effort to disable the Intel ME in firmware, so I know a lot more than Wikipedia.
 
It used to be a separate ARC core on the chipset but it hasn't been since X58, when it both became x86, minix based, and on your general cpu. Keep in mind, I'm one of the chief researchers in the effort to disable the Intel ME in firmware, so I know a lot more than Wikipedia.
And yet what you wrote is wrong, because ME was never located on the CPU itself. Obviously Intel themselves are wrong about where they put it:
(attached image: intel-active-management-technology-architecture.png)


Also how come AMT is functional with the CPU not in the socket? :)
 
Also how come AMT is functional with the CPU not in the socket?
AMT is a vPro technology which does feature a chipset coprocessor. It is somewhat separate from the core Intel ME suite but interacts with it fully. And interestingly, all modern chipsets do have this coprocessor, but it is off by default in consumer SKUs. You can toggle it on with some hackery to the image but I don't really desire out of band management.

I know what Intel says but I've been through the minix binaries and it's quite clear where the core ME binaries (as well as the watchdog) run.

Intel also claimed for years the HAP bit was non-existent. They aren't beyond telling what is, in generous terms, a simplified version of the truth.

Fun fact while we are at it: their RAID solution is run on your primary cpu, too.
 
AMT is a vPro technology which does feature a chipset coprocessor. It is somewhat separate from the core Intel ME suite but interacts with it fully. And interestingly, all modern chipsets do have this coprocessor, but it is off by default in consumer SKUs. You can toggle it on with some hackery to the image but I don't really desire out of band management.

I know what Intel says but I've been through the minix binaries and it's quite clear where the core ME binaries (as well as the watchdog) run.

Intel also claimed for years the HAP bit was non-existent. They aren't beyond telling what is, in generous terms, a simplified version of the truth.

Fun fact while we are at it: their RAID solution is run on your primary cpu, too.
You are aware that what you wrote has no sources other than: trust me bro.
You claim to be a researcher, why haven't you edited the wikipedia article citing your published papers yet? What you wrote directly contradicts it, and Intel's documentation. This is a genuine question, not mockery.
 
You are aware that what you wrote has no sources other than: trust me bro.
Yes. I no longer work on this (am employed elsewhere now) but people on this forum remember my work and successes. The threads are still here too, most recently ASrock boards pretty sure.

Feel free to look up my modified images. And if you still don't buy it, tough but not much I can do. I was a researcher who made images, not papers, so nothing to find. But my username is known amongst just about every ME researcher out there, FWIW.

As for why I haven't corrected wikipedia, probably because they'd have to start paying me. I'm a very busy man now.

I don't mean this rude. You are correct to be skeptical. I am just unsure what more I can provide, sorry. Good on you not taking things at face value though. I mean that honestly.
 
Yes. I no longer work on this (am employed elsewhere now) but people on this forum remember my work and successes. The threads are still here too, most recently ASrock boards pretty sure.

Feel free to look up my modified images. And if you still don't buy it, tough but not much I can do. I was a researcher who made images, not papers, so nothing to find. But my username is known amongst just about every ME researcher out there, FWIW.

As for why I haven't corrected wikipedia, probably because they'd have to start paying me. I'm a very busy man now.

I don't mean this rude. You are correct to be skeptical. I am just unsure what more I can provide, sorry. Good on you not taking things at face value though. I mean that honestly.
Alright, I understand. I'm just surprised that nobody from the ME research community wanted to fix the publicly available misinformation on the wikipedia page. Like... literally nobody? There must be tons of PhD students interested in this, willing to score easy points and having the civic duty to fix this.

(But you're not too busy to reply to my posts on this forum tho ;) )
 
But you're not too busy to reply to my posts on this forum tho
Never. TPU is half the reason I have my current job. Besides, it's far too hot to work today:


Wikipedia isn't honestly a haven for firmware researchers. You may try win-raid.com forums. I think plutomaniac could help you. You could also look into if the author of me_cleaner is still about, he may remember my work. May not, too. Hard to say, we didn't talk much (probably why his user handle is escaping me now)

There must be tons of PhD
Nope. I think only one of us finished college. Firmware stuff is reverse engineering galore and colleges don't like to touch it. Too many grey areas.

EDIT: It appears I forgot about this hackaday article on my work on the Taichi boards... something maybe?

 
Never. TPU is half the reason I have my current job. Besides, it's far too hot to work today:


Wikipedia isn't honestly a haven for firmware researchers. You may try win-raid.com forums. I think plutomaniac could help you. You could also look into if the author of me_cleaner is still about, he may remember my work. May not, too. Hard to say, we didn't talk much (probably why his user handle is escaping me now)


Nope. I think only one of us finished college. Firmware stuff is reverse engineering galore and colleges don't like to touch it. Too many grey areas.
All the materials I can find for Blackhat, USENIX point to ME being in the chipset. Even Intel presented that on Blackhat 2019. Maybe the reason you thought Minix runs on the CPU is the fact that it actually runs on a modified i486 embedded into the chipset since Skylake?
Why would Intel lie about this on the biggest security-focused conference?
 
Maybe the reason you thought Minix runs on the CPU is the fact that it actually runs on a modified i486 embedded into the chipset since Skylake?
Actually, that is possible admittedly because the Minix binaries are single threaded. But they also are x64, and I guess the core contention I have is that I find it unlikely they could stuff that in the chipset without a thermal envelope that is unacceptably large. Maybe atom is way better than the old days, I am not really as up to date on architectures as I once was.

Also, spectre style exploits work on protected enclaves, suggesting what is running them indeed is an out of order cpu, at least. Are atoms out of order? I thought they weren't.

I guess I'll back off a little and admit this: anything is possible but I don't find it likely.

Why would Intel lie about this on the biggest security-focused conference?
My only guess is if they are lying, they don't see it as lying. The firmware itself lives in the bios chip which connects directly to the PCH. Maybe they consider that when they say the ME "lives" there. But it's just speculation.
 