Windows Vista’s Full Volume Encryption & TPM, part 6: more oddball TPM 1.2 links

Semi-random links to information I’ve used as reference for some of my rambling thoughts…

Whew! Now back to your regularly scheduled surfing.

Windows Vista FVE in the news

The enterprise edition of Vista will have a feature called “BitLocker” that can encrypt systems that have an optional security chip.

The feature debuted Monday on a test version of Vista that Microsoft released to get feedback from software developers and customers.

“So essentially if a machine is lost … it renders it useless to whoever steals it or takes it from them,” said Shanen Boettcher, a senior director in the Windows group.

Commentary: This further supports the idea that FVE will only be available to those customers who license the Enterprise edition of Windows Vista. Will this be available to the consumer? I would suspect not, based on Microsoft’s history and its planned set of SKU’s:

  • the Enterprise editions of Windows (2000, 2003) in the past haven’t shown up on the shelves of retail stores
  • What with plans for SKUs such as Windows Vista Home Basic, Windows Vista Home Premium and Windows Vista Ultimate – all presumably oriented for the consumer market – I personally doubt there’ll be room in the OEM lineups for a fourth SKU directed at their consumer market.
  • Previous rumours indicated that the Vista Enterprise edition will only be available to Microsoft customers who have signed up for (the not inexpensive) Software Assurance plan, which is definitely not something consumers (or even small/medium-sized businesses) can usually afford.

However, I feel obligated to point out that the (obviously out-of-context) quote from Shanen Boettcher seems pretty misleading/overreaching in its current form. If I’m interpreting correctly, the “BitLocker” feature is nothing more than Secure Startup (SSU)/Full Volume Encryption (FVE).

While SSU does make it more difficult to discover on-disk secrets and sensitive data files, its mere presence or default configuration hardly makes the machine or its data “useless to whoever steals it”. So long as the disk contents remain undisturbed, the simple configuration of SSU will allow Windows to boot up and allow an attacker to attempt to access its data (e.g. via console logon, network logon, shares access, unpatched vulnerabilities, previously-installed malware, or other as-yet-unimagined attack techniques).

Seems it’s time to discuss the Full Volume Encryption technical whitepaper that’s available for download – make sure we’re all understanding it the same way (or not), and raise the obvious questions worth asking.

Windows Vista’s Full Volume Encryption & TPM part 5: does FVE require a TPM or not?

Tonight I stumbled on a rant that quoted a Microsoft web site around various Vista features including Full Volume Encryption (FVE). The stunning thing for me was the following quote (emphasis mine):

“Windows Vista supports full-volume encryption to prevent disk access to files by other operating systems. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip. The entire system partition is encrypted-both the hibernation file and the user data. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip, if one is available on the PC.”

Did I read that right? Does this mean that FVE can actually encrypt the entire system partition whether there’s a TPM 1.2 chip on the system or not? Presumably if this is true, the key to encrypt the volume is stored in the 50 MB partition that is required to store the pre-boot partition that supports FVE. That is, the key is stored in software.

So how does this improve upon what’s available in Windows XP? Frankly I don’t know right now, but I can take a couple of educated guesses. Presumably the Secure Startup sequence requires a user-supplied password before it can decrypt the Vista system partition, so this means there’s yet another password for an attacker to have to brute-force.

However, I gotta wonder whether a software-based Secure Startup boot password is any different from a SYSKEY boot password – no complexity requirements, never needs to be changed, and impossible to manage [pretty much by design] over a large population – how do you archive and recover such a boot password? If so, then this is a just as dangerous/difficult to manage a security control as SYSKEY is.

OK, so I got excited there for a sec, but on further reflection, maybe this isn’t any better than we had before. In fact, it’s even scarier: what if I forgot my Secure Startup boot password, and its encryption key was stored in software? What do I do then? Presumably ALL my data is encrypted with that key (now irretrievable); whereas with SYSKEY I lost the OS but presumably could recover my data, now I’ve lost both the OS and my data. Ugh, sounds pretty gross to me.

I think I read about some capability to archive the encryption key used by Full Volume Encryption, but I’ll have to dig around to confirm (a) if it’s true, and (b) how it works. Until then, consider this entire sub-rant one man’s opinion, no more.

TPM 1.2 hardware news: integrated chipset launched for AMD K8 systems

Note that ULi had desktop motherboard vendors lined up at the launch event, but not PC system OEMs for desktops or notebooks. Between this and the fact that the chipset is aimed at AMD (not Intel, which still appears to be the CPU vendor used most of the time by most OEMs) I don’t believe this will have a major impact on the business market. However, it’ll definitely help get the next-gen TPM hardware into the hands of many consumers and small organizations.

That’s just a good thing, no matter whether the TPM technology helps secure PCs via Linux, Windows-based third-party TSS apps or via the Windows Vista Secure Startup feature. Personally I’m just happy to see increased uptake of the TPM hardware by PC technology vendors.

Categories TPM

Dell licensed TSS from Wave Systems – soon shipping TPM-enabled notebooks?

Not often we get a public hint of upcoming release plans from the computer vendors like this, but it looks like Dell has made a stronger commitment to the TPM wave that is catching fire with most major computer vendors.

Dell has added TPM chips to a couple of desktops, but has consipicuously been missing anything on their portables. I’m hoping we’ll see a notebook (and maybe a Tablet?) come out from Dell real soon now that has a TPM chip. Even better, since Dell has delayed all this time, perhaps they’ve been holding out for a production-ready TPM 1.2 chip…?

Gateway stole a leadership position from Dell by releasing their 14″ widescreen Tablet before Dell had a chance to reach that market. Of interest to me was their forward-thinking inclusion of a TPM 1.2 chip as well. Let’s hope Dell is readying a catch-up response to this, and that they’ll blow us away with TPM 1.2 chips across all their new systems from here on out!

Categories TPM

Windows Vista’s Full Volume Encryption & TPM, part 4: available PCs that include TPM 1.2 chip

[Edit: corrected the Broadcom adapter model #, and removed the listing for the Dell Precision 380 Workstation, which turns out to only have a TPM 1.1b chip via the Broadcom BCM5751 chip.]

Since I only talked about Tablet PCs in part 2, I figure I owe it to the community to collect together a listing of any and all shipping PCs that include a v1.2 TPM chip.

What follows are all Servers, desktops, notebooks and Tablets that I could confirm currently include a TPM 1.2 chip:

none to date

Desktops & Workstations
Dell Optiplex GX620
Gateway FX400XL (via Broadcom NIC referenced here)
Gateway FX400S (via Broadcom NIC referenced here)
Gateway FX400X (via Broadcom NIC referenced here)
Gateway E-6500D SB (via Broadcom NIC referenced here)
HP Compaq Business Desktop DC7600 (via Broadcom NIC)
Vector GZ desktop

Gateway M250 Series
Gateway M460 Series
Gateway M680 Series

** HP TC4200 [THEORY: the TPM is an orderable part (Part #383545-001, $42.00 list price), which implies that it’s a removable/replaceable part (and thus that a TPM 1.2 chip could be swapped in later), but this is only an unconfirmed theory on my part] **

Gateway M280 Series

Bonus 1: Add-on Components
Broadcom BCM5752 & BCM5752M network controller chips (which has an integrated TPM 1.2 chip)

Bonus 2: Linux drivers
Linux driver with support for Infineon’s TPM v1.2 chip

And again, don’t forget to check Tony McFadden’s TPM Matrix. NOTE: I only used Tony’s TPM Matrix to start my search – I haven’t copied any entries without external confirmation, so there may be disagreements between our pages. When in doubt, remember that unless I could confirm a TPM 1.2 chip was included in a PC system, I did not list that system here. Tony’s page is meant to be more comprehensive, so he lists both PC systems with TPM 1.1 chips as well as those with unknown chips or which haven’t been confirmed to include a TPM chip.

P.S. Do you know of any other PC systems shipping a TPM 1.2 chip? If so, add your comment below!

P.P.S. What have I learned in my searches for TPM 1.2-integrated PC systems? Here’s a couple of tips that may be helpful if and when you off on your own search:

  1. If the spec sheet only mentions non-version-specific phrases such as “TPM chip”, “TPM Embedded Security Chip” or “the TCG standard” [emphasis mine], you can and should assume that the chip is a TPM 1.1 chip. Anytime I was able to confirm a TPM 1.2 chip, the PC system vendor made specific and repeated mention of the 1.2 version number. [Apparently this is a big differentiator, though few if any references on the Internet have clarified why.]
  2. If you are looking into a PC that was shipped before Summer 2005, you can rest assured that it did NOT ship with a TPM 1.2 chip, since the TPM chip vendors didn’t have production chips on the market until at least mid-summer of 2005.

Windows Vista’s Full Volume Encryption & TPM, part 3: links & background reading

Paul Thurrott indicates that FVE will appear in Enterprise & Ultimate editions of Vista:

Bart DeSmet digs in deep on EFS, TPM, Secure Startup and more:

David Berlind speculates on possible incompatibility between Vista/TPM & virtual machine technology:

George Ou shines light on a potential key export “backdoor” for FVE, and his ideas on why smartcards would be an ideal FVE key storage mechanism:

William Knight vaguely alludes to some proprietary algorithms used in FVE that could lead to “a possibility of in-memory attacks for keys.”

David Berlind speculates again on a possible use of the TPM by Windows Product Activation (totally unconfirmed at this point):

An out-of-date but still “best there is” collection of TPM-related hardware, software and integration information:

And last but not least, Microsoft’s Technical Overview of FVE: