Windows 11 TPM Chips: Cramming More Power Into a Smaller Form

The minimum hardware requirements for Windows 11 have thrown most people into a tizzy. The Trusted Platform Module, or TPM, is at the heart of the confusion.

TPM chips perform cryptographic functions that anchor security at the hardware level and verify the authenticity of the system at boot. They also include various anti-tampering measures.

Windows 11 requires every machine to include TPM 2.0 support, either integrated into the CPU or as a discrete chip attached to the motherboard.

The news prompted PC owners to look for information on whether their device supported TPM and, if so, how to enable it in the BIOS. And adding fuel to the fire was the fact that Windows 11 can technically be installed on incompatible hardware.

However, one firm is perplexed by the TPM decision for a different reason. According to Jorge Myszne, founder and CEO of semiconductor startup Kameleon, “TPM is from 2003; it was adequate 20 years ago, but consider everything that has changed in terms of infrastructure over the last two decades.”

“The main challenge is that the TPM is a passive device; while you can store data there and nobody can see it, in order to do something with that data the software needs access. And if the software has access, an attacker can gain access too.”

Firmware security is a hot topic.

Kameleon, a startup launched in 2019 and backed by Xilinx, a leader in programmable SoCs, aims to turn the tables on cybercrime by handing the advantage to the defender. To that end, the firm is developing a device known as a Proactive Security Processing Unit (ProSPU) that it hopes will be able to combat firmware attacks, which are growing in number and sophistication.

“The most common types of attacks take the form of applications that target the upper layers, but these have been fairly successfully blocked,” Myszne explained. “As a result, attackers are becoming more specialized, heading down the stack towards the firmware; attacks here are both difficult to detect and persistent.”

The vulnerability lies in the remote access software used by enterprise networks to connect to devices such as printers and network storage.

The malware is able to compromise these systems through this software, allowing an attacker to gain persistent access.

The danger of attacks of this kind is that software running on the system cannot recognize or stop them.

A system boots in stages: the CPU first loads the smallest piece of code, which in turn loads a larger body of code, and so on until the operating system is running.

“Any compromise that takes place during this process is completely undetectable. Software isn’t even running yet, so it has no way of checking what’s going on,” noted Myszne.

The main issue with security, in his view, is that although it is important, it isn't given adequate attention. His proposed solution is a dedicated device in charge of the security of a system.

Just as a GPU manages graphics and a TPU handles AI workloads, a security processor would be responsible for establishing a “root of trust” by ensuring that all firmware is genuine.

A security processor with dedicated capabilities

Kameleon’s ProSPU aims to address the problems that arise because TPM chips (and equivalent technologies) are passive and rely on software to instruct them. The ProSPU is in control of the system, performing active checks to ensure that each component of the boot process is genuine.
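To make the passive-versus-active distinction concrete, here is a toy model of the staged boot described above, written as an added example (it is not Kameleon's or Microsoft's code and says nothing about how the ProSPU is implemented). It assumes each boot stage embeds the digest it expects of the stage it loads next, with the first digest pinned in hardware; that hash-pinning stands in for the signature verification a real secure boot would use. A passive `measured_boot` only accumulates hashes into a PCR-style register, while the active `verified_boot` refuses to hand control to a stage whose digest does not match. Stage names and the sample images are constructed.

```python
"""Toy model of a staged boot with a hardware-pinned root of trust.

Each stage image embeds the digest it expects of the stage it loads next,
so the whole chain is anchored in one digest pinned in immutable hardware.
Two checkers consume the same chain: a passive measured boot that only
records hashes into a PCR-style register, and an active verified boot
that halts at the first stage whose digest does not match.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                    # the code that would run at this stage
    next_digest: Optional[bytes]   # expected digest of the next stage; None for the OS

    def image(self) -> bytes:
        # What gets measured: the code together with its embedded expectation,
        # so altering either one changes this stage's digest.
        return self.code + (self.next_digest or b"")


def build_chain(boot_code: bytes, loader_code: bytes, os_code: bytes):
    """Link the stages back to front; return (root_digest, stages in boot order)."""
    os_stage = Stage("os", os_code, None)
    loader = Stage("loader", loader_code, sha256(os_stage.image()))
    bootblock = Stage("bootblock", boot_code, sha256(loader.image()))
    root_digest = sha256(bootblock.image())   # the value a hardware root of trust pins
    return root_digest, [bootblock, loader, os_stage]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register only ever accumulates, never resets."""
    return sha256(pcr + digest)


def measured_boot(stages):
    """Passive recorder, like a TPM: measures every stage, stops nothing."""
    pcr = bytes(DIGEST_LEN)
    for stage in stages:
        pcr = extend(pcr, sha256(stage.image()))
    return pcr


def verified_boot(root_digest: bytes, stages):
    """Active checker: verifies each stage before handing control to it.

    Returns (ok, names of stages allowed to run, name of the stage halted at).
    """
    expected = root_digest
    ran = []
    for stage in stages:
        if expected is None or sha256(stage.image()) != expected:
            return False, ran, stage.name
        ran.append(stage.name)
        expected = stage.next_digest
    return True, ran, None


# Constructed sample images; real stages would be firmware binaries.
GOOD_ROOT, GOOD_CHAIN = build_chain(b"bootblock v1", b"loader v1", b"os v1")
GOLDEN_PCR = measured_boot(GOOD_CHAIN)   # reference value a verifier would keep


def tampered_chain():
    """The same chain with the loader code altered (constructed tampering)."""
    bootblock, loader, os_stage = GOOD_CHAIN
    bad_loader = Stage(loader.name, b"loader v1 + implant", loader.next_digest)
    return [bootblock, bad_loader, os_stage]


if __name__ == "__main__":
    ok, ran, halted = verified_boot(GOOD_ROOT, GOOD_CHAIN)
    print("clean chain   :", ok, ran)
    ok, ran, halted = verified_boot(GOOD_ROOT, tampered_chain())
    print("tampered chain:", ok, ran, "halted at", halted)
    print("PCR differs   :", measured_boot(tampered_chain()) != GOLDEN_PCR)
```

The contrast is the article's point: with the altered loader, `measured_boot` still runs every stage and only leaves a mismatched PCR behind for someone to notice later, whereas `verified_boot` stops at the loader and never lets the modified code execute.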

Myszne claims that several chips on the market already do their own secure boot, but that nothing else available “pokes around in all of these areas.” In addition to establishing this root of trust, the ProSPU provides cryptographic services to programs (such as key generation and management), as well as runtime security for detecting and preventing attacks.

The ProSPU sits beneath the OS, out of an attacker’s reach, and has direct access to memory. Because it doesn’t rely on APIs for that access, the company says, an attacker can’t infect it.

“The first thing an attacker does is attempt to understand the system and defences. In this case, the defence is running on a different system entirely, with direct access beneath the software,” said Myszne.

“The attacker doesn’t know what’s going on and now needs to attack the system without an understanding of the defences. And because attackers don’t like risk, they will go elsewhere.”

Hardware security’s future

Asked whether he thinks Microsoft made the wrong call in requiring TPM 2.0 support for Windows 11, Myszne said it did.

“If I was working on an enterprise-level operating system, then yes, but for a generic OS like Windows it’s a big bet, because there will be problems,” he said.

“Usually, TPMs are disabled by default, because they are difficult to manage; you need to know what you’re doing or else risk bricking your computer. How many people know how to fiddle with the BIOS safely?”

While Myszne agrees that a TPM is preferable to no protection at all, he believes the combination of a poor user experience and an insufficient degree of security makes the requirement more trouble than it’s worth.

“The system is not a single chip device as it used to be 20 years ago. We need hardware security infrastructure to evolve for the needs of today, as well as the needs of the next five to ten years.”

Kameleon predicts that the ProSPU’s alpha version will be released by the end of 2018, and that it will be in servers by H1 2022. Although data center applications are most at risk because of the concentration of security concerns there, Myszne believes ProSPU-style hardware will soon filter down into the consumer, industrial, and automotive markets.

“There’s a lot to defend out there,” he said.