Bitlocker - fTPM vs. dTPM - explaining differences when it comes to changing mainboards

McKnife (Author)

Asked:
I hope to see experts answering that are familiar with fTPM technology like Intel PTT in connection to bitlocker.

In our IT world, so far, we have only relied on discrete TPM ("dTPM") modules. Since all new mainboards offer fTPMs, we are doing a little research whether this can be used as securely as the normal TPM. What I would like to look at in this question is a single aspect of this comparison dTPM/fTPM:

1 With a dTPM, when an attacker steals a bitlocked hard drive (TPM+PIN) and connects it to a different system, bitlocker would immediately ask for the recovery password.
vs.
2 With an fTPM (say Intel PTT), when an attacker steals a bitlocked hard drive (fTPM+PIN) and connects it to a different system that also has Intel PTT active, bitlocker would not ask for the recovery password but allow you to start the system if you know the PIN.

So from what I gather, the fTPM is software only, and although it relies on having Intel PTT hardware in this case, it is not a part of the mainboard, but is part of the hard drive contents.

Can someone confirm this and tell me what part is responsible for validating the PBA PIN?
------

Why I ask: I tried this here in our lab and was surprised that you can simply move hard drives around from one board to another (same model) as long as Intel PTT was active. Before trying, I had thought that fTPMs would have the same "problem" as dTPMs: when the old mainboard dies, you will have to provide the recovery password - but I was wrong.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Not exactly answering, but I do have a comment, though:
IMHO this is a breach of trust. One expects the drives to be bound to the system, not disks being transportable.
BTW, you did get that there are some dTPMs that have security flaws in that they can bleed the stored keys.
Also, fTPMs had a flaw; Intel claimed it had been fixed. https://thehackernews.com/2019/11/tpm-encryption-keys-hacking.html

BTW here is an article on sniffing data from TPM: https://pulsesecurity.co.nz/articles/TPM-sniffing
a specific fTPM presentation: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/raj
(also describing limitations; I expect you already got those, BTW).
McKnife (Author)

Commented:
Hi.

Please, no general info. I know these flaws.
"One expects the drives to be bound to the system, not disks being transportable." - That's the question. Is it the same for fTPMs or not? Practice shows that it's not, and that I don't understand.
noci

Commented:
I could find few resources on this. Asus claims in the Intel PTT Activation document that the protected storage is stored in NVRAM, thus still binding it to the board. Most documentation carefully avoids showing implementation details.
Intel PTT is part of the ME firmware blob put into the CPU by the firmware, according to the Intel doc.

So all data & code concerned SHOULD come from NVRAM on the mainboard. The ASUS article specifically mentions that one should save the rescue information on creation, because disk contents etc. might get lost if the mainboard fails.

So IMHO the bitlocker disks should be tied to the system's mainboard.

McKnife (Author)

Commented:
Well, this would mean I am seeing totally flawed behavior. I cannot imagine that, since firmware TPMs are nothing new; they are being used widely, and people would have stumbled across this flaw pretty soon.

So I rather think, there is something fundamentally wrong about what I think an fTPM consists of.
noci

Commented:
Here is the link to the Asus example: https://www.legitreviews.com/how-to-enable-bitlocker-with-intel-ptt-and-no-tpm-for-better-security_211713      (2nd screenshot.)

They say it is stored in the ME data area (like Intel does), and they talk about the ROM BIOS chip...
Compaq did have systems in the past that loaded the regular BIOS from a hard disk partition...; if that also is the case on your platforms, that may explain things.
McKnife (Author)

Commented:
My platform does not load the BIOS from the disk. It is an ordinary machine, self-assembled and installed.
Will read the doc.
McKnife (Author)

Commented:
That legitreviews thing is not helpful. The screenshot in there from the ASUS BIOS shows that ASUS themselves haven't understood it:
Intel® PTT is a hardware TPM 2.0 implementation integrated in Intel® ME/CSMETIXE for credential storage and key management. The firmware TPM key will be stored in Intel® ME data region once you enable Intel® PTT and Windows® BitLocker for drive encryption. Please note that when the recovery key is lost or when the BIOS ROM chip is replaced, the system will not boot into the operating system and the data will stay encrypted and cannot be restored.
1st, that's wrong, as you can see the system boots on another mainboard, and 2ndly, calling it a hardware TPM implementation is not correct, either.
noci

Commented:
Some envision the ME as a separate hardware implementation, YMMV; some CPUs have a separate RISC system running the ME, on others it is the core CPU.
Correct is that it is in the ME blob, which is also what Intel claims on their site. Q = Where is the ME data region... in NVRAM (should be a chip) or on disk... (a sector emulating an NVRAM)?
You have a valid and interesting question. And the information is inconclusive and confusing at best.
McKnife (Author)

Commented:
I contacted Asrock and we reviewed it together.
Thing is, if you insert a USB key with a startup key on the first reboot after the mainboard change, somehow bitlocker allows you to work with the same fTPM PIN afterwards. AsRock wrote me:
got feedback from headquarter/AMI. They say it is correct/normal:

Because the fTPM existed on two platforms and has the same codes.
That is why, when changing to a different same-type platform, the system is still able to boot once the original PIN is inputted.
Hmm, ok, if that's expected behavior, I am ok with it and would choose this as my solution.
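A practical check to go with the lab test described in the question and the board swap discussed above. This is an added example for this thread, not code from the poster, AsRock or AMI. It records, on the source board and again on the target board, which kind of TPM Windows sees (by manufacturer ID), which BitLocker protectors the OS volume has, and which PCR validation profile the TPM protector is sealed to, so the dTPM/fTPM comparison can be repeated deliberately rather than by surprise. Assumptions: Windows with the BitLocker and TrustedPlatformModule PowerShell modules, English `manage-bde` output, and the vendor-ID list (`INTC`, `AMD`) is my own guess at which IDs mean a firmware TPM; extend it for your hardware.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not the poster's or a vendor's code.
# Inventories the TPM kind and the BitLocker OS-volume protectors so the
# dTPM/fTPM board-swap test above can be repeated on your own machines.
# Assumptions: BitLocker + TrustedPlatformModule modules present, English
# manage-bde output, and the vendor-ID list below is a guess to extend.

# TPM manufacturer IDs taken to mean a firmware TPM rather than a discrete chip
# (assumption: INTC = Intel PTT, AMD = AMD fTPM; IFX, STM, NTC etc. = discrete).
$script:FirmwareTpmVendors = @('INTC', 'AMD')

function Get-TpmKind {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { return 'none' }
    # ManufacturerIdTxt is a short vendor string, sometimes NUL or space padded.
    $id = "$($tpm.ManufacturerIdTxt)".Trim([char]0, ' ')
    if ($script:FirmwareTpmVendors -contains $id) { return "firmware ($id)" }
    return "discrete or unknown ($id)"
}

function Get-OsVolumeProtectors {
    $vol = Get-BitLockerVolume |
        Where-Object VolumeType -eq 'OperatingSystem' |
        Select-Object -First 1
    if (-not $vol) { throw 'No BitLocker-managed OS volume found.' }
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = "$($vol.ProtectionStatus)"
        ProtectorTypes   = ($types -join ', ')
        HasTpmPin        = ($types -contains 'TpmPin')
        HasStartupKey    = ($types -contains 'ExternalKey') -or
                           ($types -contains 'TpmStartupKey') -or
                           ($types -contains 'TpmPinStartupKey')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
    }
}

function Get-PcrValidationProfile {
    param([string]$MountPoint)
    # manage-bde prints the PCR list on the line after "PCR Validation Profile:".
    # Assumption: English-locale output; adjust the label for other languages.
    $lines = @(& manage-bde -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    $profiles = @()
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            $profiles += $lines[$i + 1].Trim()
        }
    }
    return $profiles
}

$tpmKind  = Get-TpmKind
$vol      = Get-OsVolumeProtectors
$profiles = Get-PcrValidationProfile -MountPoint $vol.MountPoint

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    TpmKind          = $tpmKind
    Volume           = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = $vol.ProtectorTypes
    PcrProfiles      = ($profiles -join ' | ')
} | Format-List

# The caveat raised in the thread itself: have a recovery password (or a
# startup key) escrowed before any board swap, whatever the TPM kind is.
if (-not $vol.HasRecoveryPwd -and -not $vol.HasStartupKey) {
    Write-Warning "No RecoveryPassword or startup-key protector on $($vol.MountPoint): back one up before swapping boards."
}
# A TPM-only protector unlocks with no user input at all; the thread's test used TPM+PIN.
if (-not $vol.HasTpmPin) {
    Write-Warning "No TpmPin protector on $($vol.MountPoint): the volume unlocks without a PIN wherever the TPM protector validates."
}
```

Run it once on the original board and save the output, then again after the drive has been moved and unlocked on the replacement board: comparing the `TpmKind`, `Protectors` and `PcrProfiles` lines for the two runs tells you whether the protector set or the sealed PCR profile changed across the move, which is the evidence to attach when you ask a board or firmware vendor to confirm the behaviour AsRock/AMI described.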
noci

Commented:
Oh ok. No problem with choosing your solution.
McKnife (Author)

Commented:
Self-solved
