Account for TPM single profile vs multiple TPMs and other TPM featuresets

[verdy-p]

Windows 11 wants a TPM2 on the PC. But even if it is present, and detected (in TPM.MSC), and active, and owned, and provisioned by the BIOS, it still alerts us that it is not working (notably for Bitlocker that fails to start on disks that were encrypted in Windows 10 with Bitlocker using the TPM2 chip).

This is a current bug of Windows 11 that affects:

• its new compatiblity check program (PC HEALTH CHECK) on Windows 10 prior to the installation
• the "new" WMI-TPM component used in Windows 11 at runtime (including for Bitlocker)
• the "new" UEFI boot preloader (bootloaderfw.efi) and bootloader (bootloaderfw.efi)

All these "new" components have NEVER been tested by Microsoft on something else than virtual machines and some "new" (but very basic) tablets/notebooks. They all have in common the fact that there's NO real TPM2 device in them: virtual machines use a virtual TPM featuring limited capacities with a single profile with a single set of PCRs registers (and for Windows 11 compatibility, this single profile should support ONLY the "SHA256" hashin algorithm.

This is a clear deviation of the TCG standard for TPM2 which has always allowed for

• the presence of multiple TPM devices, or
• even multiple "profiles" in the same TPM device, with distinct sets of "PCRs" registers, one for each profile depending on the hashing algorithm used in the selected profile.

With TPM1.2, there was only a single profile allowing a single bank of at least 24 registers (each one storing a 20-byte SHA1 hash). As well it described a legacy "FIFO/TIS" interface for use by applications or OS.

With TPM2.0 the specifications (signed years ago by at least two successive engineers from Microsoft) specified multiple banks (the reference opensource implementation made by TCG named "TSS" specific 3 banks and at least 2 profiles, each bank using larger sets of PCR registers). TPM2.0 also deprecated the "FIFO/TIS" interface (without forbidding it) in favor of the newer "CRB" interface (allowing commands to be placed in several queues and run asynchronously on the TPM device, for stronger resistance to time-based side-channel attacks, notably when using stronger or more expensive algorithms, such as the generation of security keys).

All this TPM2.0 was working in Windows 10 and still works with Windows Server 2019 (or even in Windows Server 2022 beta).
It no longer works at all with Windows 11 (Dev channel), because the "new" code (listed above) is clearly unfinished and in fact is broken and gives FALSE hints to users.

In fact the PCs one which the PC-HEALTH check program say they are "Compatible for Windows 11" will sooon be incompatible with it (because they will need more PCRs banks): these are the "new" PCs (tablets or thin notebooks) made by some chinese manufacturers at low cost (these manufacturers did not want to embed a real TPM chip on these devices: they asked to Intel and AMD to provide a "firmware TPM" on their CPUs, but almost all existing CPUs that have a "fTPM" have implemented the strict minimum needed: a single TPM2 bank of PCRs registers, and using only SHA256.

The PCs that currently pass this check will NOT pass the test later if they can't be upgraded with a real TPM. And already there are newer (more costly) series of CPUs that provide multiple PCRs banks ni their TPM2 firmware, and multiple profiles with more algorithms supported. These newest CPUs currently do not pass the BROKEN win11 compatibility check.

Microsoft has given false hints to users. The PCs that don't pass the test are NOT outdated, those that pass it are ALREADY outdated.

There are interesting events in the Event Viewer (in the "System") category: lot of these events are spammed now in Windows 11, where Windows (from the initial boot in UEFI, then during the OS loading, and then every secod after the boot when the OS is loade) attempts to extend hierachies of keys by compting SHA256 hashes and trying to import them in the TPM but not in the correct PCR bank: it uses the 1st bank of PCRs without checking its type by looking at TPM capabilities, and in fact attempts to replace SHA1 hashes by SHA256 hashes in the incorrect profile.

All real TPM2.0 chips have at least 2 banks for 2 profiles:

• the 1st bank is for SHA1 hashes (that Windows 11 no longer supports) and is to be used for legacy apps or OSes that used only TPM1.2 under the legacy FIFO/TIS interface.
• the 2nd bank is for SHA256 hashes (those that Windwos 11 requires now) but Windows 11 is not able to use this 2nd bank. As well Windows 11 has (currently) removed the support of the newer CRB interface.

With the next version of TPM (3.0) there will be larger banks and more complex hierarchies. A true implementation of TPM2+ in Windows 11 is a must have that Microsoft ignores. MS gives false information to users because it does not want to admit its own bug: the problem is really in Windows 11, it affect most machines (and soon will affect ALL of them, including more modern CPUS with more TPM2 capabiltiies and featuring more banks, notably in CPUs for use in servers of container-based applications; servers hosting VMs with an hypervisor are not affected for now because each VM implement their own single virtual TPM2 and you'll be able to configure the virtual TPM capabiltiies inside the hypervisor settings), and NOT a problem of the CPU or the UEFI BIOS, or of the TPM chip.

So it should be good if your tool was getting the real TPM2 capabilities, and notably:

• the number of PCRs banks, and the hashing algorithm (SHA1 or SHA256, possibly others) assigned to each bank,
• which PCR bank is current selected by Windows (for now only the 1st one in Windows 11 or in the PC-HEALTH check program)
• identifying the TPM module used (optional but needed if there are multiple TPM devices enabled, notably on the newest PC where the fTPM in the cPU may be enabled, and the "discrete" hardware TPM chip would be enabled as well).

For now you just display the TPM version (without identifying which TPM device is used)

This can be done using "TpmDiagnostics.exe" (a "feature on demand" in Windows 10/11) from an administrator command line or Powershell: "TpmDiagnostics PrintPCRs". You can as well use "TpmTool.exe" (preinstalled in Windows 10/11) which performs a few less tests (but is translated in the results with its MUI, depending on the UI language installed and user preferences, whereas the newest FOD "TpmDiagnostics" tool is still not translated and displays results only in English for now).

But note that if you use the WMI interface, this will fail in Windows 11 (the new "TPM-WMI" component is broken). The two tools above do not need WMI and properly diagnose the TPM device reading properties via the device driver.

[rcmaehl]

Thankfully I'm not using the WMI TPM component by default as it required admin rights. To minimize program privilege I switched to a different detection method. The check is still there if running as an administrator, but I'll look into removing it since the TPM WMI module is broken.

[verdy-p]

Yes but for diagnosis, knowing that there are multiple TPMs or multiple PCR bna,ks in different profiles, each one with different hashing algorithm, and knowing which bank is selected by default in Windows 11 is important: it explains the bug (and why the PC-Heath compatiblity tool by Microsoft is wrong and currently gives false instructions to users.
Our machines, or BIOS, or TPM devices have no problem, Microsoft needs to fix its own TPM implementation (which declares "compatible" some recent machines that will in fact NOT be compatible with stronger security requirements due to severe weakness in their "fTPM": all those machines will need later either an even newer processor replacement (featuring more banks) or plugging in a true TPM chip (and disabling their fTPM in the BIOS!)
And it's the reason why the "fTPM" in those machines are disabled by default in these BIOS: this "fTPM" in those few new CPUs is just a weak fallback in absence of a real TPM2 chip (all of them have at least 2 banks, one for SHA1, another for SHA256, and Windows 11 just incorrectly selects the 1st bank for their attempt to store a SHA256 hash in theirPCR registers, and of course it is perfectly normal that this fails with TPM errors)! So Windows 11 for now is ONLMY compatible with few tablets and ultrathin notebooks having a weak and very limited fTPM built in their "new" CPU !

All users will soon need a true TPM with multiple banks, and using the CRB interface (no longer the legacy FIFO/TIS interface which was sufficient with only one bank).

An alternative is to install "Windows Server 2019 Hyper-V" first (it is free with an unlimited licence), and then install Windows 11 as a VM inside this version of Hyper-V (enable the "virtual TPM" support when creating a "Generation 2" VM for Windows 11, it works in the guest OS because the "virtual TPM" implemented uin the hypervisor currently allocates a single virtual bank). The default Hyper-V core engine inside Windows 11 (and in its UEFI boot loader) is broken, but Windows Server 2019 Hyper-V (release version) works ! This just shows that our machines are fully compatible.

Users may also want to test "Windows Server 2022 Hyper-V" from the Dev channel: I don't know if it allows extending the "virtual TPM" to offer more PCR banks (as required for future TPM and future OSes).

But visibly the Hyper-V core engine built in the Windows 11 Dev channel is unfinished and broken (and still depends on ongoing works pending for Windows Server 2022): Microsoft removed some necessary code just to test Windows 11 and target a few new machines (mostly tablets and ultraportables without any hardware TPM but just the weak fTPM in some very limited ranges of CPU by Intel, AMD or Qualcom, and already not working with Intel Gen10+ processors).

Tell users to not waste their PC! And not buy new hardware for now. In fact the PC where Windows 11 currently works will need an hardware upgrade to be compatible later (and won't be supported) if you can't plugin any real TPM chip on them, or will need to disable again the fTPM to use the real TPM chip if the fTPM inside the CPU is limited to one bank; hypervisors will also need to be updated to change their virtual TPM settings in the VM to offer more PCR banks, but this will also not require any hardware change, just a software change or sttings in the hypervisor!

All this may explain why now Microsoft no longer offers users the opportunity to use their "PC-Health check" program and why it no longer accepts newcomers to the Windows Insiders program (which is on hold). In fact it has also removed almost all requirement list about supported CPUs and even indications about TPM: Microsoft still does not now how to direct the users with correct information.

And as all this seems related to the ongoing parallel development of Windows Server 2022 (and the next version of Hyper-V), I have serious doubts that Windows 11 will be commercially available this fall, or even before mid-2022 (when Windows Server 2022 will be more advanced, including support for the next generation of TPM3.0 which should come soon, supporting new hierarchies of events, logs, many more banks and profiles, and using multiple TPM devices both hardware and sofware in a complex hierarchy)

The current TPM2.0 specs and the TSS refefence implementation by TCG suggests already that there should be at least 3 banks, 3 profiles and at least 48 registers per bank, where TPM.12 and TPM2.0 requires just 1 bank and 24 registers per bank, in which Windows for now does not need more than 16 registers in a single bank and in a single profile for a single hashing algorithm).

For "Secure Boot", the UEFI BIOS just need to set the 8 first PCR registers in one TPM bank (not all of them), in the selected TPM profile specified in BIOS parameters. Other banks should be left intact and are to be used by other applications or could be used after boot inside the OS, e.g. to implement hypervisors to host many VMs (for different guest OS instances with hardware support instead of using a virtual TPM weakly protected inside the hypervisor), or a server for containers (such server will require LOT of TPM banks!).

Hardware TPM support may not jsut be inside processors or in a dedicated chip plugged on a bus of the motherboard. It may be integrated in other devices, notably in storage (inside SSD for example, or flash cards, or USB keys), in graphics cards, in dedicated USB security keys, in other specific security devices (e.g. finger print readers, or other biometric sensors), or via secure network services deployed in organizations. TPM is a comme specification allowing many implementations provided they use one of the two supported interfaces: "FIFO/TIS" (legacy, was the only one in TPM1.2) or "CRB" (strongly recommanded now since TPM2.0... but still not used by Microsoft in Windows, except possibly in the next version of Windows Server 2022)

As well, even if your TPM2 module is enabled (it should be working on all machines with CPUs that support AMD "FTM" or Intel "TXT" or Intel "PTT" or Intel "vPro") you still need to enable the IOMMU ("VT-d" on Intel machines) and enable virtualisation, and enable the SHA256 profile and other security mechanism by activating "Intel TXT/PTT/vPro" on those machines. Otherwise the UEFI BIOS will only prepare the TPM1.2 profile of the TPM2 chip and all attestations will be made using SHA1 (this works in Windows 10, but this is weaker) and under the FIFO/TIS interface.

You may also need to specify in the UEFI BIOS other parameters controling the secure boot model (e.g. legacy Linux, Windows 8+, Windows 8+ WHQL; there's no other specific model documented by Microsoft for Windows 10, Winows 11, or Windows Server). With the "WHQL" security model, all UEFI boot components must be digitally signed and with a WHQL signature, otherwise these UEFI components are disabled at boot time. With the non-WHQL model, other UEFI components may be loaded provided they are digitally signed an endorsed by a certificate key added in the TPM during its preparation.

Microsoft still does not document clearly how it supports the TPM 2.0. Microsoft signed the TCG standard specs, but did not implement it correctly for now in Windows (partially correct in Windows 10, Server 2019 and Server 2022 Dev channel, but incomplete, now completely wrong in Windows 11 Dev channel).

But Intel, AMD, Qualcomm (and Hyagon in China) have done their job (since years!). As well as almost all serious Linux and free BSD distributions (supported by Google, Oracle, IBM, Redhat, Ubuntu...) or hypervisors (vmWare, Citrix...), or cloud solution providers (Amazon, Google, including Microsoft Azure!, or personal clouds based in Linux), or other proprietary Unix systems (notably on large computing grids and "supercomputers"). Once again, Microsoft (also Apple in MacOS and iOS) is very late and lags behind the industry in Windows (just like it was the case for all web standards) !

For now, all we can see is that Microsoft just borrowed some limited components made for "Wndows 10X" (an abandonned project that was just made for a single costly dual-screen tablet from Microsoft and not used anywhere else) by rebranding and announcing them as "Windows 11" (trying to fil a gap left by a development of Windows Server 2022 which has lagged too long). But this is not serious because this 11th version is a severe regression in many ways compared to Windows 10 (the only positive evoltuion is a better Settings panel, but it's also still unfinished, and jsut continues something that was alsdo not finished in Windows 10: in Windows 11, there are still legacy Control Panels, legacy Event Viewer with new bugs, and many defects in terms of security compared to ALL branches and versions of Windows 10.

Windows 11 should not say that PCs are not compatrible with it, just that PCs are not compatible with that limited preview of Windows 11 (and I bet there will never be any commercial release of Windows 11 before 2022 or even later, after Windows Server 2022 will have been seriously tested) and that the test currently just focuses on the user interface, and not at all the core of the system

And for that I think we should have NEVER used Windows 11 Dev Channel as an upgrade from a native Windows 10 installation, but should use Windows Server 2019 Hyper-V instead, to host Windows 11 Dev in a VM, where we'll upgrade a Windows 10 VM! so we should create a VM image of the current Windows 10 installation, then install Hyper-V 2019 and remount two separate Windows 10 VM, and migrate only one.

Microsoft made a severe error: Windows 11 Dev should have NEVER replaced Windows 10 Dev, except for installations as a VM inside Windows Hyper-V 2019. And Microsoft should have helped people to prepare to Windows 11 by first converting their native system to a VM inside Hyper-V 2019.

Or should have explained that Windows 11 was only for testing the UI, not the OS, that it was fundamentally UNSECURE, and that people should keep a backup of Windows 10.

Microsoft should have kept the Windows 10 Dev branch active instead of closing it and replacing it prematurely by Windows 11 Dev (now also closed for legal newcomers and left on hold, creating a new security nightmare with unofficial hacked copies of Windows 11 circulating on the Internet !)

I urge Microsoft to change its strategy and offer people a way to rollback safely to Windows 10 or assist them to convert their Windows 11 to a VM hosted on top of Hyper-V 2019 (which is really more secure). Then people will see that their machine runs, but does not have the performance expected for this demo test of the Win11 UI (in fact the UI initially made for Windows 10 "X", which was abandoned like also Windows 10 "S" !). All the rest in Windows 11 is fake, or should have been in Windows 10 since long (notably the complete integration in the Settings panel, not finished after 10 years and still not in Windows 11 Dev!).