
Article Number: 000222428


Dell Response to TPM Interposer BitLocker Research

Summary: Dell Response to TPM Interposer BitLocker Research

Article Content


Issue Summary

Researchers have demonstrated the ability to intercept and extract BitLocker keys as they are sent over the bus between the CPU and the discrete TPM on certain PC models. Researchers used physical access to the electrical traces on the system motherboard and specific knowledge of the layout and routing of the target PC to perform their demonstrations. Dell commercial PCs use a discrete TPM, and this article describes the degree to which Dell’s implementation of Microsoft’s BitLocker in Dell commercial PCs may be susceptible to this attack method.

Details

The attack techniques described in the referenced research are not specific to Dell. They require a skilled attacker with direct physical access to signals inside the chassis. In addition, each attack must be crafted for both the PC vendor and the particular model, which can take significant research and effort for each target. The techniques could affect a limited number of systems, assuming a valuable target and a motivated attacker, but PC designs change frequently, so the techniques offer no broad applicability or scale.

Physical attacks against the TPM are important to mitigate and there are several recommendations from Microsoft, Dell, and TCG in the next section that can provide defense in depth for concerned users.

Integrating the TPM into the silicon to remove access to the TPM bus altogether is a valid technical option depending on design and threat model but these “firmware TPMs” can introduce other security tradeoffs:

These security tradeoffs continue to support our decision to design discrete TPMs into Dell commercial systems (OptiPlex, Latitude, and Precision). Discrete TPMs in these devices are FIPS validated and include an Endorsement Key (EK) created and bound to the TPM during manufacturing. This Endorsement Key attests to the authenticity of the TPM and can be used to support session-based encryption on the TPM bus.

Windows BitLocker is the built-in data-at-rest encryption capability on Windows PCs. BitLocker seals decryption keys into the TPM during provisioning so that the boot drive can be decrypted on each boot if the system has not been significantly modified according to the TPM. The research referenced below uses physical access to intercept this decryption key as it is transferred across the bus from the TPM to the CPU during boot.

As stated by the researchers, Windows could mitigate this issue in software by using available TPM commands to encrypt these keys in transit with session-based encryption. Ubuntu, for example, has implemented these commands in its full-disk encryption equivalent. Software mitigations for the key exposure issue have been clarified by TCG and are available in the guidance documents linked in this article.

 
“TPM2.0 devices support command and response parameter encryption, which would prevent the sniffing attacks. Windows doesn’t configure this though, so the same attack a TPM1.2 device works against TPM2.0 devices.” https://pulsesecurity.co.nz/articles/TPM-sniffing
 

Recommendations

Recommendations for Admins

For those concerned about this threat, there are three potential mitigations:
  1. Microsoft suggests that customers concerned about targeted physical attacks against BitLocker keys in the TPM can configure preboot authentication to use TPM+PIN to mitigate this issue:
  2. Dell commercial devices with discrete TPMs have additional mitigations and detections available for customers concerned about these types of attacks:
    • Chassis intrusion
      • Administrators can use our chassis intrusion detection feature to detect whether physical access to the device internals may have been attempted, and can configure the system to halt during the boot process if the case has been opened.
      • The latest Dell OptiPlex, Latitude, and Precision systems support additional chassis intrusion detection capability that will modify TPM PCRs to prevent decryption keys from being released during boot if the case has been opened (if enabled in the BitLocker key policy via GPO).
    • HDD/SSD/NVME/System Password
      • Dell systems support drive passwords that can be used in addition to BitLocker software-based full-disk encryption. This feature requires a user to enter the password into the system during every boot to access the drive.
      • Dell systems support a System password that can be enabled in the BIOS to prompt for a password before each boot. This feature will halt the device before BitLocker key exchange occurs on the bus. Admin password and Master Password Lockout can be set for additional security.

Recommendations for Developers

The Trusted Computing Group TPM 2.0 specification supports session and parameter encryption to allow software developers to encrypt data as it goes across the bus. TCG has published guidance to help developers use these encrypted sessions to address both passive and active mitigations:
  1. https://trustedcomputinggroup.org/wp-content/uploads/TCG_CPU_TPM_Bus_Protection_Guidance_Passive_Attack_Mitigation_8May23-3.pdf
  2. https://trustedcomputinggroup.org/resource/tcg-cpu-to-tpm-bus-protection-guidance-for-active-attacks/
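
The parameter encryption referred to above can be modelled offline. The following is an added example, not code from Dell, Microsoft or TCG: it implements the TPM 2.0 KDFa function and XOR parameter obfuscation with the Python standard library and compares an unprotected unseal response with a protected one. It assumes SHA-256 as the session hash, a session key already agreed through a salted session, and an empty authValue; `simulate_unseal` and its 32-byte key are constructed for illustration.

```python
import hashlib
import hmac
import os


def kdfa(key, label, context_u, context_v, bits):
    """KDFa (TPM 2.0 Part 1): SP 800-108 counter-mode KDF, here with HMAC-SHA256."""
    out, counter = b"", 1
    while len(out) * 8 < bits:
        msg = (counter.to_bytes(4, "big") + label + b"\x00"
               + context_u + context_v + bits.to_bytes(4, "big"))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]  # callers here always ask for whole bytes


def xor_param(data, session_key, auth_value, nonce_newer, nonce_older):
    """XOR obfuscation of a command/response parameter; the same call reverses it."""
    mask = kdfa(session_key + auth_value, b"XOR", nonce_newer, nonce_older,
                len(data) * 8)
    return bytes(d ^ m for d, m in zip(data, mask))


def simulate_unseal(encrypt_response):
    """Return what a bus observer sees and what the caller recovers for one response."""
    secret = bytes(range(32))      # constructed stand-in for a sealed disk key
    session_key = os.urandom(32)   # assumed: agreed via a salted session, never on the bus
    auth_value = b""               # assumed: empty authValue on the sealed object
    nonce_caller = os.urandom(16)  # nonces travel in the clear
    nonce_tpm = os.urandom(16)
    if not encrypt_response:
        return {"secret": secret, "on_bus": secret, "recovered": secret}
    # TPM side: in a response, nonceTPM is the newer nonce.
    on_bus = xor_param(secret, session_key, auth_value, nonce_tpm, nonce_caller)
    # Caller side: same key and nonces strip the mask.
    recovered = xor_param(on_bus, session_key, auth_value, nonce_tpm, nonce_caller)
    return {"secret": secret, "on_bus": on_bus, "recovered": recovered}


if __name__ == "__main__":
    for enabled in (False, True):
        r = simulate_unseal(enabled)
        print(f"response encryption={enabled}: "
              f"key visible on bus={r['on_bus'] == r['secret']}, "
              f"caller recovers key={r['recovered'] == r['secret']}")
```

The protection holds only while the session key stays off the bus, which is why the session is salted to a TPM key whose authenticity the caller has checked; the second TCG document covers interposers that can also modify traffic.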

Additional Information


Article Properties


Affected Product: Product Security Information

Last Published Date: 27 Feb 2024

Version: 5

Article Type: Security KB