Uncategorized

Windows 10 new preboot security features

There are a few new preboot-related features in recent builds of Microsoft Windows; an excerpt of some of them is below.

New features in Windows 10, version 1511:
* Credential Guard: Enable Credential Guard without UEFI lock. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
* Bitlocker: DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.

* Bitlocker: New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in “BitLocker Group Policy settings.”
* New BCD events: Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): DEP/NEX settings, Test signing, PCAT SB simulation, Debug, Boot debug, Integrity Services, Disable Winload debugging menu
* New PNP events:  Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
* TPM: Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
* TPM: The following sections describe the new and changed functionality in the TPM for Windows 10: Device health attestation, Microsoft Passport support, Device Guard support, Credential Guard support […]

https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511
https://technet.microsoft.com/en-us/windows/release-info
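
The Credential Guard item above means a machine can be in one of two enabled states, with or without UEFI lock, and only the unlocked one can be switched off by a registry change. The PowerShell below is an added example, not part of the quoted Microsoft text: it reports which state is configured and whether Credential Guard is running. The function name is hypothetical; the `LsaCfgFlags` value and the `Win32_DeviceGuard` CIM class are the standard Windows ones.

```powershell
# Added example: report how Credential Guard is configured on the local
# machine and whether it is actually running. Run from an elevated prompt.
function Get-CredentialGuardLockState {
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $meaning = @{
        0 = 'Disabled'
        1 = 'Enabled with UEFI lock'
        2 = 'Enabled without UEFI lock'
    }

    # Group Policy writes the policy key; a direct registry change uses the Lsa key.
    $sources = [ordered]@{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
        'Registry'     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    }

    $configured = foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $sources[$name] -Name LsaCfgFlags -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $flag = [int]$item.LsaCfgFlags
            [pscustomobject]@{ Source = $name; LsaCfgFlags = $flag; Meaning = $meaning[$flag] }
        }
    }

    # With UEFI lock the setting is also held in firmware, so the registry alone
    # is not authoritative; the running state comes from Win32_DeviceGuard, where
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        Configured      = @($configured)
        Running         = $running
        # True when any source enables Credential Guard without UEFI lock,
        # i.e. the state that a registry change alone can turn off.
        EnabledUnlocked = [bool](@($configured) | Where-Object { $_.LsaCfgFlags -eq 2 })
    }
}

Get-CredentialGuardLockState | Format-List
```

A result with `Running = True` and `EnabledUnlocked = True` is the registry-only configuration the excerpt describes; the recommended configuration shows `LsaCfgFlags = 1`.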

Standard

TPM: A Practical Guide (free ebook)

http://www.springer.com/us/book/9781430265832

It looks like this APress Open Book is also (or only) available via Springer now.

See also: https://firmwaresecurity.com/2016/12/19/apress-tpm-book-free-ebook-option/


TPM firmware updates (and BiosSledgehammer)

The below tweet made me realize I’ve not been looking enough for TPM utilities. I’ve seen tools from HP, Dell, and Lenovo. Still looking for tools from other OEMs. The only community tool I can find is BiosSledgehammer, which only works on HP systems.

https://github.com/texhex/BiosSledgehammer

BiosSledgehammer: Automated BIOS update, TPM firmware update and BIOS settings for HP devices.

http://h20566.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05381064

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05192291

http://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=2105J

http://support.lenovo.com/us/en/downloads/ds038226

https://www.dell.com/support/article/us/en/04/SLN300914/trusted-platform-module–tpm–upgrade-downgrade-process-for-windows-7-and-10-operating-system-upgrade-downgrade?lang=EN


Finnbarr’s TPM 2.0 PCR Tool

Finnbarr P. Murphy has a new blog post about a new UEFI-based TPM tool he’s written.

[…]By the way, if you have access to the Intel TXT (Trusted Execution Technology) EFI compliance testing toolkit, the included utility, pcrdump.efi, provides similar functionality to the utility described in this post.[…]

http://blog.fpmurphy.com/2017/01/uefi-utility-to-read-tpm-1-2-pcrs.html

See more of his UEFI Utilities:

https://firmwaresecurity.com/2016/03/08/fpmurphys-uefi-utilities-has-2016-fork/

https://github.com/fpmurphy/UEFI-Utilities

https://github.com/fpmurphy/UEFI-Utilities-2016


James on Linux and TPM (and TrouSerS)

James Bottomley has a new blog post on TPM v2 and Linux:

http://blog.hansenpartnership.com/tpm2-and-linux/

See his previous blog posts for more on TPM and Linux.

Blogging aside, James also posted a TPM2 patch to TrouSerS to allow support for OpenSSL:

[TrouSerS-tech] [PATCH 0/1] TPM2 engine support for openssl

This is a completed version of the original RFC.  It’s working now both on the TPM2 simulator and on real hardware (I’ve converted my laptop to TPM2).  I’ve updated it to use the latest version of the ASN.1 for the key format (still using a TCG OID). I have it building here (it’s what I’m currently using for my laptop VPNs):

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed/openssl_tpm_engine

But note that this version also has experimental patches to activate the in-kernel TPM Resource Manager because for multiple applications TPM2 really doesn’t work well without one.  Since the patch for the RM is currently not upstream (yet), it’s not going to work unless you have a patched kernel.

More info:
https://lists.sourceforge.net/lists/listinfo/trousers-tech
