“Is anyone out there?” — Using physical presence to turn on the Trusted Platform Module (TPM)
Malicious software can lurk in the most humorous of dancing baby videos and cause havoc on your computer. To help protect against malware taking control of your computer's Trusted Platform Module (TPM) security hardware, computer manufacturers should follow recommendations from the Trusted Computing Group (TCG) to ship TPMs in the "off" state and require users to establish "physical presence" before turning on the TPM for the first time.
So what exactly does "physical presence" mean? Before Windows Vista appeared on the scene, computer manufacturers fleshed out this ghostly requirement by considering the ability to enter and navigate pre-boot (BIOS) setup menus as proof of physical presence. This approach guards against malware since it's harder to fool us into entering a BIOS setup menu than it is to have us click on a dancing baby video. Unfortunately, finding TPM settings in the BIOS isn't intuitive and in fact, varies widely with each computer model. Not knowing how to help you with this task, Vista's TPM Initialization Wizard would need to display a dialog that says something along the lines of, "Please refer to the BIOS section of your motherboard manual to enable and activate the TPM."
I wanted to resolve this dilemma. I felt strongly that understanding the BIOS should not be a prerequisite for using the TPM, and just as strongly that we must have a choice to turn on the TPM or not. With the help of others on the BitLocker team, I collaborated with industry partners to specify an interoperable BIOS firmware interface that simplifies establishing physical presence. With this firmware interface, you can configure the TPM using Vista wizards without knowing about the BIOS. When an action requires physical presence, Vista will set up the BIOS to automatically ask you to confirm your requested change on the next computer restart. As a result, you can quickly use your mere presence to turn on the TPM, but dancing babies cannot (unless, of course, you permit them to do so).
For more information on using physical presence to turn on the TPM:
For a related music selection:
Level 42 – “Turn It On” from the album “A Physical Presence (Live)” (1985)
— Xian Ke
P.S. Large enterprise customers that desire no-touch deployment—and who have a controlled deployment environment—can work with their preferred computer manufacturer to purchase computers that do not require an extra touch. For example, having the TPM already on removes the need to establish physical presence during an enterprise BitLocker deployment.
Comments
- Anonymous
March 02, 2014
link in the article is broken.