upvote

points

by gruez19 hours ago |
comments
upvoteby halayli18 hours ago|
next
[-]
That doesn't sound accurate. The T in TPM stands for trust, the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys(EK).
reply
upvoteby invokestatic18 hours ago|
parent|
next
[-]
Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20 year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks and only within the last few years is it being addressed by vendors. Endorsement keys don’t matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.
reply
upvoteby srjek17 hours ago|
parent|
prev|
[-]
It is correct, the measurement command to the TPM is not encrypted. So with MITM you can record the boot measurements, then reset and replay to any step of the boot process. Secrets locked to particular stages of boot are then exposed.

There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_-CP...

reply
upvoteby metalcrow19 hours ago|
prev|
[-]
That's fair, although aren't most TPMs nowadays fTPMs? No interceptable communication that way.
reply
upvoteby Retr0id19 hours ago|
parent|
next
[-]
Until they require fTPMs, an attacker can just choose to use a regular TPM.

A more sophisticated attacker could plausibly extract key material from the TPM itself via sidechannels, and sign their own attestations.

reply
upvoteby Charon7718 hours ago|
parent|
[-]
I remember there's a PCI device that's meant to be snooping and manipulating RAM directly by using DMA. Pretty much one computer runs the game and one computer runs the cheat. I think kernel anti cheats are just raising the bar while pretty much being too intrusive
reply
upvoteby int_19h13 hours ago|
parent|
[-]
TFA explicitly describes those devices, and how anti-cheat developers are trying to handle this.

But the main point there is that this setup is prohibitively expensive for most cheaters.

reply
upvoteby edoceo18 hours ago|
parent|
prev|
[-]
Can a TPM be faked in a QEMU VM?
reply
upvoteby invokestatic18 hours ago|
parent|
next
[-]
Technically yes, but it would produce an untrusted remote attestation signature (quote). This is roughly equivalent to using TLS with a self-signed certificate — it’s not trusted by anyone else. TPMs have a signing key that’s endorsed by the TPM vendor’s CA.
reply
upvoteby kay_o18 hours ago|
parent|
prev|
next
[-]
We don't allow games to run in virtual machines and require TPM. Check TPM EK signing up to an approved manufacturer.

It is not "fake", a software TPM is real TPM but not accepted/approved by anticheat due to inability to prove its provenance

(Disclosure: I am not on the team that works on Vanguard, I do not make these decisions, I personally would like to play on my framework laptop)

reply