[metalcrow]

>TPM-based measured boot, combined with UEFI Secure Boot, can generate a cryptographically signed attestation ... This is not a complete solution (a sufficiently sophisticated attacker can potentially manipulate attestation)

I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.

[matheusmoreira]

See this for example:

https://tee.fail/

Defeating remote attestation will be a key capability in the future. We should be able to fully own our computers without others being able to discriminate against us for it.

[metalcrow]

Thank you for that link, that's super interesting! It looks like it's actually an architectural vulnerability in modern fTPMs, and considered out of scope by both Intel and AMD. So that's a reliable way to break attestation on even the most modern systems!

[torginus]

Sure, but the exploit presented doesn't really look practical for the everyman. And I'm not sure if it can be patched in HW/SW, and in any case this is just the first step to a fully fake secure boot.

[gruez]

The comms between the motherboard and the TPM chip isn't secured, so an attacker can just do a MITM attack and substitute in the correct values.

[halayli]

That doesn't sound accurate. The T in TPM stands for trust, the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys(EK).

[invokestatic]

Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20 year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks and only within the last few years is it being addressed by vendors. Endorsement keys don’t matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.

[srjek]

It is correct, the measurement command to the TPM is not encrypted. So with MITM you can record the boot measurements, then reset and replay to any step of the boot process. Secrets locked to particular stages of boot are then exposed.

There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_-CP...

[metalcrow]

That's fair, although aren't most TPMs nowadays fTPMs? No interceptable communication that way.

[Retr0id]

Until they require fTPMs, an attacker can just choose to use a regular TPM.

A more sophisticated attacker could plausibly extract key material from the TPM itself via sidechannels, and sign their own attestations.

[Charon77]

I remember there's a PCI device that's meant to be snooping and manipulating RAM directly by using DMA. Pretty much one computer runs the game and one computer runs the cheat. I think kernel anti cheats are just raising the bar while pretty much being too intrusive

[int_19h]

TFA explicitly describes those devices, and how anti-cheat developers are trying to handle this.

But the main point there is that this setup is prohibitively expensive for most cheaters.

[nextaccountic]

what about faulTPM? https://arxiv.org/abs/2304.14717

[edoceo]

Can a TPM be faked in a QEMU VM?

[invokestatic]

Technically yes, but it would produce an untrusted remote attestation signature (quote). This is roughly equivalent to using TLS with a self-signed certificate — it’s not trusted by anyone else. TPMs have a signing key that’s endorsed by the TPM vendor’s CA.

[kay_o]

We don't allow games to run in virtual machines and require TPM. Check TPM EK signing up to an approved manufacturer.

It is not "fake", a software TPM is real TPM but not accepted/approved by anticheat due to inability to prove its provenance

(Disclosure: I am not on the team that works on Vanguard, I do not make these decisions, I personally would like to play on my framework laptop)

[carefree-bob]

Yes! https://github.com/stefanberger/swtpm