Windows 8 and TPM: a frustrating tale of astonishing stupidity


    (thread renamed upon encouragement by Jerry )

    tl;dr version: Windows 8 automatically enables a Trusted Platform Module if it finds one. This is a change from Windows 7. If the manufacturer of your computer has already placed a certificate in the TPM, and that certificate has expired, then when Windows 8 activates the TPM, your computer's motherboard will brick itself.

    Lengthier message thread follows, anonymized and annotated.

    From: Alice (owner of an Intel Classmate laptop)
    So Windows 8 killed my Nobi. The Nobi is the Intel Classmate PC tablet that I travel with. The secure boot feature has apparently locked the BIOS from booting any OS at all. Even after the hard drive has been reloaded with Windows 7. They are telling me the only way out is a new motherboard. This is what I get for my trouble to join the Consumer Preview program.

    I would be very careful about loading Windows 8 onto any computer that is capable of using the secure boot feature. This one apparently is, but the certificate on the motherboard is expired and so Windows 8 has locked the BIOS somehow, someway. Interesting feature.
    [At this point, it's natural to assume, since the problem was caused by Windows 8, that the problem is related to UEFI secure boot. The real problem lies elsewhere.]

    From: Bob (small business computer consultant)
    I don't believe it to be the software that broke things. We have seen some strange behaviours on Intel's Spring Peak notebook line that uses similar "security" structures. Thus the RMA question as we have seen users locked out of their units because the onboard security measures kicked in.

    Intel's warranty period is normally three years. An Intel partner that participates in the Classmate PC program should be able to RMA it for you and get that board replaced.
    [I don't know what "security structures" are. Presumably Bob means the TPM here.]

    From: Alice
    The Nobi had a one year warranty which is probably two years past. They want $150 for a new board but the new board will have the same problem. I won't be able to load Windows 8 on it ever.

    From: Bob
    Wow. I wonder if Intel is aware of the potential problem this could have as there are a lot of those ClassMate PCs out there? I stand corrected. Something bad going on between the OS and the TPM/security structures built into the motherboard.

    From: Charlie (OEM manufacturer and channel vendor)
    The BIOS cannot be flashed. The motherboard bricked when you tried to install Windows 8.

    I believe Intel is aware of this. I have forwarded your questions to them to answer. However, meanwhile there is no solution besides replacing the motherboard. The last time it happened, Intel simply told us Windows 8 is not compatible with this device therefore should not be loaded.

    From: Alice
    Here is where we stand. I could use some awesome Intel and Windows 8 contacts to help me get my Nobi back and help all of those schools (mainly) that also own the Classmate PCs and are about to have a huge problem.

    Since it's nearly free for schools and Windows 8 has the same specifications [as Windows 7] and it's made for tablets, I expect that they will [attempt to upgrade]. Or at least enough of them will that having student PCs turned into bricks that need new motherboards will be a publicity nightmare that could cost them the whole market. If anyone besides SBS [Small Business Server] people are known for talking to one another, it's schools.

    From: Debra (a well-connected member of the SBS community)
    Dustin Ingalls (author of the Building Windows 8 blog post "Protecting your digital identity") has reached out via the Win8 list and has asked to be introduced to Alice. He's not aware of any Intel based PC that can be bricked but wants to know the specs of exactly what it is.

    From: Alice
    I just talked to Dustin. He now understands the problem and why the system is bricked. Intel has installed a certificate in the TPM as an anti-theft measure. However, that certificate has now expired and the only way to get around it is to enter a ten-digit code which Intel is not giving up. Perhaps because they used the same ten-digit code on all seven million tablets -- time will tell. Windows 8 invoked this problem because it apparently automatically provisions the TPM chip should you have one. Since it did that, this caused the TPM to check its certificate and brick the system. This problem would not be unique to Windows 8, it could also occur if someone decided to enable TPM today in any OS. He is looking for the right person at Intel and is appalled at this implementation of TPM. So am I.
    [Note Alice's observation: Windows 7 will cause the same problem if the user attempts to enable the TPM and that TPM contains an expired certificate.]

    My thoughts... I have come to loathe hardware-based root of trust. Secure Boot and TPM present serious risks that can render hardware investments instantly useless and block access to your own information. These risks far outweigh the security risks that the technologies purport to mitigate.
    Last edited by SteveRiley; Apr 12, 2012, 12:05 PM.

    #2
    Originally posted by SteveRiley:
    My thoughts... I have come to loathe hardware-based root of trust. Secure Boot and TPM present serious risks that can render hardware investments instantly useless and block access to your own information. These risks far outweigh the security risks that the technologies purport to mitigate.
    I have an immediate 'gut feeling' that this will become a class action lawsuit, and that it will go all the way to the U.S. Supreme Court -- if manufacturers don't take the measure to stop this practice.

    If I buy a PC, isn't it wholly mine!? Used to be it was. With this 'security measure' built into MOBOs, I am now, in effect, just 'renting' the PC. Not cool, man. Not cool at all. :mad:
    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      I remember when I was trying to install a copy of Suse onto a Dell, back in about 2005, to donate to a student, and there was a hardware "security lock" that would not allow me to install anything but Windblows.

      At first I thought it was a problem with Suse, but later, when visiting with the Johnnieman, may he rest in peace, he told me about the hardware thing.

      I very, very seldom got involved with ANY kind of Dell equipment after that.

      Later, the whole "clamshell" way of doing the computer looked tres kewl at first but soon revealed itself to be a great big headache.

      At some time after the aforesaid discussion "the colleges" here started dumping the Dell clamshells into the auctions at a horrific pace because of the hardware problems in terms of being able to work on them physically, and later I found, because of a "lingering" version of that BIOS lockout problem.

      woodsmoke
      Love Thy Neighbor Baby!



        #4
        Steve, do you know of a way to disable TPM in Win7, or to prevent it from being enabled?

        If this time bomb exists in my Win7 partition on this Acer I will never boot into Win7 again.

        I used to build my own desktop out of parts just to make one assuredly 100% Linux compatible. I wish there was a source of parts and components that would allow someone to build their own laptop out of unencumbered components.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
        – John F. Kennedy, February 26, 1962.



          #5
          Originally posted by GreyGeek:
          I wish there was a source of parts and components that would allow someone to build their own laptop out of unencumbered components.
          x1000
          Mark Your Solved Issues [SOLVED]
          (top of thread: thread tools)



            #6
            Originally posted by GreyGeek:
            Steve, do you know of a way to disable TPM in Win7, or to prevent it from being enabled?

            If this time bomb exists in my Win7 partition on this Acer I will never boot into Win7 again.
            Windows 7 can enable the TPM, but you must explicitly do this either with a Control Panel applet or at the command line. The auto-enablement during install is a "feature" of Windows 8.

            BTW, TPMs don't virtualize now, so you're still safe if you want to install Windows 8 in a VM. Matter of fact, I'm beginning to think that virtualization will become the primary method we have to stop software from taking complete ownership of the hardware...

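            Steve's point above is that on Windows 7 the TPM changes state only when an administrator explicitly enables it. Before letting any upgrade near a machine, it is worth recording what state the TPM is in today. The script below is an added example for this thread, not something posted by Steve or shipped by Microsoft; it reads the TPM through the Win32_Tpm WMI class that Windows Vista and later expose, and it assumes an elevated PowerShell prompt (the class refuses non-administrators). The function name Get-TpmInventory is this example's own. It only queries; it never calls the Enable, Activate or TakeOwnership methods, so it cannot itself kick off the provisioning step the thread describes.

```powershell
# Added example, not from the thread: read-only inventory of the TPM state
# before an OS upgrade. Assumes Windows 7 / PowerShell 2.0 or later, run from
# an elevated prompt. Uses only the Win32_Tpm class that ships with Windows.

function Get-TpmInventory {
    # Win32_Tpm lives in its own namespace; absent hardware returns $null.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{ Present = $false }
    }
    # Each Is* method returns an object whose property of the same name carries
    # the flag (plus a ReturnValue); we unwrap them into one flat record.
    New-Object PSObject -Property @{
        Present             = $true
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $tpm.SpecVersion
        Enabled             = $tpm.IsEnabled().IsEnabled
        Activated           = $tpm.IsActivated().IsActivated
        Owned               = $tpm.IsOwned().IsOwned
    }
}

$inv = Get-TpmInventory
if (-not $inv.Present) {
    Write-Output "No TPM visible to Windows; automatic provisioning has nothing to act on here."
} elseif (-not $inv.Enabled -or -not $inv.Activated) {
    # This is the state an upgrade that auto-provisions the TPM would change.
    Write-Output "TPM present but not enabled/activated. Record this state before any upgrade touches it."
    $inv | Format-List
} else {
    Write-Output "TPM already enabled and activated on this machine."
    $inv | Format-List
}
```

            Note what this check cannot tell you: the Intel anti-theft certificate Alice describes is not exposed through Win32_Tpm, so a TPM showing "present, not enabled" says only that provisioning has not yet happened, not whether provisioning would be safe. The manufacturer id and spec version are still useful for matching a machine against the vendor's own compatibility notice before deciding.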


              #7
              I'm thinking of renaming this thread... Windows 8 and TPM: a frustrating tale of astonishing stupidity



                #8
                Originally posted by SteveRiley:
                I'm thinking of renaming this thread... Windows 8 and TPM: a frustrating tale of astonishing stupidity
                I'll second that!

                Originally posted by SteveRiley:
                Windows 7 can enable the TPM, but you must explicitly do this either with a Control Panel applet or at the command line. The auto-enablement during install is a "feature" of Windows 8.

                BTW, TPMs don't virtualize now, so you're still safe if you want to install Windows 8 in a VM. Matter of fact, I'm beginning to think that virtualization will become the primary method we have to stop software from taking complete ownership of the hardware...

                I installed Win8 as a VB guest OS when the Win8 beta was first made available for public download. It will expire next January. I kept the iso so I can re-install it if something goes fishy before January. I've only run it two or three times, enough to realize that the new interface is going to turn off a LOT of current Windows users just the way Unity turned off a lot of Gnome users. Navigating is tricky and there are no "sign posts" along the road. One just has to kick rocks and snap branches to see what works.
                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                – John F. Kennedy, February 26, 1962.



                  #9
                  Does this apply only to motherboards from pre-built manufacturers? Will the MBs we buy from Newegg not have this?



                    #10
                    Originally posted by Snowhog:
                    I have an immediate 'gut feeling' that this will become a class action lawsuit, and that it will go all the way to the U.S. Supreme Court -- if manufacturers don't take the measure to stop this practice.

                    If I buy a PC, isn't it wholly mine!? Used to be it was. With this 'security measure' built into MOBOs, I am now, in effect, just 'renting' the PC. Not cool, man. Not cool at all. :mad:

                    +1 on that! :mad:



                      #11
                      Originally posted by SteveRiley:
                      Windows 7 can enable the TPM, but you must explicitly do this either with a Control Panel applet or at the command line. The auto-enablement during install is a "feature" of Windows 8.

                      BTW, TPMs don't virtualize now, so you're still safe if you want to install Windows 8 in a VM. Matter of fact, I'm beginning to think that virtualization will become the primary method we have to stop software from taking complete ownership of the hardware...
                      Steve, what do you think are the chances that Microsoft could send down and "update" that enables the TPM? (It sure would be a dirty way to force an upgrade to Win8)
                      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                      – John F. Kennedy, February 26, 1962.



                        #12
                        Originally posted by ScottyK:
                        Does this apply only to motherboards from pre-built manufacturers? Will the MBs we buy from Newegg not have this?
                        I would imagine this problem affects only laptops/notebooks/netbooks. TPMs have little utility in desktop computers, although some desktop hardware aimed at the corporate market has included TPMs for a while. However, I just took a quick browse of some Asus motherboard specs and they lack TPMs, and I suspect it's because such manufacturers realize that TPMs are useless in the scenarios in which their products are used.

                        Originally posted by GreyGeek:
                        Steve, what do you think are the chances that Microsoft could send down and "update" that enables the TPM? (It sure would be a dirty way to force an upgrade to Win8)
                        That would be classified as a functionality change, which Microsoft hasn't done with service packs for some time now. I'd say it's unlikely that we'd see a mandatory Windows 7 download that would enforce the Windows 8 behavior with regards to the TPM.



                          #13
                          Good!
                          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                          – John F. Kennedy, February 26, 1962.



                            #14
                            Don't know about you all but I just had an issue trying to test WIN8 in a VBox VM. All of a sudden it complained that my system was not 64bit capable or VT capable and wouldn't even get to the install screen. Went back to my other 64 bit guests and they too started doing the same thing. Now, I know they worked before I started because I checked before starting WIN8. OK. What the H#$%! Took me a while after looking up information that led to nowhere, but what I finally had to do was, in BIOS, turn off VT, reboot completely into my system, reboot again and, back in BIOS, turn VT on. OK. I've never had that issue. Is it a coincidence that this just happened to occur while trying to test WIN8? I've grown cynical of M$ over the years and I can't help but think it truly had something to do with it. I've installed and used VMs for a long time on this machine and not once have I ever had to reset my BIOS. Hmmmmmm. Just don't know how to categorize this issue. Coincidence or not. Comments welcome on this issue as I truly want to test this so I have first hand information to comment either way, and this issue actually has me already leaning to a negative opinion.



                            EDIT: Followed these instructions, no problems so far. http://www.addictivetips.com/windows...on-virtualbox/
                            Last edited by MoonRise; Apr 14, 2012, 12:11 PM.



                              #15
                              Well, what I was able to test didn't seem to fit what I've read about usability on a Desktop. Once you get to the Desktop mode, which isn't that hard, everything was intuitive as one is used to with WIN7. I was able to navigate rather well and even found how to shut down rather quickly, unlike one report I read. The start menu is really all that changed and I can actually see the logic in the approach they took to try and be All for everyone and everything. One side note with this test. It is very easy to break WIN8. The Guest Additions install forced me to reinstall several times while testing that. WIN8 thought something was broken and tried to repair but couldn't. Trying to find a sound configuration for VBOX and that guest goes very wrong as well. I'm going to chalk that up to it being a test and they have it "limited" somehow. Hope that isn't the new model where changing components causes mass havoc.
