Showing posts with label TPM. Show all posts

Friday, September 17, 2021

2021 09 17 Forte and Windows 11

Windows 11 sort of sneaked up on me. My fault of course, not paying attention, but Microsoft says October 5, 2021, less than three weeks from today. We'll see. 

Microsoft did have an application called the "PC Health Check App," which could run on a destination computer and determine whether that computer met their Windows 11 requirements, but the scuttlebutt is that it was thoroughly flawed (with source code unavailable of course) and it has been withdrawn. As of today, September 17, the page for it still says "COMING SOON."  It's been coming soon for a while now.

However, there is a page on Microsoft.com which does purport to set forth the requirements for Windows 11. Happily, there are others besides Microsoft who have read these requirements and put them in an application. In particular, there is a Windows application called WhyNotWin11.exe on GitHub. This app is open source and peer reviewed (unlike any Microsoft apps), written by Robert Maehl, and downloaded 869,000 times so far. Might be a good thing to support.

WhyNotWin11.exe puts all of Microsoft's Windows 11 stated requirements into a nice display. You see two of those displays here. One is for a twelve-year-old HP Dv7t laptop, which has been updated from Windows Vista all the way to Windows 10. That one shows a lot of Windows 11 deficiencies. The other is for the Forte computer, built just this summer, showing no deficiencies. 

Of course even the old laptop might be upgraded to meet the Windows 11 requirements, and perhaps some of the requirements might not really be necessary to get Windows 11 running. For example, that ancient laptop has neither a discrete TPM nor a firmware TPM, but it has BitLocker encryption working just fine and quite securely on its (one and only) disk drive anyway. Experience will tell us what will actually work with Windows 11. 



Forte did initially have a deficiency, according to WhyNotWin11: The Vision Tech Radeon 5450 Graphics Card did not meet the Win 11 DirectX or WDDM requirements. Therefore that card has been replaced by the ASUS NVIDIA GT710 "4H SL 2GD5" Graphics Card, which I know will qualify and which is probably better anyway. See the revised Bill of Materials.

By the way, Forte is for sale. You can see what it cost, and I do expect to receive some benefit from my work in building it, so make me an offer. Note, however, that I will not ship it, and will only deliver it in the Twin Cities Minnesota metropolitan area. It can come with Windows 10 or Windows 11, your choice. Either way, it's a really hot computer!

Thursday, September 16, 2021

2021 09 16 Forte, ASUS BIOS Version 3801, and TPM

BIOS Version 3801

This was installed in the motherboard on August 13, 2021, and as far as I can tell it behaves exactly the same on the Forte computer as did the Beta version 3703, which is no longer downloadable. It feels now almost like a finished product. I also installed it on my main computer, Stirling 2021.

It still has the "Improved System Performance" bug described in an earlier post titled Forte Performance 002 and dated August 6, 2021, https://buildmyown.blogspot.com/2021/08/2021-08-06-performance-002-woohoo-asus.html, but that is not a problem for me. I just leave the "Improved System Performance" feature alone and use the Overclocking Presets instead. Specifically: BIOS > Extreme Tweaker > Overclocking Presets > (Load Generic OC Preset). The August 6 post mentioned above has more about that.

Again, here is the computer:

  • AMD Ryzen 9 5950X CPU with 16 cores and 32 threads, 7nm technology;
  • G Skill Trident Z Neo F4-4000 Memory 32GB;
  • ASUS ROG Crosshair VIII Dark Hero Motherboard, BIOS Version 3801;
  • be quiet brand BK022 Dark Rock Pro 4 CPU cooler;
  • WD Black 1TB M.2 NVMe PCIe 4 Drive;
  • WD Gold 10TB Enterprise Class rotating SATA disk drive;
  • VisionTek Radeon 5450 Graphics card, BUT SEE NEXT POST.


TPM

Some processors have a built-in firmware TPM (Trusted Platform Module), especially AMD processors I think. I did an experiment to see if my Ryzen 9 5950X processor has it: Remove the discrete TPM module from the motherboard, then reboot into the BIOS and set Advanced > Advanced\AMD fTPM configuration > Selects TPM Device > Enable Firmware TPM. The firmware is apparently in the processor, not the motherboard. After booting into Windows, run Manage BitLocker, then click TPM Administration (lower left corner). A window labeled TPM Management on Local Computer then appears.

There are options here, but if BitLocker is not to be used right away, you can just check to see that it's available. On mine, the Status window says "The TPM is ready for use."

In the window labeled "TPM Manufacturer Information" the following information is displayed, depending on which TPM is selected:

  • Firmware TPM: Mfgr Name: AMD,  Mfgr Version: 3.58.0.5,  Specification Version: 2.0
  • Discrete TPM: Mfgr Name: IFX,  Mfgr Version: 5.63.3353.0,  Specification Version: 2.0
  1. Note that you may see different information.
  2. Note that the specification version must be 2.0 (or greater if greater exists). 
  3. Note also that a TPM will be required for Windows 11, coming soon. It must be available.
  4. Note that the Forte computer qualifies with two different TPMs.
  5. Note that you are not required to use BitLocker or either TPM. BitLocker is simply available if you want the additional security.
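The same check can be made from an elevated PowerShell prompt instead of the TPM Management window. This is an added example, not part of the original post; the helper name Test-TpmSpecVersion is made up for illustration, while Get-Tpm and the Win32_Tpm class are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added example: report the TPM facts that the TPM Management window shows
# (manufacturer, manufacturer version, specification version, readiness).

function Test-TpmSpecVersion {
    # Hypothetical helper: true when the TPM specification family is >= $Minimum.
    param([string]$SpecVersion, [version]$Minimum = '2.0')
    # Win32_Tpm.SpecVersion is a comma-separated string; the first field is the family.
    if ([string]::IsNullOrWhiteSpace($SpecVersion)) { return $false }
    $family = ($SpecVersion -split ',')[0].Trim()
    $parsed = $null
    if (-not [version]::TryParse($family, [ref]$parsed)) { return $false }
    return $parsed -ge $Minimum
}

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    # Neither the firmware TPM nor a discrete module is exposed to Windows.
    Write-Warning 'No TPM is visible to Windows. Check the TPM device selection in the BIOS.'
    return
}

# The specification version is not in Get-Tpm output; read it from the WMI class.
$wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

[pscustomobject]@{
    Manufacturer        = $tpm.ManufacturerIdTxt    # e.g. AMD (firmware) or IFX (discrete)
    ManufacturerVersion = $tpm.ManufacturerVersion
    SpecVersion         = $wmi.SpecVersion
    Ready               = $tpm.TpmReady
    MeetsSpec2_0        = Test-TpmSpecVersion -SpecVersion $wmi.SpecVersion
}
```

Running it once with the firmware TPM selected and once with the discrete module installed shows which device Windows is actually using.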

I'm not certain that the discrete TPM module provides any advantage over the processor's TPM during use, but it's removable, so if the drives are BitLocker encrypted and the computer is to be shipped somewhere or left idle for a time, the TPM module could be removed from the mobo and secured elsewhere. This would render the data on the computer quite useless. 

If the processor contains the active TPM, then a naughty party needs only the password to the computer (depending on the BitLocker setup), but if the discrete module contains the TPM, then the naughty party needs both the module and the password. I suggest you try this before you depend on it. 

Set Erase fTPM to Disable
WARNING: The two ASUS motherboards that I have will try to CLEAR the TPM when anything major is done, like updating the BIOS, setting the BIOS to its defaults, or even choosing the Overclocking Presets described above. Therefore, if any drives are BitLocker encrypted, then every time that you boot into the BIOS, the last thing to do before exiting the BIOS is check Advanced > Advanced\AMD fTPM configuration > "Erase fTPM NV for factory reset" and make sure that it says "Disabled." In case I forget this I have always UN-BitLockered (Decrypted) all drives before making any BIOS changes, to avoid the damage that might be caused by leaving that selection in the Enabled state.

Please please ALWAYS keep a record of BitLocker keys in a secure place, no matter what. If you like to think of yourself as a professional, and you lose your BitLocker keys, there is a good argument that you are not yet a professional. More about this in the blog post dated 2021 06 16. https://buildmyown.blogspot.com/2021/06/2021-06-16-security-ok-so-far-new.html
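A quick check to run before entering the BIOS, so that a cleared TPM never meets an encrypted drive whose recovery key was not written down. This is an added example, not part of the original post; it uses the standard Get-BitLockerVolume cmdlet, and the NeedsAttention column is a label invented here.

```powershell
#Requires -RunAsAdministrator
# Added example: list every volume, its BitLocker state, and the ID of each
# recovery password so it can be matched against the paper or offline record.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Names of all key protectors on this volume (Tpm, TpmPin, RecoveryPassword, ...).
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # IDs (not the secrets themselves) of the recovery-password protectors.
    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'
    $tpmBound  = [bool]($types -like 'Tpm*')

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        VolumeStatus   = $vol.VolumeStatus
        Protection     = $vol.ProtectionStatus
        Protectors     = $types -join ', '
        RecoveryKeyIds = $recoveryIds -join ', '
        # Encrypted with a TPM-based protector: a TPM clear will force recovery.
        TpmBound       = $encrypted -and $tpmBound
        # Encrypted with no recovery password at all: nothing to fall back on.
        NeedsAttention = $encrypted -and ($recoveryIds.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object NeedsAttention) {
    Write-Warning 'At least one encrypted volume has no recovery password protector.'
}
```

Compare each RecoveryKeyIds value with the identifier on the saved key record; a mismatch means the record belongs to an older protector.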


Wednesday, June 16, 2021

2021 06 16 SECURITY
OK. So far the new computer will have:
  • CPU: AMD Ryzen 9 5950X CPU, 16 cores & 32 threads 
  • Motherboard: ASUS ROG Crosshair VIII Dark Hero, PCIe 4.0 and more 
  • Windows 10 Pro, full version, USB 
  

But first some words about security: BitLocker is Microsoft's full-disk encryption facility, and it works. The computer must be and will be BitLocker compatible. It turns out that BitLocker has almost no impact on performance, even gaming performance, so that's not a downside. I think that the mobo (motherboard) should probably have a header for a TPM (Trusted Platform Module), and the "Dark Hero" does. I'm not certain about actually using a TPM though, because I think that the CPU or the firmware may also provide the necessary BitLocker functions. If so, the separate TPM module would not be necessary. In fact, last I looked, new ones with the right updates were kind of hard to find. On a previous computer I enabled BitLocker with a tiny USB flash drive and no TPM. Important point: Even if the mobo is compatible and everything is in place, BitLocker doesn't have to be enabled.
 
If you're not a BitLocker (or Microsoft) fan, or you don't have the Professional version of Windows, an excellent alternative is VeraCrypt, an open-source and thoroughly-audited facility which has both a full-disk encryption mode and a file-encryption mode. In fact, the best security may be found with a combination, where BitLocker is used to encrypt the whole disk, and the most precious individual files are further encrypted with VeraCrypt. Examples: A lawyer's client files, an engineering company's proprietary designs, the computer owner's social security numbers, bank accounts, and website logon passwords. I do use both BitLocker and VeraCrypt, plus several more. 
 
Please do not use the same password for BitLocker and VeraCrypt, or for anything else. That would entirely defeat the additional security. That's what a password vault is for, and there are some very good free ones.
 
In addition to BitLocker and VeraCrypt, there are other very useful encryption facilities. For example, I use Macrium Reflect to back up entire disk drives, and those output files can be encrypted. I'm sure that some of the competitive backup facilities can do the same. There is also a free and widely-used zipping app called 7Zip which is better than the Windows zipper in several ways, especially because its zipped output files can be encrypted. Here is a partial list of a few handy encrypting apps:
  • BitLocker (requires Windows 10 Pro) 
  • VeraCrypt (replaces TrueCrypt) 
  • 7Zip 
  • Macrium Reflect (or competitors) 
  • KeePass (password vault, or competitors) 
  • EFS (Windows "encrypting file system") 
  • Lots more ... 
Please PLEASE do not lose your BitLocker keys! Or your VeraCrypt passwords or PIMs, or any other encryption keys. There is likely no recovery except for your backups, and only then if the backups are UNencrypted or you know THEIR keys. Losing the keys is the same as a disk crash. Obviously, it's not a clever plan to keep the only copy of your encryption keys WITHIN the encrypted files. Please please write the keys on paper, or in a file within an UNencrypted DVD or flash drive, and keep that in a safe place, like a bank safe deposit box or your best friend's top dresser drawer, several miles away. Note: If you have more than one disk, you will have more than one key. You must save all of them. 

No matter what you think, the keys are not safe in the residence (or office) where the computer is located. Period.
 
Here is an only-slightly tongue-in-cheek list of risks to keeping the keys in the residence: Theft, computer virus, ransomware, fire, flood, lightning, hurricane, tornado, sinkhole, earthquake, termites, C-drive failure, other drive failure, smoked motherboard, smoked CPU, BitLocker failure, other encryption failure, Covid-19, another pandemic, asteroid impact, ultra-Plinian volcanic eruption, lunar cataclysm, black hole consuming the earth, gamma-ray burst, nuclear explosions, coronal mass ejection, sun going nova, or bad luck.
 
The point is: Some of these could actually happen, and some WILL happen to some people who don't have their keys. Please don't be one of those. My residence is not safe, and neither is yours.
 
There is no rule against keeping the keys in multiple places. It's a really good idea. 

Backup is even (far) more important than encryption, and we have said little about it here. There is much more to be said about security, but that is saved for another time.

The next post will get back to building a computer.