Split from this thread.
I can confirm, after looking at TPM events posted in the Event Viewer, that Windows 11 does not comply with TPM specifications.
Notably it repeatedly attempts to use a "TPM2_Import" (code=342=0x342) command to import a new cryptographic hierarchy, but that command gets returned an error code RC_VALUE+4 (code=1220=0x4C4).
According to TCG specs about the "TPM2_Import" primitive API, this RC error code means that:
nonempty inSymSeed and its numeric value is greater than the modulus of the key referenced by inSymSeed, or
inSymSeed is larger than the size of the digest produced by the name algorithm of the symmetric key referenced by inSymSeed.
Effectively, Windows selects the incorrect profile and attempts to use the TPM1.2 profile using the 1st bank of PCRs (using SHA1), instead of the second bank (SHA256).
The first PCRs bank (legacy SHA1 for TPM1.2, which may be used with TPM2 as well but is not recommended) is NOT provisioned by the UEFI BIOS which has correctly provisioned the 2nd PCRs bank (SHA2, the one that even Windows 11 recommends). This of course does not work because the hash for the SHA256 hierarchy that Windows attempts to extend by this import (in PCR[7] at UEFI preboot, and PCR[11] later inside the OS) has an incorrect size (the SHA256 hash *requires* more bytes than SHA1) for the selected profile.
Then it attempts to fall back to using SHA1, but this fails as well because the legacy SHA1 bank has not been provisioned on the TPM by the UEFI BIOS (the 16 PCR registers for the UEFI firmware in that bank are cleared, the 7 next registers are filled with 0xFF, meaning uninitialized, and the last 24th register is clear).
I don't know why Microsoft does not select the correct profile after looking at the TPM capabilities. This looks like an incorrect use of the TPM API with TPM_Initialize. Resetting or clearing the TPM will have no effect.
Microsoft seems to (incorrectly) assume that *all* banks of the TPM should be provisioned by the UEFI BIOS, but this is not a requirement in the TCG: a UEFI BIOS can (and even should) provision only the TPM banks that it needs for a given profile.
Microsoft does not seem to support multiple profiles for different OSes or applications on the same machine, and does not support the presence of multiple TPMs as well!
This is a bug of Windows 11 that did not exist in Windows 10. Microsoft has incorrectly simplified its implementation in Windows 11: it does not correctly look at the TPM capabilities, and just assumes that a discrete TPM will behave exactly like the weak fTPM implementations implemented by Intel in PTT (when using the fTPM inside the CPU), where Intel provisions both banks (SHA1 and SHA256).
It's not up to Microsoft to provision the 16 first registers in any PCR bank or to decide which one should be used: now there are new TPM specifications allowing several dozens of independent PCR banks (even if TPM1.2 only allowed one, and used a reduced set of algorithms, and only SHA1).
As well, Microsoft still only supports the legacy FIFO/TIS interface, instead of the newer CRB interface (which allows selecting and using multiple banks at the same time for different purposes, and asynchronously from each other, with huge performance gains in applications, something not possible with the legacy FIFO/TIS interface, where a default profile must be selected first to select the correct bank): Windows 11 does not use this CRB interface, and does not select the bank during initialization with the legacy FIFO/TIS1.2 interface, so the first bank is used by default: it is SHA1 and not necessarily provisioned, and Windows does not have any fallback to use another compatible bank using the correct profile.
Microsoft should reread the TCG specs and not affirm things about security in Windows 11 that are demonstrably wrong!
The following event, spammed every second while Windows 11 is running, is symptomatic:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="TPM" Guid="{1b6b0772-251b-4d42-917d-faca166bc059}" /><EventID>17</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-07-10T16:43:21.1503882Z" /><EventRecordID>17130</EventRecordID><Correlation /><Execution ProcessID="4" ThreadID="396" /><Channel>System</Channel><Computer>JUPITER</Computer><Security UserID="S-1-5-18" /></System>
<EventData>
<Data Name="locationCode">0x1e0003b6</Data><Data Name="TpmCommandOrdinal">342</Data><Data Name="TpmResponseCode">1220</Data></EventData>
</Event>
(The interesting part is the "TpmCommandOrdinal" given here as a decimal value (342=0x156) and the response code.)
You can see for yourself that the 1st PCR bank (SHA1) is selected but not provisioned and not suitable for SHA1, and that the attempt to use it for storing SHA256 hashes will fail (not compatible with the selected bank), by using "tpmtool.exe" or "tpmdiagnostics.exe" from an administrator command line (where I have partly snipped the non-empty hashes):
C:\WINDOWS\system32>TpmDiagnostics printpcrs
PCR bank: SHA1
PCR[00]: 0000000000000000000000000000000000000000
PCR[01]: 0000000000000000000000000000000000000000
PCR[02]: 0000000000000000000000000000000000000000
PCR[03]: 0000000000000000000000000000000000000000
PCR[04]: 0000000000000000000000000000000000000000
PCR[05]: 0000000000000000000000000000000000000000
PCR[06]: 0000000000000000000000000000000000000000
PCR[07]: 0000000000000000000000000000000000000000
PCR[08]: 0000000000000000000000000000000000000000
PCR[09]: 0000000000000000000000000000000000000000
PCR[10]: 0000000000000000000000000000000000000000
PCR[11]: 0000000000000000000000000000000000000000
PCR[12]: 2af205(snip)a32df
PCR[13]: 3f54c1(snip)826ee
PCR[14]: 0c2aa(snip)9bad3
PCR[15]: 0000000000000000000000000000000000000000
PCR[16]: 0000000000000000000000000000000000000000
PCR[17]: ffffffffffffffffffffffffffffffffffffffff
PCR[18]: ffffffffffffffffffffffffffffffffffffffff
PCR[19]: ffffffffffffffffffffffffffffffffffffffff
PCR[20]: ffffffffffffffffffffffffffffffffffffffff
PCR[21]: ffffffffffffffffffffffffffffffffffffffff
PCR[22]: ffffffffffffffffffffffffffffffffffffffff
PCR[23]: 0000000000000000000000000000000000000000
PCR bank: SHA256
PCR[00]: 7cbaaaa(snip)c38704b8
PCR[01]: 3d458cf(snip)f198e7969
PCR[02]: 3d458cf(snip)f198e7969
PCR[03]: 3d458cf(snip)f198e7969
PCR[04]: 18879d(snip)941184c1c
PCR[05]: 59f3cbd(snip)178fc289a
PCR[06]: 3d458cf(snip)f198e7969
PCR[07]: 625d66(snip)f733c8f4ff9
PCR[08]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[09]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[10]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[11]: 0fe6e(snip)cdf310f980
PCR[12]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[13]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[14]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[15]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[16]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[17]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[18]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[19]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[20]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[21]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[22]: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
PCR[23]: 0000000000000000000000000000000000000000000000000000000000000000
PCR bank in use: SHA1
This is clearly a bug of the "bootloaderfw.efi" (the new version installed with Windows 11) reproduced as well in the post-boot UEFI loader and the new kernel after boot.
As you can see, PCR[0] to PCR[7] and PCR[11] were correctly provisioned by the UEFI BIOS in the SHA256 bank; Windows 11 does not use it and instead attempts to use the SHA1 bank only (even if it does not "support" it) to set PCR[12] to PCR[14] (not used by the UEFI BIOS even in secure mode), for use in Hyper-V running in legacy mode (based on the storage only, like with TPM1.2 with a single bank).
I still don't know if Windows 11 supports the CRB (strongly recommended) interface of the TPM2 chip, I think it uses only the FIFO/TIS interface (with poor performance) and only in synchronous mode (TPM2 has an asynchronous mode, best fitted for use with multiple banks and multiple profiles by many concurrent applications). This means that Windows 11 is far inferior to other OSes, including Windows 8/10, Windows Server 2012/2019, and all current Linux kernels.
The TPM2.0 protection in Windows 11 is an illusory protection. It just does not work at all for now and cannot be a "requirement" as announced! Windows 11 is still based on a basic code implementation that only targets single TPM1.2 profiles (even if it uses the TPM2 API, nothing was added to select the correct profile). All the rest has been silently dropped from Windows and so it only works with low-end tablets and notebooks (the same target as Windows 10 in S Mode... knowing Windows 11 wants to drop the "S Mode") with the lowest costs (without any real discrete TPM chip): just what Chinese manufacturers wanted. It is not made for serious desktops or servers.
But this code works when booting Windows 11 as a guest OS in a VM like VMware (or even Hyper-V in Windows 11!) because the hypervisor will typically implement a virtual fTPM with a single PCR bank for each hosted VM and in a single profile. This does not work on real hardware for the new version of Hyper-V running on bare metal where it can only use TPM1.2 with the basic profile for SHA1 and only endorsement of the storage hierarchy!
Visibly this limited vision of TPM2 is wrong, it is not what the TCG documented and prepared for years!
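
Added example, not part of the original post: a small Python decoder for the TpmCommandOrdinal and TpmResponseCode fields of the event quoted above, using the TPM 2.0 response-code bit layout. It shows that 1220 (0x4C4) is TPM_RC_VALUE reported against parameter 4, which for TPM2_Import is inSymSeed. The event text is a constructed, trimmed copy of the one in the post, and the lookup tables are partial and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: only the fields of the quoted event that matter here.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="TPM" /><EventID>17</EventID></System>
<EventData><Data Name="locationCode">0x1e0003b6</Data>
<Data Name="TpmCommandOrdinal">342</Data>
<Data Name="TpmResponseCode">1220</Data></EventData>
</Event>"""

# Partial tables from the TPM 2.0 Library specification (not exhaustive).
COMMANDS = {0x156: "TPM2_Import"}
FMT1_ERRORS = {0x03: "TPM_RC_HASH", 0x04: "TPM_RC_VALUE", 0x15: "TPM_RC_SIZE",
               0x1C: "TPM_RC_KEY", 0x1F: "TPM_RC_INTEGRITY", 0x22: "TPM_RC_BAD_AUTH"}
# Parameter order of TPM2_Import, 1-based as the response code counts them.
IMPORT_PARAMS = ["encryptionKey", "objectPublic", "duplicate", "inSymSeed", "symmetricAlg"]

def decode_rc(rc):
    """Split a TPM 2.0 response code into error number and what it refers to."""
    if not rc & 0x80:                      # bit 7 clear: format-zero code
        return {"format": 0, "error": rc & 0x7F, "name": None,
                "subject": None, "index": None}
    err, n = rc & 0x3F, (rc >> 8) & 0xF    # bits 5:0 = error, bits 11:8 = N
    if rc & 0x40:                          # bit 6 (P) set: N is a parameter number
        subject, index = "parameter", n
    elif n & 0x8:                          # P clear, N bit 3 set: a session
        subject, index = "session", n & 0x7
    else:                                  # P clear, N bit 3 clear: a handle
        subject, index = "handle", n
    return {"format": 1, "error": err, "name": FMT1_ERRORS.get(err),
            "subject": subject, "index": index}

def decode_event(xml_text):
    """Decode TpmCommandOrdinal / TpmResponseCode from a TPM provider event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    cc = int(data["TpmCommandOrdinal"], 0)
    rc = decode_rc(int(data["TpmResponseCode"], 0))
    param = None
    if cc == 0x156 and rc["subject"] == "parameter" and 1 <= rc["index"] <= 5:
        param = IMPORT_PARAMS[rc["index"] - 1]
    return {"command": COMMANDS.get(cc, hex(cc)), "rc": rc, "parameter": param}

if __name__ == "__main__":
    print(decode_event(SAMPLE_EVENT))
```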