Trusted Platform Modules constitute an integral building block of modern security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are subject to ever-increasing academic scrutiny. While discrete TPMs - as found in higher-end systems - have been susceptible to attacks on their exposed communication interface, the more common firmware TPMs (fTPMs) are immune to this attack vector, as they do not communicate with the CPU via an exposed bus. In this paper, we analyze a new class of attacks against fTPMs: attacking their Trusted Execution Environment can lead to a full TPM state compromise. We experimentally verify this attack by compromising the AMD Secure Processor, which constitutes the TEE for AMD's fTPMs. In contrast to previous dTPM sniffing attacks, this vulnerability exposes the complete internal TPM state of the fTPM. It allows us to extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms such as Platform Configuration Register validation or passphrases with anti-hammering protection. First, we demonstrate the impact of our findings by - to the best of our knowledge - enabling the first attack against Full Disk Encryption (FDE) solutions backed by an fTPM. Furthermore, we lay out how any application relying solely on the security properties of the TPM - like BitLocker's TPM-only protector - can be defeated by an attacker with 2-3 hours of physical access to the target device. Lastly, we analyze the impact of our attack on FDE solutions protected by a TPM and PIN strategy. While a naive implementation also leaves the disk completely unprotected, we find that BitLocker's FDE implementation retains some protection depending on the complexity of the PIN used. Our results show that when an fTPM's internal state is compromised, a TPM and PIN strategy for FDE is less secure than TPM-less protection with a reasonable passphrase.