Logically, the controversy came to the fore, and with good reason. When Intel Trusted Execution Technology, or TXT for short, came out, the company said that it was a step forward in terms of security. That was and is true, but this technology also gave rise to what we know as Intel PTT, or Platform Trust Technology.
This technology is the cause of the controversy since, as we already mentioned and as we learned from Intel Trusted Execution Technology (TXT), it is not a requirement for TPM, but Intel TXT is a function that TPM uses. So if Intel processors lack TXT, how can they be on Microsoft’s list for Windows 11 as compatible?
Intel TXT, PTT and TPM 2.0 Controversy for Windows 11
We are not going to go into what each technology is and does, since we have already covered them in their corresponding articles. Roughly, and quoting Intel directly, the company briefly defines it as follows:
Intel Trusted Execution Technology is a set of hardware extensions for Processors and Chipsets that enhance the platform with security capabilities such as Measured Launched Environment (MLE) and protected execution. It provides hardware-based mechanisms that help protect the computer against software-based attacks and maintain the confidentiality and integrity of data stored or created on the user’s or company’s PC.
It also provides these mechanisms by enabling an environment in which applications can run within their own space, protected from any other software on the system. These capabilities provide the protection mechanisms, embedded in the hardware, that are necessary to give confidence in the application execution environment. At the same time, these mechanisms can protect vital data and processes from being compromised by malicious software running on the PC.
As a result, Intel developed a method of encrypting information through firmware called Intel PTT, which is the subject of all the controversy. At first, Intel PTT was included within Intel TXT, so if you did not have the latter, it was not possible to have the former.
Intel PTT, why is it so sought after and coveted for Windows 11?
The problem lies in something very simple: Microsoft requires TPM 2.0 to install Windows 11, regardless of whether the rest of your hardware meets the requirements. That is, if your PC falls within what Microsoft asks for but does not have TPM 2.0, you will not be able to install Windows 11.
TPM 2.0 is an encryption technology on which Intel PTT is based, with the exception that TPM 2.0 requires a physical chip installed or soldered on the motherboard of the laptop or desktop PC, while Intel PTT achieves the same function through software and firmware that the company can upgrade.
Therefore, if our laptop or PC does not have a TPM 2.0 chip and it also does not have Intel TXT, the technical documents said that it was not possible to get Intel PTT and therefore no Windows 11 installation is possible. But we have heard directly from the blue giant about a change that we had not seen in any DataSheet and that changes everything.
As Intel told us, and as we see reflected in a 2021 technical document on TXT, on 2017 and subsequent platforms there have been changes in the MLE due to the convergence of the new Boot Guard and TXT itself, so now Intel PTT although it depends on CPU boards and supports MEI with motherboard PCH via TPG.
This does not mean that if we change the CPU of the computer we will keep the same encryption that we had. On the contrary, the new CPU will re-encrypt the data. In short, and simplifying: since 2017, after the release of the eighth generation of CPUs, Intel has treated TXT and PTT as two independent and complementary technologies, which was not the case when PTT was introduced with Haswell.
Therefore, this change affected the Core processors from the eighth generation onwards (an important detail: Celerons from the 4000 series and Pentiums from the 5000 series are also supported), and the earlier ones are not validated as such. The problem is that Intel did not specify this change, and the option only appeared in the BIOS (at the discretion of the manufacturer and the board model), as a general rule within the PCH-FW section.
Why is this not specified in any whitepaper?
For security. In fact, it is really difficult (if not impossible) to find information in the Intel datasheets. Not even in the latest 2021 version of the Trusted Execution Technology document can we find anything explanatory beyond a flag inside TXT.SCRATCHPAD – ACM_POLICY_STATUS, where Intel only names it in passing as one of the options for the type of TPM detected by the ACM. In it, option zero is no TPM, option one is dTPM 1.2, option two is dTPM 2.0 and option three is Intel PTT.
The level of security is such that, apart from the company's official statement, there is no way to know exactly how it works, for obvious reasons:
Intel Platform Trust Technology (Intel PTT): Intel Platform Trust Technology (Intel PTT) offers the capabilities of dTPM 2.0. Intel PTT is a platform functionality for credential storage and key management currently used by Windows 8 and Windows 10. Intel PTT supports BitLocker for hard drive encryption and supports all Microsoft requirements for firmware Trusted Platform Module (fTPM) 2.0.
And that’s it. Do not expect to find anything more than what is described in this article, since there is no more information, and we have combed through 12 datasheets, the last of them no less than 181 pages long. This is why the information described here is so enlightening, and why Microsoft’s CPU list is valid. This list was also expanded at the time, since not even Microsoft had this information until Intel provided it.
Recall that in its first version, eighth-generation Core processors and many others did not appear. Finally, to clarify once more: if our processor appears in this list, a TPM 2.0 chip is not necessary, except in the case that Intel PTT is not activated or cannot be activated in BIOS / UEFI. That is quite unusual, but some cases have been seen, such as options that are hidden or simply do not exist, with no possibility of activation.
In these cases, many users are editing the BIOS to try to enable Intel PTT, since their processors support it and the option is simply not shown because the manufacturer did not want it. It is a method that requires knowledge and patience, risky to a great extent, but if we can do it, it can save us from buying a new computer. In any case and logically, we are not responsible for any damages that may occur if these practices are used.
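Before touching the firmware, it is worth checking what Windows already sees. The following is an added example, not code from Intel or Microsoft documentation quoted in this article: it reads the standard Win32_Tpm WMI class from an elevated PowerShell and reports whether a TPM 2.0 is exposed and whether it looks like Intel PTT. The function name Get-TpmVerdict is hypothetical, and treating the vendor ID "INTC" as Intel PTT is an assumption of this example.

```powershell
function Get-TpmVerdict {
    param(
        # Object carrying SpecVersion, ManufacturerIdTxt and IsEnabled_InitialValue
        # (the Win32_Tpm properties), or $null when Windows exposes no TPM at all.
        $Tpm
    )

    if ($null -eq $Tpm) {
        return 'No TPM exposed: check whether Intel PTT is offered and enabled in BIOS/UEFI'
    }

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $family = ($Tpm.SpecVersion -split ',')[0].Trim()
    $vendor = "$($Tpm.ManufacturerIdTxt)".Trim()

    # Assumption of this example: vendor ID "INTC" (Intel) is reported as Intel PTT,
    # since PTT is Intel's firmware TPM. Any other vendor ID is reported as-is.
    if ($vendor -eq 'INTC') {
        $kind = 'Intel PTT (firmware TPM)'
    } else {
        $kind = "TPM from vendor '$vendor'"
    }

    if ($family -ne '2.0') {
        return ('{0}, spec family {1}: below the TPM 2.0 requirement' -f $kind, $family)
    }
    if (-not $Tpm.IsEnabled_InitialValue) {
        return ('{0}, TPM 2.0 present but not enabled: enable it in BIOS/UEFI' -f $kind)
    }
    return ('{0}, TPM 2.0 enabled: the Windows 11 TPM requirement is met' -f $kind)
}

# Live check (requires an elevated prompt; returns nothing if no TPM is exposed).
$live = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
Get-TpmVerdict -Tpm $live

# Constructed samples (not real machine output) showing the other branches.
$samples = @(
    [pscustomobject]@{ SpecVersion = '2.0, 0, 1.38'; ManufacturerIdTxt = 'INTC'; IsEnabled_InitialValue = $true },
    [pscustomobject]@{ SpecVersion = '2.0, 0, 1.38'; ManufacturerIdTxt = 'INTC'; IsEnabled_InitialValue = $false },
    [pscustomobject]@{ SpecVersion = '1.2, 2, 3';    ManufacturerIdTxt = 'XXXX'; IsEnabled_InitialValue = $true }
)
$samples | ForEach-Object { Get-TpmVerdict -Tpm $_ }
```

If the live check reports no TPM on a processor that appears in Microsoft's list, that matches the case described above where Intel PTT is disabled or not exposed by the board firmware.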