Trusted Platform Module (Tpm)

What is TPM (Trusted Platform Module)?

TPM or Trusted Platform Module refers to the universal design standard for a secure crypto processor.

These are special types of microprocessors that are used for securing the hardware of the computer with the help of a cryptographic key created and integrated into it.

In technical terms, a TPM signifies the security chip embedded into a desktop or laptop computer. It is actually a lockbox for keys and performs as an encryption device responsible for boosting the overall security of the system.

Understanding TPM (Trusted Platform Module)

What is TPM

Trusted Platform Module is a specific type of technology that protects the computer.

TPM is embedded into the systems and can store different artefacts for authenticating the platform. These artefacts can protect anything, such as:

TPM is a concept of a computer industry consortium known as the Trusted Computing Group or TCG.

The main specification of TPM, version 1.2, was standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889:2009. It was then revised and finalized on March 3, 2011.

However, TCG continued upgrading it, and on April 9, 2014, came up with the major upgrade, the TPM Library Specification 2.0. Further errata, new commands and algorithmic additions were incorporated by the group in it, and in November 2019 the 2.0 version became ISO/IEC 11889:2015.

The group divides every new release into multiple parts consisting of a document comprising the new TPM specifications. These parts have different names and contents as follows:

The TPM usually provides the following:

All these help in performing trusted computing functions by the computer programs more securely with the help of the secret and unique Endorsement Key (EK) burned in as it is created.

Since it is embedded in hardware, it offers greater security than the protection offered by any software-only solution.

Vendors:

The TPM chips certified by the TCG are manufactured by different vendors who have been given TPM vendor IDs. Some of these vendors, in alphabetical order, are:

However, the official TCG reference execution of the TPM 2.0 specification was developed by Microsoft and licensed under the BSD License.

Its source code is available on GitHub. Microsoft also provides Linux autotools and a Visual Studio solution to build scripts.

Intel open-sourced the Trusted Platform Module 2.0 software stack in 2018 with support for Microsoft Windows and Linux.

Infineon, on the other hand, funded the development of the open source middleware of TPM, which brings together the TPM Software Stack (TSS) and the Enhanced System API (ESAPI) requirements of the TCG.

Read Also:  What is Cascade Lake Processor? (Explained)

It was promoted by the Fraunhofer Institute for Secure Information Technology (SIT).

The Software TPM 2.0 of IBM is however based on the Parts 3 and 4 of TPM specification as well as the source code of Microsoft.

The implementation is complete with a few additional files included. It is also licensed under the BSD License and the source code is available on GitHub and SourceForge.

Types:

There are typically five different types of Trusted Platform Module 2.0, and they are categorized based on the way they are implemented.

Here they are listed for you in order from the most secure ones to the least secure ones:

TPM 2.0:

The TPM 2.0 comes with similar features and addresses several similar use cases as the TPM 1.2, but the details are different in the following aspects:

Its authorization policy is significantly different from that of TPM 1.2 and includes the following:

In addition to that, authorization is granted on the basis of several other parameters or authorization primitives, such as:

TPM 2.0 allows constructing complex authorization policies by doing AND and OR on these authorization primitives.

Most importantly, TPM 2.0 is not backward compatible with TPM 1.2.

What Does the TPM Do?

The main job of the TPM is to provide protection against malware and other advanced cyberattacks at the hardware level.

It does a lot of things in order to ensure that your system is free from any vulnerabilities or external attacks. Some of the things that the TPM does include, but are not limited to, are:

Most importantly, the TPM ensures that the operating system is secure. This aspect is facilitated further due to the location of the TPM chip on the motherboard.

Since Windows is in control of the TPM when the system is booting, it helps in two ways, such as:

Therefore, TPM is very useful, especially in conjunction with other additional security technologies, such as:

The chip does not need any off-site authentication further or to correspond with any server to ensure that the system you are accessing is owned by you and that you are who you say you are.

What Happens if You Clear TPM?

If you clear the TPM, you will lose all those security and encryption keys, such as the sign-in PIN, smart card or others, that are created and related to it, along with the data protected by them.

It will also make your system vulnerable to cyberattacks. Most importantly, your system will not be able to meet the new TPM 2.0 requirements of Microsoft for the Windows 11 operating system.

Read Also:  What is 8th Generation Processor? Pros, Cons & More

Therefore, sticking with and upgrading to TPM 2.0 is very important to get deep, hardware-based security and other benefits such as:

Does Windows 10 Use TPM?

Yes, it does use TPM, and just like Windows 7, 8 or 11, the operating system also initializes and takes ownership of it automatically.

The security features of Windows are combined by Microsoft with the benefits offered by TPM to offer more practical security.

This combination offers specific security benefits to the system, such as:

Windows 10 typically supports TPM extensively helping mainly the laptops and desktop computers used in large organizations and meant to meet stringent IT security requirements.

It has, in fact, replaced the cumbersome smart cards that need to be inserted into a slot or tapped against a built-in wireless reader to verify that the system is not tampered with.

The efficiency of the TPM in protecting Windows PCs is very high.

It is not surprising that since July 2006 Microsoft actually requires TPM 2.0 support on all new systems that run on Windows 10 for desktop computers including the Home, Pro, Education, and Enterprise versions.

Similarly, Windows 11 operating system will also run only on computer systems that have TPM capabilities.

Do All Laptops Have TPM?

Yes, the laptop computers and even the desktop computers sold after 2006 usually come with a TPM chip soldered or attached permanently to the motherboard.

This chip is usually connected via the Serial Peripheral Interface (SPI) bus or the Low Pin Count (LPC) bus.

Ideally, TPMs initially used to come as standalone chips and were used mainly in the corporate computers since they required more security.

Customers then had to pay a premium to use this add-on feature. However, things changed in 2006 and thereafter.

However, if you do not see TPM in the security processor section, it may be disabled.

You can check it out on your Windows 10 system by following these steps:

Check the details there for the actual TPM version. It should be either 1.2 or 2.0.

You can also check it in Device Manager by typing “tpm.msc.” If it is disabled, all you have to do now is enable it.

How to Enable TPM in Windows 10?

It is quite easy to enable TPM in Windows 10, as it is with enabling Secure Boot, provided you know what to look for.

First, you will have to upgrade the motherboard and, if applicable, the UEFI BIOS firmware. Then you will have to make the changes in the UEFI in the Windows Settings.

The TPM firmware may be in place but it may not allow immediate access to it if the motherboard does not have BIOS support switched on by default.

In that case, you will have to update the Basic Input Output System (BIOS) or the Unified Extensible Firmware Interface (UEFI).

Therefore, before you begin and make any changes, make sure that you check with the owner’s manual of the motherboard provided by the manufacturer.

Be careful of the navigation as well as the language and terms because they may differ from one system to another.

Read Also:  What is Digital Signal Processor (DSP)? (Explained)

Here are a few important points to keep in mind before starting:

Now, to enable TPM through Windows 10, follow these steps:

When the system reboots directly to the UEFI BIOS, change the TPM settings.

You can also change the TPM settings when you turn on your computer for the first time.

For this, you will need to press the BIOS key command on startup and when you are in the UEFI BIOS, simply change the TPM settings.

Remember, the UEFI key command may vary from one motherboard to another, but usually it is F1, F2, F12, Esc, or Delete.

However, it is best to refer to the user manual of the motherboard to be sure and to get more details.

Is TPM in CPU or Motherboard?

Typically, TPM is a separate chip found on the motherboard, though there are a few manufacturers, such as AMD or Intel, who build the TPM 2.0 capability into the chipsets and not as a separate chip.

Most motherboards today come with firmware TPM built-in though there are a few off-the-shelf motherboards lacking the hardware TPM.

The TPM chip on the motherboard acts as a dedicated processor and stores the cryptographic key Rivest-Shamir-Adleman or RSA to authenticate hardware.

This form is much better than a dedicated crypto-processor because it can use the firmware stored somewhere else on the board for authentication and borrow the horsepower of the CPU to perform the cryptographic functions.

Ideally, there is a TPM header in many desktop motherboards that may be empty. This will allow you to add a discrete TPM on the board.

However, the newer CPUs from AMD and Intel may also have firmware-based TPM integrated into them. This actually makes TPM capability far more available to the users.

Will You Lose Data If You Enable TPM?

No, absolutely not. This is because TPM is just a mere secure enclave that offers security facilities but does nothing like encrypt the disk or prevent the system from booting.

Ideally, it is the place where the operating system programs like Bitlocker store the keys.

And, the TPM cannot do anything if the programs or operating system do not work with it.

Therefore, enabling the TPM will not affect data or make your files inaccessible.

Questions & Answers:

Can You Run Windows 11 without TPM?

Yes, you can run Windows 11 if only it is a clean install and does not allow bypassing its need for at least a dual-core processor.

You can do so by making some changes in the registry during the installation, especially to the RAM requirement.

It will work fine without it once it is upgraded, even without the supposed 8th generation requirement.

How to Update TPM?

It is quite easy to update TPM on a new computer system because it will already come with a TPM installed and running in it.

You will simply have to go to the System Settings, click on Security, choose Trusted Platform Module and update it.

Reboot the system after completing upgrading to so that changes take effect.

Can TPM be Hacked?

Usually, no, but in case of physical access to computers, the systems may be vulnerable to cold boot attacks even with the Trusted Platform Module activated, especially if it can be booted without needing a password from hibernation or shutdown.

Conclusion

Trusted platform Module ensures that the operating system is secure.

It helps the computer compare the notes based on the stored information in the locked-down TPM.

If everything matches, the bootup process starts as normal, otherwise, a red flag is raised if anything is amiss.