In This Article
What is TPM (Trusted Platform Module)?
TPM or Trusted Platform Module refers to the universal design standard for a secure crypto processor.
These are special types of microprocessors that are used for securing the hardware of the computer with the help of a cryptographic key created and integrated into it.
In technical terms, a TPM signifies the security chip embedded into a desktop or laptop computer. It is actually a lockbox for keys and performs as an encryption device responsible for boosting the overall security of the system.
- The specification of TPM is created, managed and updated by the TCG or Trusted Computing Group and has been considered an ISO/IEC 11889 standard since 2009.
- Trusted Platform Module refers to a dedicated processor responsible for hardware-level encryption to allow using biometrics for encrypting data and logging in to Windows on the device.
- The TPM improves the security of the computer system and is used by BitLocker and Windows Hello to create and hold cryptographic keys securely and confirm that the firmware and operating system are not tampered with.
- Usually, it is a separate chip on the motherboard but the newer TPM 2.0 version allows Intel, AMD and other manufacturers to induce this TPM capability into the chipsets without needing a separate chip.
- There are five types of TPM 2.0 such as discrete, physical-based, firmware-based, software-based, and virtual TPMs.
Understanding TPM (Trusted Platform Module)
Trusted Platform Module is a specific type of technology that protects the computer.
TPM is embedded into the systems and can store different artefacts for authenticating the platform. These artefacts can protect anything, such as:
- Any important information of the users
TPM is a concept of a computer industry consortium known as the Trusted Computing Group or TCG.
The main specification of TPM, version 1.2, was standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889:2009. It was then revised and finalized on March 3, 2011.
However, TCG continued upgrading it, and on April 9, 2014, came up with the major upgrade, the TPM Library Specification 2.0. Further errata, new commands and algorithmic additions were incorporated by the group in it, and in November 2019 the 2.0 version became ISO/IEC 11889:2015.
The group divides every new release into multiple parts consisting of a document comprising the new TPM specifications. These parts have different names and contents as follows:
- Part 1 – The Architecture, formerly called the Design Principles
- Part 2 – The Structures of the TPM
- Part 3 – The Commands
- Part 4 – The Supporting Routines
The TPM usually provides the following:
- A generator for hardware random numbers
- Amenities to generate secure cryptographic keys for restricted uses
- Remote attestation with a nearly tamper-proof hash key summary of the software and hardware configuration
- Binding with the TPM bind key or the unique RSA key which encrypts data
- Sealing which states the TPM state of the data to be unsealed or decrypted.
All these help in performing trusted computing functions by the computer programs more securely with the help of the secret and unique Endorsement Key (EK) burned in as it is created.
Since it is embedded in hardware, it offers greater security than the protection offered by any software-only solution.
The TPM chips certified by the TCG are manufactured by different vendors who have been given TPM vendor IDs. Some of these vendors, in alphabetical order, are:
- Advanced Micro Devices or AMD
- IBM or International Business Machines
- National Semiconductor
- Nationz Technologies
- Standard Microsystems Corporation
- Texas Instruments
However, the official TCG reference execution of the TPM 2.0 specification was developed by Microsoft and licensed under the BSD License.
Its source code is available on GitHub. Microsoft also provides Linux autotools and a Visual Studio solution to build scripts.
Intel open-sourced the Trusted Platform Module 2.0 software stack in 2018 with support for Microsoft Windows and Linux.
Infineon, on the other hand, funded the development of the open source middleware of TPM, which brings together the TPM Software Stack (TSS) and the Enhanced System API (ESAPI) requirements of the TCG.
It was promoted by the Fraunhofer Institute for Secure Information Technology (SIT).
The Software TPM 2.0 of IBM is however based on the Parts 3 and 4 of TPM specification as well as the source code of Microsoft.
The implementation is complete with a few additional files included. It is also licensed under the BSD License and the source code is available on GitHub and SourceForge.
There are typically five different types of Trusted Platform Module 2.0, and they are categorized based on the way they are implemented.
Here they are listed for you in order from the most secure ones to the least secure ones:
- Discrete TPMs – These are dedicated and specific TPM chips and are perhaps the most secure type because it is less likely that they will have bugs in them. They are also tamper-resistant.
- Physical-based TPMs – These chips are typically integrated into the Central Processing Unit (CPU). They also come with better security mechanisms and tamper-resistant features.
- Firmware-based TPMs – This particular type of chip runs in the trusted execution environment of the CPU. These chips are considered to be as safe as the physical modules.
- Software-based TPMs – These particular chips do not offer any added security. They also run the risk of being attacked externally or containing bugs.
- Virtual TPMs – These TPM chips are offered by a hypervisor and are capable of retrieving security codes independently from a virtual machine.
The TPM 2.0 comes with similar features and addresses several similar use cases as the TPM 1.2, but the details are different in the following aspects:
- Crypto primitives
- Root keys
- Authorization process
Its authorization policy is significantly different from that of TPM 1.2 and includes the following:
- Physical presence
- HMAC or Hash Message Authentication Code
- PCR or Polymerase Chain Reaction
In addition to that, authorization is granted on the basis of several other parameters or authorization primitives, such as:
- Non Volatile Random Access Memory (NVRAM) values
- Asymmetric digital signature
- Indirection to a different authorization secret
- Counters to time limits
- Physical presence
- Specific command or command parameters
TPM 2.0 allows constructing complex authorization policies by doing AND and OR on these authorization primitives.
Most importantly, TPM 2.0 is not backward compatible with TPM 1.2.
What Does the TPM Do?
The main job of the TPM is to provide protection against malware and other advanced cyberattacks at the hardware level.
It does a lot of things in order to ensure that your system is free from any vulnerabilities or external attacks. Some of the things that the TPM does include, but are not limited to, are:
- DRM or Digital Rights Management
- Protection through Windows Defender
- Windows domain logon protection
- Enforcement and protection of software licenses
- Prevention of cheating in online games
- Storing critical and essential user information securely using cryptographic keys
- Enabling platform authentication
- Protection against ransomware and firmware attacks
- Holding secret keys to decrypt data and the encryption key for BitLocker
Most importantly, the TPM ensures that the operating system is secure. This aspect is facilitated further due to the location of the TPM chip on the motherboard.
Since Windows is in control of the TPM when the system is booting, it helps in two ways, such as:
- It verifies the reliability of Windows before the operating system loads to prevent loading one with malicious code.
- It helps the antivirus software to run on the operating system to deal with the malware.
- It prevents the rootkits from infecting the bootloader of the operating system or its kernel.
Therefore, TPM is very useful, especially in conjunction with other additional security technologies, such as:
- Antivirus software
- Biometric verification
- Smart cards
The chip does not need any off-site authentication further or to correspond with any server to ensure that the system you are accessing is owned by you and that you are who you say you are.
What Happens if You Clear TPM?
If you clear the TPM, you will lose all those security and encryption keys, such as the sign-in PIN, smart card or others, that are created and related to it, along with the data protected by them.
It will also make your system vulnerable to cyberattacks. Most importantly, your system will not be able to meet the new TPM 2.0 requirements of Microsoft for the Windows 11 operating system.
Therefore, sticking with and upgrading to TPM 2.0 is very important to get deep, hardware-based security and other benefits such as:
- Ensuring integrity of the platform with metrics capable of detecting changes made to previous configurations
- Generating, storing, and limiting the use of cryptographic keys
- Providing platform device authentication with the RSA key
- Mitigating ransomware, dictionary, firmware, and phishing attacks
- Protecting digital media rights with DRM technology
- Ensuring proper protection of software licenses
Does Windows 10 Use TPM?
Yes, it does use TPM, and just like Windows 7, 8 or 11, the operating system also initializes and takes ownership of it automatically.
The security features of Windows are combined by Microsoft with the benefits offered by TPM to offer more practical security.
This combination offers specific security benefits to the system, such as:
- Access control through biometric integrity using Windows Hello that supports fingerprint, face or iris scanners and facial recognition technology that supports EK of TPM
- Protection against dictionary brute-force attacks that can break into a computer network protected by a password by entering each word systematically in the dictionary as a password
- Encrypting logical volumes with BitLocker Drive Encryption to protect from cold boot attacks by using two-factor authentication
- Providing confirmation and entry to external resources through virtual smart cards
- Detecting malware through measured boot during boot sequences to ensure the proper starting state of Windows and its configuration settings
- Evaluating device health using proper health attestation with AIK or Attestation Identity Key certificates and by resolving measured boot data
- Protecting credentials by isolating them using credential guard based on virtualization security.
It has, in fact, replaced the cumbersome smart cards that need to be inserted into a slot or tapped against a built-in wireless reader to verify that the system is not tampered with.
The efficiency of the TPM in protecting Windows PCs is very high.
It is not surprising that since July 2006 Microsoft actually requires TPM 2.0 support on all new systems that run on Windows 10 for desktop computers including the Home, Pro, Education, and Enterprise versions.
Similarly, Windows 11 operating system will also run only on computer systems that have TPM capabilities.
Do All Laptops Have TPM?
Yes, the laptop computers and even the desktop computers sold after 2006 usually come with a TPM chip soldered or attached permanently to the motherboard.
This chip is usually connected via the Serial Peripheral Interface (SPI) bus or the Low Pin Count (LPC) bus.
Ideally, TPMs initially used to come as standalone chips and were used mainly in the corporate computers since they required more security.
Customers then had to pay a premium to use this add-on feature. However, things changed in 2006 and thereafter.
However, if you do not see TPM in the security processor section, it may be disabled.
You can check it out on your Windows 10 system by following these steps:
- Go to Start
- Click on Settings
- Choose Update and Security
- Select Windows Security
- Click on Device Security
- Select Security processor
Check the details there for the actual TPM version. It should be either 1.2 or 2.0.
You can also check it in Device Manager by typing “tpm.msc.” If it is disabled, all you have to do now is enable it.
How to Enable TPM in Windows 10?
It is quite easy to enable TPM in Windows 10, as it is with enabling Secure Boot, provided you know what to look for.
The TPM firmware may be in place but it may not allow immediate access to it if the motherboard does not have BIOS support switched on by default.
Therefore, before you begin and make any changes, make sure that you check with the owner’s manual of the motherboard provided by the manufacturer.
Be careful of the navigation as well as the language and terms because they may differ from one system to another.
Here are a few important points to keep in mind before starting:
- Follow the installation and update instructions of the firmware and drivers of the motherboard manufacturer to the last word to prevent disabling your computer system completely.
- Download BIOS or motherboard firmware and drivers only from the official website of the manufacturer directly to prevent installing bloatware and malware and to avoid system issues.
- Perform all operations within the UEFI and make sure you know what you are doing. Otherwise, take help from a professional. Remember, any wrong setting may affect the stability of your system.
Now, to enable TPM through Windows 10, follow these steps:
- Press and hold the Windows and X keys
- Select Settings on the Quick Link menu
- Type Advanced
- Click on Change advanced startup options
- Select Restart Now
- Select Choose an option window
- Select Troubleshoot
- Click on Advanced options
- Select UEFI Firmware Settings
When the system reboots directly to the UEFI BIOS, change the TPM settings.
You can also change the TPM settings when you turn on your computer for the first time.
For this, you will need to press the BIOS key command on startup and when you are in the UEFI BIOS, simply change the TPM settings.
Remember, the UEFI key command may vary from one motherboard to another, but usually it is F1, F2, F12, Esc, or Delete.
However, it is best to refer to the user manual of the motherboard to be sure and to get more details.
Is TPM in CPU or Motherboard?
Typically, TPM is a separate chip found on the motherboard, though there are a few manufacturers, such as AMD or Intel, who build the TPM 2.0 capability into the chipsets and not as a separate chip.
Most motherboards today come with firmware TPM built-in though there are a few off-the-shelf motherboards lacking the hardware TPM.
The TPM chip on the motherboard acts as a dedicated processor and stores the cryptographic key Rivest-Shamir-Adleman or RSA to authenticate hardware.
This form is much better than a dedicated crypto-processor because it can use the firmware stored somewhere else on the board for authentication and borrow the horsepower of the CPU to perform the cryptographic functions.
Ideally, there is a TPM header in many desktop motherboards that may be empty. This will allow you to add a discrete TPM on the board.
However, the newer CPUs from AMD and Intel may also have firmware-based TPM integrated into them. This actually makes TPM capability far more available to the users.
Will You Lose Data If You Enable TPM?
No, absolutely not. This is because TPM is just a mere secure enclave that offers security facilities but does nothing like encrypt the disk or prevent the system from booting.
Ideally, it is the place where the operating system programs like Bitlocker store the keys.
And, the TPM cannot do anything if the programs or operating system do not work with it.
Therefore, enabling the TPM will not affect data or make your files inaccessible.
Questions & Answers:
Can You Run Windows 11 without TPM?
Yes, you can run Windows 11 if only it is a clean install and does not allow bypassing its need for at least a dual-core processor.
You can do so by making some changes in the registry during the installation, especially to the RAM requirement.
It will work fine without it once it is upgraded, even without the supposed 8th generation requirement.
How to Update TPM?
It is quite easy to update TPM on a new computer system because it will already come with a TPM installed and running in it.
You will simply have to go to the System Settings, click on Security, choose Trusted Platform Module and update it.
Reboot the system after completing upgrading to so that changes take effect.
Can TPM be Hacked?
Usually, no, but in case of physical access to computers, the systems may be vulnerable to cold boot attacks even with the Trusted Platform Module activated, especially if it can be booted without needing a password from hibernation or shutdown.
Trusted platform Module ensures that the operating system is secure.
It helps the computer compare the notes based on the stored information in the locked-down TPM.
If everything matches, the bootup process starts as normal, otherwise, a red flag is raised if anything is amiss.