Trusted Platform Module 2.0 in Windows 11

TPM 2.0 hardware security modules are required for computers with the Windows 11 logo. Such modules have been installed for years, but they are available in different versions, the module is not activated on every computer and sometimes it is TPM 1.2. We provide answers to the most frequently asked questions about Trusted Platform Modules.

A Trusted Platform Module (TPM) offers functions similar to a SmartCard, but is built into a computer, i.e. connected to the platform. The TPM serves as a separate root of trust independent of the main processor (CPU), main memory (RAM), mass storage device and operating system. To do this, it saves a secret value that never leaves the TPM, but serves as the root of a cryptographic certificate chain. The TPM can sign and check other digital certificates and generate secure keys. Finally, a TPM provides protected storage space, so-called Platform Configuration Registers (PCRs). The computer can store hashes in it, for example to detect tampering with the firmware.

A Trusted Platform Module (TPM) – here the TPM 2.0 chip SLB9665TT20 from Infineon – works as a hardware trust anchor in the computer independent of the CPU, RAM and operating system.

What is the difference between TPM 2.0 and fTPM 2.0?

Windows 11 can use both a TPM 2.0 and an fTPM 2.0. A TPM 2.0 is a separate (discrete) chip that is also soldered onto the mainboard or sits on a plug-in module. Infineon (IFX), STMicroelectronics (STM) and Nuvoton supply certified TPM 2.0 chips. The “f” in fTPM, on the other hand, stands for “Firmware” (Firmware-TPM); an fTPM is not a separate chip, but an integrated function block in a processor, system-on-chip (SoC) or mainboard chipset. Because the fTPM firmware runs on an embedded but separate microcontroller core, an fTPM also works independently of the CPU, RAM and mass storage device.

So far there have only been fTPMs according to the TPM 2.0 specification (fTPM 2.0), i.e. with the same range of functions as discrete TPM 2.0 chips. The latter are available in versions that meet stricter security standards, for example Common Criteria Elevated Assurance Level 4+ (CC EAL4 +).

More from c't magazine

More from c't magazine

More from c't magazine

More from c't magazine

How do I know if my system has a TPM 2.0?

If the TPM is active, Windows 10 lists it in the Device Manager under “Security Devices” and shows whether it is a TPM 1.2 or TPM 2.0 – but not whether it is an fTPM or a separate chip. The information under “Device security”, where a TPM appears as a “security chip”, is easier to decipher. Information on the “manufacturer” can be found under “Details on the security chip”. If it says “Intel”, “AMD” or “Qualcomm”, it is an fTPM; Otherwise it is a discrete chip – with one exception: In virtual machines (VMs) under Hyper-V, an emulated TPM (Virtual TPM, vTPM) can be switched on, which reports itself as a Microsoft product (manufacturer MSFT).

Under Windows 10, a TPM appears in the control panel under “Device security” as a “security chip”. Windows also shows “details” there, such as the manufacturer (here Infineon) and the “specification version” (2.0 for TPM 2.0). Unfortunately, crooked translations are annoying; “Proof” means “TPM Key Attestation”.

What is the difference between TPM 2.0 and TPM 1.2?

With TPM 1.2, only the outdated and cracked SHA-1 procedure was mandatory as the secure hash algorithm (SHA) and AES encryption was not mandatory. A TPM 2.0 must be able to handle SHA-256 and at least AES-128. In addition, the TPM 2.0 specification is more precise.

How do I activate the TPM in the BIOS setup?

If a TPM is soldered on or integrated into the hardware as an fTPM, but not visible under Windows, it may be possible to activate it using an option in the BIOS setup – but only if the respective mainboard manufacturer has provided for it. The necessary options can often be found in menus with names such as “Security”, “Security Chip” or “Platform Security”.

If a TPM is available, it may be possible to turn it on in the computer’s BIOS setup.

Since when do PCs, notebooks and tablets usually have a TPM 2.0?

The TPM 2.0 specification appeared in 2012, and Infineon announced the first compatible chips in 2013. Since then they have mainly been used in office computers with “vPro” hardware from Intel, later also in those with AMD Ryzen Pro, as well as in notebooks from the business series from HP (Elite), Dell (Latitude / Precision), Lenovo ( ThinkPad), Fujitsu (Lifebook) and Toshiba / Dynabook.

AMD has been installing the so-called Platform Security Processor (PSP, later “Secure Processor”) based on an ARM Cortex-A5 in all processors since 2014, starting with Beema / Mullins and Carrizo. At Intel, the fTPM has been running in the so-called Converged Security and Management Engine (CSME, formerly ME) of chipsets since the 100 series (Z170, Q170, H170, B150) for Core i-6000 (Skylake) from 2015. Also in ” Atom-Celerons “from 2014 (Bay Trail, Celeron N2000) are fTPMs, there in the Trusted Execution Engine (TXE). These fTPMs cannot always be actually used, but only if the necessary firmware is also on board and the BIOS switches them on. Some systems in turn have two TPMs, namely a TPM chip in addition to the fTPM.

Some computers with a discrete TPM 2.0 chip also have an fTPM, in this case one from AMD, which is installed in the Platform Security Processor (PSP).

Can I retrofit a TPM in my PC?

Some mainboards have header connectors (TPM headers) to retrofit a small breadboard with a TPM chip. However, the BIOS must be prepared for this and there are different designs and interfaces such as low pin count (LPC) interface, serial peripheral interconnect (SPI) or I2C. So you need a TPM card that matches the respective board.

What does Windows use the TPM for and what do I get from it?

The best-known use of a TPM under Windows is the hard disk or SSD encryption BitLocker, which is only available in the Pro and Enterprise versions of Windows. The key for the encryption can (but does not have to) be bound to the TPM (key sealing) in order to protect stored data if the storage medium has been separated from the system. Similar to BitLocker, the drive encryption “Automatic Device Encryption”, which the PCR 7 uses, works with tablets and 2-in-1 hybrids with “Modern Standby”.

A TPM can also be integrated into biometric authentication with Windows Hello for Business. In addition, since 2019 Microsoft, in cooperation with Dell, HP and Lenovo, has presented notebooks whose firmware should be better protected against manipulation (such as BIOS rootkits). These “Secured-Core PCs” use the TPM as the Dynamic Root of Trust for Measurement (DRTM). A TPM can also be used for the protection function virtualization-based security (VBS) and for cryptographic verification of the system status for access to cloud applications (Microsoft Azure Attestation).

What does a TPM have to do with the cryptographically secured start mode “UEFI Secure Boot”?

Nothing: UEFI Secure Boot alias “safe boot state” also works without TPM. Special bootloaders, which are used in some security software packages, for example, can integrate a TPM after booting in order to detect manipulation of the UEFI BIOS, see “DRTM” above.

Are there any TPM vulnerabilities?

In 2017, the “ROCA” vulnerability in the algorithm for generating RSA keys was discovered in Infineon’s TPM 1.2 chips. It was closed by firmware updates. In 2019, the “TPM-Fail” vulnerability in TPM 2.0 chips from STMicroelectronics and in fTPM implementations from Intel came to light; these were also closed with patches. TPM-Fail only affected the Elliptic Curve Digital Signature Algorithm (ECDSA).

Can Windows 11 also be used without a TPM?

This is currently (as of July 2021) still unclear. Microsoft requires a TPM 2.0 for computers with the Windows 11 logo. However, Windows 11 can also be installed on systems without TPM in another way. The consequences of this cannot yet be foreseen.

In c’t 16/2021 we tested the new tile-free Windows 11, explain its system requirements, the new store and how you can try the new preliminary version yourself for free. In a further focus we show why quantum computers threaten classical encryption. We also dedicate ourselves to the all-rounder USB-C, testing long cables, noise-canceling headphones and apps for back training. You will find issue 16/2021 from July 6th in Heise shop and at the well-stocked newspaper kiosk.


To home page