Trusted Platform Module 2.0 in Windows 11

TPM 2.0 hardware security modules are required for computers that carry the Windows 11 logo. Such modules have been built into PCs for years, but they exist in different versions, they are not enabled on every computer, and sometimes only a TPM 1.2 is present. We answer the most frequently asked questions about Trusted Platform Modules.

A Trusted Platform Module (TPM) offers functions similar to a smart card, but is built into the computer, i.e. bound to the platform. The TPM serves as a separate root of trust, independent of the main processor (CPU), main memory (RAM), mass storage and operating system. To do this it holds a secret value that never leaves the TPM but serves as the root of a hierarchy of cryptographic keys and certificates (the manufacturer-installed Endorsement Key and the keys created under it). The TPM can generate keys, sign with them and verify signatures, without the private keys ever leaving it in plain form. Finally, a TPM also provides protected registers called Platform Configuration Registers (PCRs). Firmware and boot loader record hashes of the components they load there, for example to detect firmware tampering; a PCR cannot be written directly, only extended (the new value is the hash of the old value concatenated with the new measurement), so an earlier measurement cannot be erased by later ones.
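The PCR mechanism is easier to grasp in code than in prose. The following PowerShell script is an added example, not from the c't article or from any TPM vendor: it models a single SHA-256 PCR in software and runs the "extend" operation over a constructed boot chain. The boot stage names, the use of PCR-equality as a stand-in for a TPM's sealing policy, and the function names are assumptions of this example.

```powershell
# Added example, not from the c't article: a software model of one SHA-256 PCR
# that shows the "extend" operation a real TPM performs. The boot stages that
# get measured are constructed for illustration.

$Sha256 = [System.Security.Cryptography.SHA256]::Create()

function ConvertTo-HexString([byte[]]$Bytes) {
    -join ($Bytes | ForEach-Object { $_.ToString('x2') })
}

# A PCR is never written, only extended:
#   PCR_new = SHA-256( PCR_old || SHA-256(measured data) )
function Invoke-PcrExtend([byte[]]$Pcr, [byte[]]$Data) {
    $digest = $Sha256.ComputeHash($Data)
    $Sha256.ComputeHash([byte[]]($Pcr + $digest))
}

# Measure a list of boot stages in order and return the final PCR value.
function Measure-BootChain([string[]]$Stages) {
    $pcr = New-Object byte[] 32          # at reset, a PCR holds 32 zero bytes
    foreach ($stage in $Stages) {
        $pcr = Invoke-PcrExtend $pcr ([Text.Encoding]::UTF8.GetBytes($stage))
    }
    ConvertTo-HexString $pcr
}

# Constructed boot chain: each component is measured before it executes.
$Good     = @('firmware volume', 'UEFI boot manager', 'bootmgfw.efi', 'winload.efi')
$expected = Measure-BootChain $Good
"expected PCR  : $expected"

# 1. A modified component changes the final value ...
$tampered = $Good.Clone(); $tampered[0] = 'firmware volume (implant)'
"tampered PCR  : $(Measure-BootChain $tampered)"

# 2. ... the same components in a different order do too ...
"reordered PCR : $(Measure-BootChain ($Good[1], $Good[0], $Good[2], $Good[3]))"

# 3. ... and an attacker cannot "undo" a bad measurement by extending the good
# values afterwards, because the whole history is folded into the register.
"tampered+good : $(Measure-BootChain ($tampered + $Good))"

# A secret sealed to a PCR (BitLocker's volume key, for example) is released
# only if the live value equals the value it was sealed against.
function Test-PcrPolicy([string]$Live, [string]$Sealed) { $Live -eq $Sealed }
"unseal on good boot     : $(Test-PcrPolicy (Measure-BootChain $Good) $expected)"
"unseal on tampered boot : $(Test-PcrPolicy (Measure-BootChain $tampered) $expected)"
```

The model deliberately omits what a real TPM adds on top: the register lives inside the chip, only the firmware's measurement code can issue the extend, and the reset to zero happens only on a platform reset, which is why the operating system cannot forge a clean boot history after the fact.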

A Trusted Platform Module (TPM), here Infineon's TPM 2.0 chip SLB9665TT20, acts as a hardware trust anchor in the computer, independently of processor, RAM and operating system.

What is the difference between TPM 2.0 and fTPM 2.0?

Windows 11 can use both a TPM 2.0 and an fTPM 2.0. A TPM 2.0 in the narrow sense is a separate (discrete) chip, either soldered to the motherboard or sitting on a plug-in module. Infineon (IFX), STMicroelectronics (STM) and Nuvoton (NTC) supply certified TPM 2.0 chips. The “f” in fTPM, on the other hand, stands for firmware (firmware TPM): an fTPM is not a separate chip but a functional block inside a processor, system on chip (SoC) or motherboard chipset. Because the fTPM firmware runs on an integrated but separate microcontroller core, an fTPM also operates independently of the main processor, RAM and mass storage.

So far there are fTPMs only according to the TPM 2.0 specification (fTPM 2.0), i.e. with the same range of functions as discrete TPM 2.0 chips. Discrete chips are additionally available in versions certified to stricter security standards such as Common Criteria Evaluation Assurance Level 4+ (CC EAL4+).

How do I know if my system has TPM 2.0?

If the TPM is active, Windows 10 lists it in Device Manager under “Security devices” as “Trusted Platform Module 1.2” or “Trusted Platform Module 2.0”, which reveals the specification version but not whether it is an fTPM or a separate chip. Easier to interpret is the information in the Windows Security app under “Device security”, where a TPM appears as a “Security processor”. “Security processor details” shows the “Manufacturer”: if it says “Intel”, “AMD” or “Qualcomm”, it is an fTPM; otherwise it is a discrete chip, with one exception: in virtual machines (VMs) under Hyper-V, an emulated TPM (virtual TPM, vTPM) can be enabled, which presents itself as a Microsoft product (manufacturer MSFT). The same data is available from the TPM management console (tpm.msc) and the PowerShell cmdlet Get-Tpm.

In Windows 10 a TPM appears in the Windows Security app under “Device security” as a “Security processor”. Windows also shows “details” there, such as the manufacturer (here Infineon) and the “specification version” (2.0 for TPM 2.0). Unfortunately the German localization is confusing: the entry it labels “Nachweis” (“proof”) is “Attestation”, i.e. TPM key attestation.
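The classification the article describes by reading the “Manufacturer” field can be scripted, which is useful when checking a fleet of machines before a Windows 11 rollout. The following PowerShell script is an added example, not from the c't article or from Microsoft. It queries the Win32_Tpm WMI class that Get-Tpm and the “Security processor details” page read from; the table mapping TCG vendor ID strings to discrete, firmware and virtual TPMs comes from the TCG vendor ID registry and is not on the page, so treat it as an assumption of the example.

```powershell
# Added example, not from the c't article. Queries the Win32_Tpm WMI class and
# classifies the module as discrete, firmware or virtual by its TCG vendor ID.
# Run in an elevated PowerShell: the MicrosoftTpm namespace needs admin rights.

# TCG vendor IDs as reported in ManufacturerIdTxt (padding spaces trimmed).
# Mapping assumed from the TCG vendor ID registry, not from the article.
$FirmwareVendors = @('INTC', 'AMD', 'QCOM')   # fTPM in Intel CSME/TXE, AMD PSP, Qualcomm SoC
$VirtualVendors  = @('MSFT')                  # Hyper-V virtual TPM
$DiscreteVendors = @{ 'IFX' = 'Infineon'; 'STM' = 'STMicroelectronics'; 'NTC' = 'Nuvoton' }

function Get-TpmKind {
    param([string]$ManufacturerIdTxt, [string]$SpecVersion)
    $id   = $ManufacturerIdTxt.Trim()
    $spec = ($SpecVersion -split ',')[0].Trim()   # "2.0, 0, 1.38" -> "2.0"; "1.2, 2, 3" -> "1.2"
    $kind = if     ($VirtualVendors  -contains $id)    { 'virtual TPM (Hyper-V)' }
            elseif ($FirmwareVendors -contains $id)    { 'firmware TPM (fTPM)' }
            elseif ($DiscreteVendors.ContainsKey($id)) { "discrete chip ($($DiscreteVendors[$id]))" }
            else                                       { 'discrete chip (other vendor)' }
    [pscustomobject]@{
        Vendor     = $id
        Spec       = $spec
        Kind       = $kind
        Win11Ready = ($spec -eq '2.0')   # the Windows 11 logo requires TPM 2.0, not 1.2
    }
}

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM visible to Windows: none fitted, or disabled in BIOS setup.'
    return
}

Get-TpmKind -ManufacturerIdTxt $tpm.ManufacturerIdTxt -SpecVersion $tpm.SpecVersion

# Present is not the same as usable: BitLocker and friends need all three True.
[pscustomobject]@{
    Enabled   = $tpm.IsEnabled_InitialValue
    Activated = $tpm.IsActivated_InitialValue
    Owned     = $tpm.IsOwned_InitialValue
    # Firmware version, to compare against the vendor's advisory for the
    # ROCA and TPM-Fail issues discussed later in this article.
    Firmware  = $tpm.ManufacturerVersion
}
```

Get-Tpm returns the same manufacturer and version fields with friendlier names (TpmPresent, TpmReady, ManufacturerIdTxt, ManufacturerVersionFull20); the WMI class is used here because it also exposes SpecVersion, which is what decides between 1.2 and 2.0.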

What is the difference between TPM 2.0 and TPM 1.2?

With TPM 1.2 only the obsolete and broken SHA-1 hash and RSA were mandatory; SHA-256 and AES encryption were optional. A TPM 2.0 must support SHA-256 and at least AES-128 (the PC Client profile additionally requires RSA-2048 and ECC with the NIST P-256 curve), and the specification is algorithm-agile, so further algorithms can be added without changing the command set. In addition, the TPM 2.0 specification is worded more precisely, so implementations behave more uniformly.

How do I enable TPM in BIOS setup?

If a TPM is soldered on or embedded in the hardware as an fTPM but not visible in Windows, you may be able to enable it with an option in BIOS setup, but only if the motherboard manufacturer has provided one. The necessary options are often found in menus with names such as “Security”, “Security Chip” or “Platform Security”; Intel's fTPM appears as “PTT” (Platform Trust Technology), AMD's as “AMD fTPM” or “AMD CPU fTPM”. After enabling it, check in Windows that the module is not only present but also enabled and ready (tpm.msc shows “The TPM is ready for use”).

If a TPM is available, it may be possible to enable it in the BIOS setup of the computer.

Since when do PCs, notebooks and tablets generally have TPM 2.0?

The TPM 2.0 specification appeared in 2012, and Infineon announced the first compatible chips in 2013. Since then they have mainly been fitted in desktops with Intel “vPro” hardware, later also in those with AMD Ryzen Pro, as well as in laptops from the business lines of HP (Elite), Dell (Latitude/Precision), Lenovo (ThinkPad), Fujitsu (Lifebook) and Toshiba/Dynabook.

AMD has built the so-called Platform Security Processor (PSP, later “AMD Secure Processor”), based on an ARM Cortex-A5 core, into all its processors since 2014, starting with Beema/Mullins and Carrizo. At Intel, the fTPM runs in the Converged Security and Management Engine (CSME, formerly ME) of chipsets from the 100 series (Z170, Q170, H170, B150) for Core i-6000 (Skylake) from 2015 onwards. The “Atom Celerons” from 2014 (Bay Trail, Celeron N2000) also have an fTPM, there in the Trusted Execution Engine (TXE). These fTPMs cannot always actually be used, but only if the necessary firmware is included and the BIOS enables them. Some systems even have two TPMs, i.e. a discrete TPM chip in addition to the fTPM; BIOS setup then selects which of the two Windows sees.

Some computers with a discrete TPM 2.0 chip also have an fTPM, in this case one from AMD, implemented in the Platform Security Processor (PSP).

Can I upgrade a TPM on my PC?

Some motherboards have pin headers (TPM headers) for retrofitting a small daughterboard that carries a TPM chip. However, the BIOS must support this, and there are different designs and interfaces such as Low Pin Count (LPC), Serial Peripheral Interface (SPI) or I2C, and the header pinout differs between board manufacturers. So you need a TPM module that matches the respective motherboard.

What does Windows use the TPM for, and what do I get out of it?

The best-known use of a TPM in Windows is BitLocker encryption of hard drives and SSDs, which is only available in the Pro and Enterprise editions of Windows. The encryption key can (but need not) be bound to the TPM (key sealing), so that the stored data stays protected if the drive is removed from the system; the TPM releases the key only if the PCR values match those recorded when the key was sealed. The “device encryption” that Windows turns on automatically on tablets and 2-in-1 hybrids with “Modern Standby” works like BitLocker and seals the key to PCR 7, which records the Secure Boot state.

Windows Hello for Business also uses the TPM to protect the keys behind biometric or PIN sign-in. In addition, since 2019 Microsoft, in cooperation with Dell, HP and Lenovo, has been presenting laptops whose firmware is supposed to be better protected against manipulation (such as BIOS rootkits). These “Secured-core PCs” use the TPM together with a dynamic root of trust for measurement (DRTM, “System Guard Secure Launch”), which re-measures the system after the firmware has run. A TPM is also used by Virtualization-based Security (VBS) and for remote attestation of the system state, for example via Microsoft Azure Attestation before a device is granted access to cloud applications.
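The following PowerShell script is an added example, not from the c't article or from Microsoft, that shows what Windows concretely gets from the TPM on a given machine: which BitLocker key protectors each volume uses and whether the key is bound to the TPM alone or to TPM plus PIN, which PCRs the TPM protector is sealed to, and whether VBS and System Guard Secure Launch (the DRTM feature of Secured-core PCs) are running. The cmdlets and WMI classes are the standard ones (Get-BitLockerVolume, manage-bde, Win32_DeviceGuard); the mapping of the numeric SecurityServicesRunning codes to names follows Microsoft's documentation and is an assumption of this example, as is the choice of C: as the operating system drive.

```powershell
# Added example, not from the c't article or from Microsoft. Run in an
# elevated PowerShell on Windows 10/11 Pro or Enterprise.

# Which key protectors guard each BitLocker volume, and is the TPM the only
# factor? A "Tpm" protector alone releases the key automatically at boot once
# the PCRs match; "TpmPin" additionally demands a PIN before the TPM unseals.
function Get-BitLockerProtectorSummary {
    $multiFactorTpm = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            Protection  = $vol.ProtectionStatus          # On / Off
            Method      = $vol.EncryptionMethod          # e.g. XtsAes128
            Protectors  = ($types -join ', ')
            TpmOnly     = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -in $multiFactorTpm })
            HasRecovery = ($types -contains 'RecoveryPassword')   # needed when PCRs change, e.g. after a firmware update
        }
    }
}
Get-BitLockerProtectorSummary | Format-Table -AutoSize

# The PCRs the TPM protector is sealed to appear under "PCR Validation Profile";
# on Secure Boot systems that is typically PCR 7 and 11. (C: assumed as OS drive.)
manage-bde -protectors -get C:

# To add a PIN as a second factor (after enabling the group policy
# "Require additional authentication at startup" under Computer Configuration >
# Administrative Templates > Windows Components > BitLocker Drive Encryption >
# Operating System Drives):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')

# Virtualization-based security and the services running on top of it. The
# numeric codes follow Microsoft's Win32_DeviceGuard documentation (assumed here).
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $state = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'off' } 1 { 'configured, not running' } 2 { 'running' } default { 'unknown' }
    }
    $names = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity';
                3 = 'System Guard Secure Launch (DRTM)'; 4 = 'SMM Firmware Measurement' }
    $running = @($dg.SecurityServicesRunning) | Where-Object { $_ -ne 0 } |
               ForEach-Object { if ($names.ContainsKey([int]$_)) { $names[[int]$_] } else { "service $_" } }
    [pscustomobject]@{ VbsStatus = $state; RunningServices = ($running -join ', ') }
}
Get-VbsStatus
```

A volume that reports TpmOnly = True is unlocked without any user interaction as long as the measured boot matches, which is convenient but means the machine and its key travel together; the TpmPin protector shown in the comment is the usual way to add a factor the TPM cannot supply on its own. Keep the recovery password: a firmware update, a changed boot order or switching Secure Boot off alters PCR 7 and the TPM will refuse to unseal until the protector is re-sealed.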

What does a TPM have to do with the cryptographically secured boot mode “UEFI Secure Boot”?

Nothing directly: UEFI Secure Boot, whose status Windows calls “secure boot state”, also works without a TPM, because it only verifies signatures of boot components against keys stored in the firmware. Conversely, a TPM does record the Secure Boot configuration in PCR 7, which is how BitLocker notices if Secure Boot has been switched off. Special boot loaders, used by some security suites for example, can additionally involve the TPM after booting to detect manipulation of the UEFI BIOS, see “DRTM” above.

Are there any TPM vulnerabilities?

In 2017 the “ROCA” vulnerability in the RSA key generation of Infineon TPM chips (TPM 1.2 and early TPM 2.0 firmware) was discovered. It was closed by firmware updates; because the flaw lies in how keys were generated, keys created by unpatched firmware stay weak and must be regenerated after the update. In 2019 the “TPM-Fail” vulnerability in TPM 2.0 chips from STMicroelectronics and in Intel's fTPM implementation was revealed and likewise closed with patches. TPM-Fail exploited timing differences in Elliptic Curve Digital Signature Algorithm (ECDSA) signing to recover private keys; RSA keys were not affected.

Can Windows 11 also be used without TPM?

This is currently (as of July 2021) still unclear. Microsoft requires TPM 2.0 for computers carrying the Windows 11 logo. However, Windows 11 can also be installed on systems without a TPM by other means. We cannot yet foresee the consequences.

In c't 16/2021 we test the new Windows 11 without tiles, explain its system requirements and the new store, and show how you can try the preview version yourself free of charge. In another focus we show why quantum computers threaten classical encryption. We also cover versatile USB-C, test long cables and noise-cancelling headphones, and look at back-training apps. Issue 16/2021 is available from July 6 in the Heise shop and at well-stocked newsstands.

(waiting line)