Trusted Platform Module

A Trusted Platform Module is a secure cryptoprocessor that implements the ISO/IEC 11889 standard. Common uses are verifying that the boot process starts from a trusted combination of hardware and software and storing disk encryption keys.
A TPM 2.0 implementation is part of the Windows 11 system requirements.

History

The first TPM version that was deployed was 1.1b in 2003.
Trusted Platform Module was conceived by a computer industry consortium called Trusted Computing Group. It evolved into TPM Main Specification Version 1.2 which was standardized by International Organization for Standardization and International Electrotechnical Commission in 2009 as ISO/IEC 11889:2009. TPM Main Specification Version 1.2 was finalized on 3 March 2011 completing its revision.
On April 9, 2014, the Trusted Computing Group announced a major upgrade to their specification entitled TPM Library Specification 2.0. The group continues work on the standard incorporating errata, algorithmic additions and new commands, with its most recent edition published as 2.0 in November 2019. This version became ISO/IEC 11889:2015.
When a new revision is released, it is divided into multiple parts by the Trusted Computing Group. Each part consists of a document that makes up the whole of the new TPM specification.

Part 1 Architecture
Part 2 Structures of the TPM
Part 3 Commands
Part 4 Supporting Routines
Version differences

While TPM 2.0 addresses many of the same use cases and has similar features, the details are different. TPM 2.0 is not backward compatible with TPM 1.2.

Specification	TPM 1.2	TPM 2.0
Architecture	A complete specification is intended to consist of a platform-specific protection profile which references a common three part TPM 1.2 library. In practice, only a PC Client protection profile was created for TPM 1.2. Protection profiles for PDA and cellular were intended to be defined, but were never published.	A complete specification consists of a platform-specific specification which references a common four-part TPM 2.0 library. Platform-specific specifications define what parts of the library are mandatory, optional, or banned for that platform; and detail other requirements for that platform. Platform-specific specifications include PC Client, mobile, and Automotive-Thin.
Algorithms	SHA-1 and RSA are required. AES is optional. Triple DES was once an optional algorithm in earlier versions of TPM 1.2, but has been removed from TPM 1.2 version 103. The MGF1 hash-based mask generation function that is defined in PKCS#1 is required.	The PC Client Platform TPM Profile Specification requires SHA-1 and SHA-256 for hashes; RSA, ECC using the NIST P-256 curve for public-key cryptography and asymmetric digital signature generation and verification; HMAC for symmetric digital signature generation and verification; 128-bit AES for symmetric-key algorithm; and the MGF1 hash-based mask generation function that is defined in PKCS#1. Many other algorithms are also defined but are optional. Note that Triple DES was added into the TPM 2.0 library, but with restrictions to reject weak keys. Also, elliptic cryptography Direct Anonymous Attestation using Barreto-Naehrig ECC curves which was mandatory in earlier versions has been made optional in the PC Client profile version 1.59.
Crypto Primitives	A random number generator, a public-key cryptographic algorithm, a cryptographic hash function, a mask generation function, digital signature generation and verification, and Direct Anonymous Attestation are required. Symmetric-key algorithms and exclusive or are optional. Key generation is also required.	A random number generator, public-key cryptographic algorithms, cryptographic hash functions, symmetric-key algorithms, digital signature generation and verification, mask generation functions, and exclusive or are required by the TCG PC Client Platform TPM Profile Specification. ECC-based Direct Anonymous Attestation using the Barreto–Naehrig 256-bit curve is optional for the TCG PC Client Platform TPM Profile Specification. The TPM 2.0 common library specification also requires key generation and key derivation functions.
Hierarchy	One	Three
Root keys	One	Multiple keys and algorithms per hierarchy
Authorization	HMAC, PCR, locality, physical presence	Password, HMAC, and policy.
NVRAM	Unstructured data	Unstructured data, counter, bitmap, extend, PIN pass and fail

The TPM 2.0 policy authorization includes the 1.2 HMAC, locality, physical presence, and PCR. It adds authorization based on an asymmetric digital signature, indirection to another authorization secret, counters and time limits, NVRAM values, a particular command or command parameters, and physical presence. It permits the ANDing and ORing of these authorization primitives to construct complex authorization policies.

Overview

The Trusted Platform Module provides:

A hardware random number generator
Facilities for the secure generation of cryptographic keys for limited uses.
Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. One could use the hash to verify that the hardware and software have not been changed. The software in charge of hashing the setup determines the extent of the summary.
Binding: Data is encrypted using the TPM bind key, a unique RSA key descended from a storage key. Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity.
Sealed storage: Specifies the TPM state for the data to be decrypted.
Other Trusted Computing functions for the data to be decrypted.

Computer programs can use a TPM for the authentication of hardware devices, since each TPM chip has a unique and secret Endorsement Key burned in as it is produced. Security embedded in hardware provides more protection than a software-only solution. Its use is restricted in some countries.

Uses

Platform integrity

The primary scope of TPM is to ensure the integrity of a platform during boot time. In this context, "integrity" means "behaves as intended", and a "platform" is any computer device regardless of its operating system. This is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.
When TPM is used, the firmware and the operating system are responsible for ensuring integrity.
For example, the Unified Extensible Firmware Interface can use TPM to form a root of trust: The TPM contains several Platform Configuration Registers that allow secure storage and reporting of security-relevant metrics. These metrics can be used to detect changes to previous configurations and decide how to proceed. Examples of such use can be found in Linux Unified Key Setup, BitLocker and PrivateCore vCage memory encryption.
Another example of platform integrity via TPM is in the use of Microsoft Office 365 licensing and Outlook Exchange.
Another example of TPM use for platform integrity is the Trusted Execution Technology, which creates a chain of trust. It could remotely attest that a computer is using the specified hardware and software.

Disk encryption

utilities, such as dm-crypt, can use this technology to protect the keys used to encrypt the computer's storage devices and provide integrity authentication for a trusted boot pathway that includes firmware and the boot sector.

Implementations

Laptops and notebooks

In 2006, new laptops began being sold with a built-in TPM chip. In the future, this concept could be co-located on an existing motherboard chip in computers, or any other device where the TPM facilities could be employed, such as a cellphone. On a PC, either the Low Pin Count bus or the Serial Peripheral Interface bus is used to connect to the TPM chip.
The Trusted Computing Group has certified TPM chips manufactured by Infineon Technologies, Nuvoton, and STMicroelectronics, having assigned TPM vendor IDs to Advanced Micro Devices, Atmel, Broadcom, IBM, Infineon, Intel, Lenovo, National Semiconductor, Nationz Technologies, Nuvoton, Qualcomm, Rockchip, Standard Microsystems Corporation, STMicroelectronics, Samsung, Sinosun, Texas Instruments, and Winbond.

TPM 2.0

There are five different types of TPM 2.0 implementations :

Discrete TPMs are dedicated chips that implement TPM functionality in their own tamper resistant semiconductor package. They are the most secure, certified to FIPS-140 with level 3 physical security resistance to attack versus routines implemented in software, and their packages are required to implement some tamper resistance. For example, the TPM for the brake controller in a car is protected from hacking by sophisticated methods.
Integrated TPMs are part of another chip. While they use hardware that resists software bugs, they are not required to implement tamper resistance. Intel has integrated TPMs in some of its chipsets.
Firmware TPMs are firmware-based solutions that run in a CPU's trusted execution environment. Intel, AMD and Qualcomm have implemented firmware TPMs.
Virtual TPMs are provided by and rely on hypervisors in isolated execution environments that are hidden from the software running inside virtual machines to secure their code from the software in the virtual machines. They can provide a security level comparable to a firmware TPM. Google Cloud Platform has implemented vTPM.
Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment. They are useful for development purposes.