Trusted Platform Module

Updated on Oct 04, 2024

Edit

Comment

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. TPM's technical specification was written by a computer industry consortium called Trusted Computing Group (TCG). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standardized the specification as ISO/IEC 11889 in 2009.

TCG continues to revise the TPM specification. It published revision 116 of the version 1.2 of TPM specification on March 3, 2011, while the draft revision 1.07 of the version 2.0 of TPM specification was published for public review on March 13, 2014 as a library specification that provides updates to the previously published main TPM specifications. Trusted Platform Module Library Specification Revision 01.16 was released in October 2014 as the latest TPM 2.0 release.

Overview

Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a random number generator. It also includes capabilities such as remote attestation and sealed storage, as follows:

Remote attestation – creates a nearly unforgeable hash key summary of the hardware and software configuration. The program hashing the configuration data determines the extent of the summary of the software. This allows a third party to verify that the software has not been changed.

Binding – encrypts data using TPM bind key, a unique RSA key descended from a storage key.

Sealing – encrypts data in a similar manner to binding, but in addition specifies a state in which TPM must be, in order for the data to be decrypted (unsealed).

Software can use a Trusted Platform Module to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication.

Generally, pushing the security down to the hardware level in conjunction with software provides more protection than a software-only solution. However even where a TPM is used, a key would still be vulnerable while a software application that has obtained it from TPM is using it to perform encryption/decryption operations, as has been illustrated in the case of a cold boot attack. This problem is eliminated if key(s) used in TPM are not accessible on a bus or to external programs and all encryption/decryption is done in TPM.

Uses

The United States Department of Defense (DoD) specifies that "new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD will include a TPM version 1.2 or higher where required by DISA STIGs and where such technology is available." The TPM is anticipated to be used for device identification, authentication, encryption, measurement, and device integrity.

An example of use is Intel's Trusted Execution Technology (TXT). Intel's TXT is used to create a "chain of trust", and to remotely attest that a computer has a specified hardware setup and is using specified software.

Platform integrity

The primary scope of a TPM (in combination with other TCG implementations) is to assure the integrity of a platform. In this context "integrity" means "behave as intended", and a "platform" is generically any computer platform – not limited to PCs or a particular operating system: start the power-on boot process from a trusted condition and extend this trust until the operating system has fully booted and applications are running.

Together with UEFI, TPM forms a "root of trust": TPM contains several PCRs (Platform Configuration Registers) that allow a secure storage and reporting of security relevant metrics. These metrics can be used to detect changes to previous configurations and derive decisions how to proceed. Good examples can be found in Linux Unified Key Setup (LUKS), and in Microsoft's BitLocker Drive Encryption and PrivateCore vCage memory encryption (see below).

Therefore, the BIOS and the operating system have the primary responsibility to utilize TPM in order to assure platform integrity. Only then can applications and users running on that platform rely on its security characteristics, such as secure I/O "what you see is what you get", uncompromised keyboard entries, memory and storage operations.

Disk encryption

Full disk encryption applications, such as SecureDoc, dm-crypt in modern Linux kernels, and BitLocker Drive Encryption in some versions of Microsoft Windows, can use this technology to protect the keys used to encrypt the computer's hard disks and provide integrity authentication for a trusted boot pathway (for example BIOS, boot sector, etc.) A number of third-party full-disk encryption products also support TPM.

Password protection

Access to keys, data or systems is often protected and requires authentication by presenting a password. If the authentication mechanism is implemented in software only, the access typically is prone to "dictionary attacks". Since TPM is implemented in a dedicated hardware module, a dictionary attack prevention mechanism was built in, which effectively protects against guessing or automated dictionary attacks, while still allowing the user a sufficient and reasonable number of tries. With this hardware based dictionary attack prevention, the user can opt for shorter or weaker passwords which are more memorable. Without this level of protection, only passwords with high complexity would provide sufficient protection.

Other uses and concerns

Almost any encryption-enabled application can, in theory, make use of a TPM, including:

digital rights management

protection and enforcement of software licenses

prevention of cheating in online games

Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of TPM by someone who is physically present at the console of the machine.

TPM implementations

Starting in 2006, many new laptop computers have been sold with a built-in Trusted Platform Module chip. In the future, this concept could be co-located on an existing motherboard chip in computers, or any other device where the TPM facilities could be employed, such as a cell phone. On a PC, either the LPC bus or the SPI bus is used to connect to the TPM.

Many manufacturers make TPMs. The Trusted Computing Group has certified TPMs manufactured by Infineon Technologies, Nuvoton, and STMicroelectronics. The Trusted Computing Group has assigned TPM vendor IDs to Advanced Micro Devices, Atmel, Broadcom, IBM, Infineon, Intel, Lenovo, National Semiconductor, Nationz Technologies, Nuvoton, Qualcomm, Rockchip, Standard Microsystems Corporation, STMicroelectronics, Samsung, Sinosun, Texas Instruments, and Winbond.

There are five different types of TPM 2.0 implementations: discrete TPMs (dTPM), integrated TPMs, firmware TPMs (fTPM), software TPMs, and virtual TPMs. Discrete TPMs are chips that implement TPM functionality and nothing else, and are in their own semiconductor package. These implement their functions in hardware to resist software bugs and implement tamper resistance. They are therefore the most secure type of TPM. Integrated TPMs are part of another chip that implements other functionalities. While they use hardware that resists software bugs, they are not required to implement tamper resistance. Intel has integrated TPMs in some of its chipsets. Firmware TPMs are software-only solutions that run in a CPU's trusted execution environment. Firmware TPMs are dependent on the trusted execution environments that they run within for security beyond what the normal execution environment provides. Since these TPMs are entirely software solutions, these TPMs are vulnerable to software bugs within themselves. AMD and Qualcomm have implemented firmware TPMs. Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment, and they are vulnerable to their own software bugs. They are useful for development purposes. Virtual TPMs are provided by a hypervisor. These are therefore reliant on the hypervisor for security beyond the execution environment provided to the software running inside the virtual machine and therefore provides a security level similar to a firmware TPM.

TPM 1.2 vs TPM 2.0

While TPM 2.0 addresses many of the same use cases and has similar features, the details are different. TPM 2.0 is not backward compatible to TPM 1.2.

The TPM 2.0 policy authorization includes the 1.2 HMAC, locality, physical presence, and PCR. It adds authorization based on an asymmetric digital signature, indirection to another authorization secret, counters and time limits, NVRAM values, a particular command or command parameters, and physical presence. It permits the ANDing and ORing of these authorization primitives to construct complex authorization policies.

Criticism

TCG has faced resistance to the deployment of this technology in some areas, where some authors see possible uses not specifically related to Trusted Computing, which may raise privacy concerns. The concerns include the abuse of remote validation of software (where the manufacturer‍—‌and not the user who owns the computer system‍—‌decides what software is allowed to run) and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user.

Another limitation raised by TrueCrypt developers is that a TPM cannot be relied upon for security, because if the attacker has physical or administrative access to a computer and you use it afterwards, the computer could have been modified by the attacker: e.g., a malicious component—such as a hardware keystroke logger—could have been used to capture the password or other sensitive information. Since the TPM does not prevent an attacker from maliciously modifying a computer, VeraCrypt (a successor to TrueCrypt) will not support TPM.

Availability

Currently TPM is used by nearly all PC and notebook manufacturers, primarily offered on professional product lines.

TPM is implemented by several vendors:

Advantech provides TPM on many of its products, especially its Gaming boards and Energy Automation Computers.

In 2006, with the introduction of first Macintosh models with Intel processors, Apple started to ship Macs with TPM. Apple never provided an official driver, but there was a port under GPL available. Apple has not shipped a computer with TPM since 2006.

Atmel manufactures TPM devices that it claims to be compliant to the Trusted Platform Module specification version 1.2 revision 116 and offered with several interfaces (LPC, SPI, and I2C), modes (FIPS 140-2 certified and standard mode), temperature grades (commercial and industrial), and packages (TSSOP and QFN). Atmel's TPMs support PCs and embedded devices. Atmel also provides TPM development kits to support integration of its TPM devices into various embedded designs.

Google includes TPMs in Chromebooks as part of their security model.

Infineon provides both TPM chips and TPM software, which is delivered as OEM versions with new computers, as well as separately by Infineon for products with TPM technology which complies to TCG standards. For example, Infineon licensed TPM management software to Broadcom Corp. in 2004.

Microsoft operating systems Windows Vista and later use the chip in conjunction with the included disk encryption component named BitLocker. Microsoft has announced that from January 1, 2015 all computers will have to be equipped with a TPM 2.0 module in order to pass Windows 8.1 hardware certification. However, in a December 2014 review of the Windows Certification Program this requirement was changed to optional. However, TPM 2.0 is required for connected standby systems. Virtual machines running on Hyper-V can have their own virtual TPM module starting with Windows 10 1511 and Windows Server 2016.

In 2011, Taiwanese manufacturer MSI launched its Windpad 110W tablet featuring an AMD CPU and Infineon Security Platform TPM, which ships with controlling software version 3.7. The chip is disabled by default but can be enabled with the included, pre-installed software.

Nuvoton provides TPM devices implementing Trusted Computing Group (TCG) version 1.2 and 2.0 specifications for PC applications. Nuvoton also provides TPM devices implementing these specifications for embedded systems and IoT (Internet of Things) applications via I2C and SPI host interfaces. Nuvoton's TPM complies with Common Criteria (CC) with assurance level EAL 4 augmented, FIPS 140-2 level 1 and TCG Compliance requirements, all supported within a single device.

Oracle ships TPMs in their recent X- and T-Series Systems such as T3 or T4 series of servers. Support is included in Solaris 11.

PrivateCore vCage uses TPM chips in conjunction with Intel Trusted Execution Technology (Intel TXT) to validate systems on bootup.

In mobile devices security, there are some alternatives to TPM; for example, TrustKernel's T6 secure operating system simulates the functionality of TPM in mobile devices using the ARM TrustZone technology.

VMware ESXi hypervisor has supported TPM since 4.x, and from 5.0 it is enabled by default.

Xen hypervisor has support of virtualized TPMs. Each guest gets its own unique, emulated, software TPM.

KVM, combined with QEMU, has support for virtualized TPMs. As of 2012, it supports passing through the physical TPM chip to a single dedicated guest, while it is planned to also provide emulated TPMs to guests.

There are also hybrid types; for example, TPM can be integrated into an Ethernet controller, thus eliminating the need for a separate motherboard component.

References

Trusted Platform Module Wikipedia

(Text) CC BY-SA

Contents