Trusted Platform Module
In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, and the general name of implementations of that specification, often called the "TPM chip" or "TPM Security Device". The TPM specification is the work of the Trusted Computing Group (TCG). The current version of the TPM specification is now 2.0, published on December 15, 2015. This specification is also available as the international standard ISO/IEC 11889:2015.
The Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a random number generator. It also includes capabilities such as remote attestation and sealed storage.
- "Remote attestation" creates a nearly unforgeable hash-key summary of the hardware and software configuration. The program encrypting the data determines the extent of the summary of the software. This allows a third party to verify that the software has not been changed.
- "Binding" encrypts data using the TPM endorsement key, a unique RSA key burned into the chip during its production, or another trusted key descended from it.
- "Sealing" encrypts data in similar manner to binding, but in addition specifies a state in which the TPM must be in order for the data to be decrypted (unsealed).
Software can use a Trusted Platform Module to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication.
Generally, pushing the security down to the hardware level in conjunction with software provides more protection than a software-only solution. However, even where a TPM is used, a key would still be vulnerable while a software application that has obtained it from the TPM is using it to perform encryption/decryption operations, as has been illustrated in the case of a cold boot attack. This problem is eliminated if the keys used in the TPM are not accessible on a bus or to external programs and all encryption/decryption is done in the TPM.
The primary scope of a TPM (in combination with other TCG implementations) is to assure the integrity of a platform. In this context "integrity" means "behave as intended" and a "platform" is generically any computer platform, not limited to PCs or just Windows. The aim is to start the power-on boot process from a trusted condition and extend this trust until the OS has fully booted and applications are running.
Together with the BIOS, the TPM forms a Root of Trust: the TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant metrics. These metrics can be used to detect changes to previous configurations and to decide how to proceed. A good example can be found in Microsoft's BitLocker Drive Encryption (see below).
Therefore, the BIOS and the operating system have the primary responsibility to utilize the TPM to assure platform integrity. Only then can applications and users running on that platform rely on its security characteristics, such as secure I/O ("what you see is what you get"), uncompromised keyboard entries, and memory and storage operations.
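The PCR mechanism and the "sealing" operation described above can be modelled in software. The following is an added example, not code from the TCG specification or from any TPM vendor; it assumes a SHA-256 PCR bank, and the class and function names and the boot-chain byte strings are constructed for illustration.

```python
import hashlib
import hmac

class SimulatedPCR:
    """Software model of one PCR in a SHA-256 bank (TPM 1.2 chips used SHA-1)."""

    def __init__(self):
        self.value = bytes(32)  # reset state in this model: all zeros

    def extend(self, component: bytes) -> bytes:
        # A PCR cannot be written directly, only extended:
        # PCR_new = H(PCR_old || H(component))
        measurement = hashlib.sha256(component).digest()
        self.value = hashlib.sha256(self.value + measurement).digest()
        return self.value

def measured_boot(components) -> bytes:
    """Extend each boot stage into a fresh PCR, in order, and return the result."""
    pcr = SimulatedPCR()
    for blob in components:
        pcr.extend(blob)
    return pcr.value

def seal(secret: bytes, policy_pcr: bytes) -> dict:
    # Model only: a real TPM encrypts the secret under a key that stays in the chip.
    return {"secret": secret, "policy_pcr": policy_pcr}

def unseal(blob: dict, current_pcr: bytes) -> bytes:
    """Release the secret only if the platform is in the state it was sealed to."""
    if not hmac.compare_digest(blob["policy_pcr"], current_pcr):
        raise PermissionError("PCR value does not match the sealing policy")
    return blob["secret"]

# Constructed sample boot chains (placeholder byte strings, not real images).
GOOD_CHAIN = [b"firmware-1.0", b"bootloader-1.0", b"kernel-1.0"]
TAMPERED_CHAIN = [b"firmware-1.0", b"bootloader-1.0-modified", b"kernel-1.0"]

if __name__ == "__main__":
    blob = seal(b"disk-encryption-key", measured_boot(GOOD_CHAIN))
    print("unchanged boot:", unseal(blob, measured_boot(GOOD_CHAIN)))
    try:
        unseal(blob, measured_boot(TAMPERED_CHAIN))
    except PermissionError as err:
        print("modified boot:", err)
```

Because each extend hashes the previous register value, the final PCR depends on every measured component and on the order in which they were measured, so a change at any stage alters the value the sealed data is compared against.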
Full disk encryption applications, such as TrueCrypt, SecureDoc, the dm-crypt feature of modern Linux kernels and the BitLocker Drive Encryption feature of some Windows operating systems, can use this technology to protect the keys used to encrypt the computer's hard disks and provide integrity authentication for a trusted boot pathway (e.g. BIOS, boot sector, etc.). A number of third party full disk encryption products also support the TPM chip. TrueCrypt however decided not to use it.
Access to keys, data or systems is often protected and requires authentication by presenting a password. If the authentication mechanism is implemented in software only, the access is typically prone to "dictionary attacks". Since the TPM is implemented in a dedicated hardware module, a dictionary attack prevention mechanism was built in, which effectively prevents guessing or automated dictionary attacks, while still allowing the user a sufficient and reasonable number of tries. With this hardware-based dictionary attack prevention, the user can opt for shorter or weaker passwords that are more memorable. Without this level of protection, only passwords with high complexity would provide sufficient protection.
Other uses and concerns
Almost any encryption-enabled application can, in theory, make use of a TPM, including:
Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of the TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of the TPM by someone who is physically present at the console of the machine.
Starting in 2006, many new laptop computers have been sold with a Trusted Platform Module chip built-in. In the future, this concept could be co-located on an existing motherboard chip in computers, or any other device where a TPM's facilities could be employed, such as a cell phone. On a PC, the LPC bus is used.
Trusted Platform Module microcontrollers are currently produced by:
- Infineon (Infineon TPM)
- Nuvoton (formerly Winbond)
- ITE (ITE TPM)
The Trusted Computing Group, the developers of the specification, has faced resistance in some areas to the deployment of this technology, especially in academia, where some authors still see possible uses not specifically related to Trusted Computing, which may raise privacy concerns. The concerns include the abuse of remote validation of software (where the manufacturer, and not the user who owns the computer system, decides what software is allowed to run) and the possibility that actions taken by the user could be followed by recording them in a database.
Countries where TPM cannot be legally deployed
Due to legal restrictions TPMs may not be deployed in a number of countries. Possible reasons for these legal restrictions include the fact that state security services may not be able to access data or keys secured with a TPM.
Currently TPM is used by nearly all PC and notebook manufacturers, primarily offered on professional product lines.
TPM is implemented by several vendors:
- Acer, Wipro, Asus, Dell, Inc., Gigabyte Technology, LG, Fujitsu, HP, Lenovo, MSI, Samsung, Sony, Eurocom Corporation, and Toshiba provide TPM integration on their devices.
- Infineon provides both TPM chips and TPM software, which is delivered as OEM versions with new computers, as well as separately by Infineon for products with TPM technology that complies with the TCG standards.
- Wave Systems offers a broad range of client and server software, which runs on all TPM chip-sets. For instance, this software is pre-installed on several models from Dell and Gateway.
- Microsoft's operating systems Windows Vista, Windows 7 and Windows 8 as well as Microsoft Windows Server starting from Windows Server 2008, use the chip in conjunction with the included disk encryption software named BitLocker.
- In 2006, with the introduction of the first Macintosh models with Intel processors, Apple started to ship Macs with TPMs. Apple never provided an official driver, but there was a port under GPL available. In 2009, Apple stopped shipping TPMs.
- Oracle ships TPMs in their recent X- and T-Series Systems such as the T3 or T4 series of servers. Support is included in Solaris 11.