| Trusted Platform Module | |
|---|---|
| [Image: a discrete TPM chip on a motherboard; photo by Raimond Spekking, CC BY-SA 4.0] | |
| Name | Trusted Platform Module |
| Caption | A discrete TPM chip on a motherboard. |
| Inventor | Trusted Computing Group |
| Connectivity | LPC, I²C, SPI |
Trusted Platform Module (TPM). A dedicated microcontroller designed to secure hardware by means of integrated cryptographic keys. The technology, standardized by the Trusted Computing Group, provides a root of trust for secure boot, disk encryption, and platform authentication. Its functions are increasingly integrated into modern operating systems such as Microsoft Windows and into platforms from Intel and AMD.
The concept emerged from the work of the Trusted Computing Group, an industry consortium including Intel, Microsoft, IBM, and Hewlett-Packard. It establishes a hardware-based root of trust, enabling systems to reliably report their software state, a process known as remote attestation. This capability is fundamental for advanced security architectures like Confidential Computing and is a requirement for features such as Windows 11 installation. The module operates independently from the main CPU and its primary operating system.
The current standard is defined in the ISO/IEC 11889 specification. A TPM contains several cryptographic engines, including an RSA key generator, a SHA-1 and SHA-256 hashing engine, and a random number generator. It provides secure storage for sensitive data such as endorsement keys and storage root keys. Physically, it can be a discrete chip connected via an LPC or I²C bus, or it can be implemented as firmware (fTPM) within the CPU by vendors such as AMD (PSP) and Intel (Management Engine).
Core capabilities include secure cryptographic key generation and storage, which keeps private keys from ever being exposed to the system's main memory. It enables measured boot, where each step of the bootloader sequence is cryptographically recorded in Platform Configuration Registers (PCRs). This allows integrity measurement to detect unauthorized changes. The module also facilitates binding data to a specific platform state and sealing data, such as BitLocker encryption keys, so that it can only be unsealed when the system is in the trusted state.
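The following added example (not from the original page, and not TPM specification or vendor code) models the three mechanisms the text describes: PCR extend during measured boot, sealing a secret to an expected PCR value, and the remote-attestation check from the earlier paragraph. It is a deliberately simplified stand-in: a single SHA-256 PCR, a `ToyTPM` class in place of the chip, and an HMAC in place of the asymmetric attestation-key signature a real TPM uses. The boot component names and the secret are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration: a simplified model of measured boot, PCR-bound sealing and
# a quote check. It is not TPM specification code; a real TPM keeps the PCRs,
# the sealed secret and the attestation key inside the chip and signs quotes
# with an asymmetric key rather than the HMAC used here.

HASH = hashlib.sha256
PCR_RESET = bytes(HASH().digest_size)  # PCRs read as all-zero bytes after reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend as the text describes it: new = H(old || H(event data))."""
    return HASH(pcr + HASH(event).digest()).digest()


def measured_boot(components) -> bytes:
    """Fold an ordered list of boot components into a single PCR value."""
    pcr = PCR_RESET
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Minimal stand-in for the parts of a TPM the text describes (hypothetical)."""

    def __init__(self) -> None:
        self.pcr = PCR_RESET
        self._sealed = []                 # list of (required PCR, secret)
        self._ak = os.urandom(32)         # attestation key; never leaves the "chip"

    def extend(self, event: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, event)

    def seal(self, secret: bytes, required_pcr: bytes) -> int:
        """Store a secret that may only be released while pcr == required_pcr."""
        self._sealed.append((required_pcr, secret))
        return len(self._sealed) - 1

    def unseal(self, handle: int) -> bytes:
        required_pcr, secret = self._sealed[handle]
        if not hmac.compare_digest(required_pcr, self.pcr):
            raise PermissionError("PCR policy not satisfied: platform state differs")
        return secret

    def quote(self, nonce: bytes) -> tuple:
        """Return (pcr, tag); the verifier's nonce binds the quote to this request."""
        return self.pcr, hmac.new(self._ak, nonce + self.pcr, HASH).digest()

    def ak_for_verifier(self) -> bytes:
        # With a real TPM the verifier holds only the public half of the AK.
        return self._ak


def verify_quote(ak: bytes, nonce: bytes, pcr: bytes, tag: bytes, golden_pcr: bytes) -> bool:
    """Remote attestation check: authentic tag, our nonce, and the expected state."""
    expected = hmac.new(ak, nonce + pcr, HASH).digest()
    return hmac.compare_digest(expected, tag) and hmac.compare_digest(pcr, golden_pcr)


# Constructed sample boot chains (not measurements from any real system).
GOOD_BOOT = [b"firmware 1.2", b"bootloader 3.0", b"kernel 6.8"]
TAMPERED_BOOT = [b"firmware 1.2", b"bootloader 3.0 (modified)", b"kernel 6.8"]
GOLDEN_PCR = measured_boot(GOOD_BOOT)   # recorded once from a known-good boot


def boot_and_unseal(components) -> Optional[bytes]:
    """Simulate a boot, then try to release a disk key sealed to GOLDEN_PCR."""
    tpm = ToyTPM()
    handle = tpm.seal(b"disk-key", GOLDEN_PCR)
    for component in components:
        tpm.extend(component)
    try:
        return tpm.unseal(handle)
    except PermissionError:
        return None          # e.g. BitLocker falls back to a recovery key here


def boot_and_attest(components, verifier_nonce: bytes) -> bool:
    """Simulate a boot, then have a remote verifier check a quote against GOLDEN_PCR."""
    tpm = ToyTPM()
    for component in components:
        tpm.extend(component)
    pcr, tag = tpm.quote(verifier_nonce)
    return verify_quote(tpm.ak_for_verifier(), verifier_nonce, pcr, tag, GOLDEN_PCR)


if __name__ == "__main__":
    print("good boot unseals:", boot_and_unseal(GOOD_BOOT))
    print("tampered boot unseals:", boot_and_unseal(TAMPERED_BOOT))
    print("attestation of good boot:", boot_and_attest(GOOD_BOOT, os.urandom(16)))
    print("attestation of tampered boot:", boot_and_attest(TAMPERED_BOOT, os.urandom(16)))
```

Two properties worth noticing when running it: the extend operation is one-way and order-sensitive, so a modified bootloader, or the same components measured in a different order, yields a different PCR and the sealed key stays locked; and the verifier's nonce is part of the quoted data, so a recorded quote from an earlier good boot cannot be replayed to satisfy a later attestation request.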
Widespread adoption was driven by requirements from Microsoft for systems running Windows Vista and later. Major uses include enabling BitLocker Drive Encryption on Windows 10 and Windows 11, and FileVault on macOS. In enterprise environments, it is used for network access control via protocols like IEEE 802.1X. Cloud platforms like Microsoft Azure and Google Cloud Platform utilize virtual TPMs for virtual machine security. The module is also integral to implementing HSM-like functions in consumer devices.
Critics, including the Electronic Frontier Foundation, have raised concerns about the potential for DRM enforcement and reduced user control. Technical vulnerabilities have been discovered, such as the ROCA vulnerability affecting Infineon libraries, and attacks like TPM-Fail, which exploited timing leaks. Researchers have demonstrated cold boot attacks against some implementations, and the reliance on the deprecated SHA-1 algorithm in earlier versions has been a point of contention. The integration with proprietary firmware such as the Intel Management Engine has also drawn scrutiny from security researchers.