ISSUE

Information about differences, supported applications and features of TPM1.2, 2.0 and firmware-based TPM (fTPM).

RESOLUTION | Short

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessors that can securely store critical data such as passwords, certificates and encryption keys. TPM is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes within computing devices as well as for secured storage of critical data. TPMs are typically used in business laptops, routers and embedded and IoT devices. The technical TPM specification was written by an industry consortium called Trusted Computing Group (TCG).

 

Popular types of TPM

• DISCRETE TPM (TPM 1.2 & TPM 2.0)
  Discrete TPM provides the highest level of security. The intent of this level is to ensure that the device it?s protecting does not get hacked via even sophisticated methods. To accomplish this, a discrete chip is designed, built and evaluated for the highest level of security that can resist tampering with the chip, including probing it and freezing it with all sorts of sophisticated attacks.
  
• INTEGRATED TPM
  Integrated TPM is the next level down in terms of security. This level still has a hardware TPM but it is integrated into a chip that provides functions other than security. The hardware implementation makes it resistant to software bugs, however, this level is not designed to be tamper-resistant.
  
• FIRMWARE TPM (fTPM)
  Firmware TPM is implemented in protected software. The code runs on the main CPU, so a separate chip is not required. While running like any other program, the code is in a protected execution environment called a trusted execution environment (TEE) that is separated from the rest of the programs that are running on the CPU. By doing this, secrets like private keys that might be needed by the TPM but should not be accessed by others can be kept in the TEE creating a more difficult path for hackers. In addition to the lack of tamper resistance, the downside to the TEE or firmware TPM is that now the TPM is dependent on many additional aspects to keep it secure, including the TEE operating system, bugs in the application code running in the TEE, etc.
  
• SOFTWARE TPM
  Software TPM can be implemented as a software emulator of the TPM. However, a software TPM is open to many vulnerabilities, not only tampering but also the bugs in any operating system running it. It does have key applications: it is very good for testing or building a system prototype with a TPM in it. For testing purposes, a software TPM could provide the right solution/approach.

 

For more details please check Microsoft TPM recommendation guide.

RESOLUTION | Detailed

TPM 1.2 vs 2.0

TPM 2.0 products and systems have important security advantages over TPM 1.2, including:

• The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
• For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
• TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
• TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the TCG Algorithm Registry. Some TPMs do not support all algorithms.
• For the list of algorithms that Windows supports in the platform cryptographic storage provider, see CNG Cryptographic Algorithm Providers.
• TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
• Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
• TPM 2.0 offers a more consistent experience across different implementations.
• TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
• TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
• While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, an integrated component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on a general purpose SoC.

 

fTPM

Firmware-based TPM (fTPM) is a Trusted Platform Modules which is implemented in protected software. It operates using resources and context of a main CPU, so a separate chip is not required. Therefore own dedicated storage is not required.
fTPM relies on operating system to provide access to storage within the OS. Presence of an Endorsement Key (EK) certificate is one of the implications (of not having a own dedicated storage).

 

Supported applications and features

The following table defines which Windows features require TPM support.

 

 

Further information

• Troubleshoot the TPM
• TPM Group Policy settings
• TPM recommendations

*with reference to: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/