Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob

What is a TPM? What is it used for?

What is a TPM? What is it used for?

250 sign-ins First comment on blog 50 solutions authored

In this blog series, we will understand the various use cases of a Trusted Platform Module (TPM) and how it can be interfaced with a Raspberry Pi.

Firstly, what is a TPM?

TPM is a discrete hardware component that goes into all modern computers, laptops, and some IoT devices. It essentially provides additional security features to the host controller it interacts with. You might have seen padlocks behind traditional desktop CPUs which were used for securing the hard disk residing in them. These locks can be easily broken to obtain the hard disk and steal the data stored on it.

To eliminate this risk, Microsoft Windows uses BitLocker drive   technology that encrypts the hard disk and all the data on it using the TPM chip. TPM essentially generates a random key and uses it to encrypt the key used for disk encryption. So, a BitLocker protected hard disk cannot be removed from one computer and put into another computer to be booted and accessed. We need the key that was generated by the TPM to decrypt the disk which is impossible to obtain and this way, TPM solves an age-old problem of using padlocks to secure the hard disk. This is one of the simplest use cases of TPM.


snehapra_0-1675319234143.pngFigure 1: OPTIGATM TPM

But why an additional hardware component to do this?

Typically, the host processor or controller is resistant to logical attacks but not physical attacks, so we need a discrete device like TPM that enhances the security of the host controller. For example, let us consider data encryption where you use a symmetric secret key to encrypt your data. Now, let’s say you save that key somewhere on your system. There are several micro-architectural and physical attacks that can be performed to retrieve the key stored on the system and further use it to decrypt the data.

But if we have a discrete hardware component like TPM which is resistant to Side Channel Attacks (SCA) such as Fault Injection and Power analysis attacks, gaining access to the key stored in the TPM would be impossible.

To conclude, a TPM when integrated with a system enables a trusted computing environment for the user to perform various functionalities such as secure storage of secret data and credentials, encryption, signature generation/verification, confirmation of the system software state, and so on. OPTIGA™ TPM SLB 9670VQ2.0 uses SPI interface allowing easy system integration with the host.

So, who defines what a TPM should include?

The specifications for TPM are defined by an industry consortium called the Trusted Computing Group (TCG).  All the TPM manufacturers ensure that the TPMs are designed to meet the TCG specifications and requirements. The specification also includes what Common Criteria Evaluation Assurance Level and FIPS certification TPMs should be compliant with, which basically defines the level of security TPM offers.

Hierarchies in a  TPM:

Before we dive into the use cases of TPM, let us understand what hierarchies in TPMs mean. TPM2.0 has 3 persistent hierarchies: endorsement, platform, and storage. Keys created under this hierarchy survive system reboots or persistent in other words. It also has 1 ephemeral (short-lived) hierarchy called the null hierarchy, where the keys created under the null hierarchy do not survive system reboots.


snehapra_1-1675319234148.pngFigure 2: TPM2.0 hierarchies

The cryptographic root of each hierarchy is a ‘seed’ which is nothing but a random number generated by the TPM. This seed is never exposed outside the TPM's secure boundary. So, we can always regenerate keys rather than storing them, by applying a deterministic cryptographic key-generation algorithm on these seeds such as RSA and ECC. For null hierarchy, the seed value changes between power cycles and is not persistent throughout. This would lead to different ephemeral keys every time.

We will understand some of the most common use cases of TPM in the upcoming blogs.

Links to explore further:

1 Comment