What is a Trusted Platform Module (TPM) and How Does a TPM Work?

DATE: January 4, 2023
What Is a TPM and Why Is It Important?

We often do not notice many processes while our PC is running. However, that does not mean that those processes and the elements responsible for them are not important. One of these critical pieces of computer tech is the hardware TPM, or Trusted Platform Module, a small chip that we are going to focus on in this article.

What Is a Trusted Platform Module?

A TPM, or Trusted Platform Module, is a chip that performs cryptographic operations on behalf of your computer and keeps the keys it uses inside itself; it can be fitted as a separate hardware device on the motherboard. Its purpose is loosely similar to two-factor authentication on a website: after you enter your login and password, the site sends a confirmation code by SMS, or calls you and asks for the last digits of the calling number, and without that second proof you do not get in. The TPM plays the "second factor" for the machine itself: even with the disk in hand, an attacker still needs a key that only this particular chip will release.

TPM technology works in a comparable way. If the motherboard carries a TPM and the firmware records platform measurements in it, then every time the machine is powered on the firmware and boot loader hash each component they load (firmware code, boot configuration, boot loader) and "extend" those hashes into the TPM's Platform Configuration Registers (PCRs). Secrets such as the disk encryption key are sealed to the PCR values of a known-good boot. If the measurements match, the TPM releases the key and the computer starts as usual. If anything differs, for example because the boot loader was replaced, the TPM refuses to unseal the key, the data stays encrypted and the platform remains protected. Note that the TPM itself is passive: it does not inspect the PC, it records what the boot code reports and only answers requests whose conditions are met.

How Does a TPM Work?

When you press the power button on your PC, the firmware begins measuring the boot chain into the TPM's PCRs. If the resulting values match the ones the disk key was sealed against, the key is released, the operating system loads and the machine works as usual. If any value differs, the key is not released, the volume stays encrypted and nothing useful can be extracted from the drive without the recovery key. Typical reasons the TPM will not release the key are:

  • The HDD or SSD has been moved to another computer (the sealed key is bound to the original TPM)
  • The firmware or boot configuration has changed, for example after a firmware update, a change of boot order or toggling Secure Boot
  • A boot component has been modified, such as a boot loader replaced by a bootkit, which changes the measured hashes
  • Too many wrong PIN or password attempts have triggered the TPM's dictionary-attack lockout


Internally, the TPM's job is to hold cryptographic keys and measurements in a way that software cannot read or alter, following the Trusted Computing Group (TCG) specifications. The chip holds a Storage Root Key that never leaves it; the disk encryption key is stored on the drive only in sealed form, encrypted under a TPM-held key and tied to the expected PCR values. Without the TPM unsealing it, the data on the drive is unusable, because the whole volume is ciphertext under full-disk encryption.
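To make the sealing logic concrete, here is a small added simulation (example code written for this article, not Helenix's code and not any TPM vendor's implementation) of what the previous sections describe: the firmware extends measurements into a PCR, a disk key is sealed to the resulting value, and unsealing is attempted after a normal boot, after a boot with a replaced boot loader, after the same components measured in a different order, and on a different TPM. The component names, the use of PCR 7 only, and the HMAC/XOR wrapping are constructed stand-ins for a real TPM 2.0, which wraps sealed data with AES under the Storage Root Key and checks the policy digest in an authorization session.

```python
"""Simulation of measured boot and TPM sealing (added example, not real TPM code).

Constructed model: PCR extend, a PolicyPCR-style digest, and seal/unseal of a
disk key bound to that digest. A real TPM 2.0 wraps sealed data under the
Storage Root Key with AES and enforces the policy in an authorization session;
here the wrapping key is HMAC(srk_secret, policy_digest) and "encryption" is a
32-byte XOR, which is enough to show the behaviour.
"""
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).

    A PCR can only be extended, never set, so the final value depends on
    every component and on the order in which they were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Firmware behaviour: the PCR starts at zero at power-on and each boot
    component is extended in the order it is loaded."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def policy_pcr_digest(pcr_values: dict) -> bytes:
    """Approximation of TPM2_PolicyPCR: a digest over the selected PCR
    indices and their expected values (assumed, simplified encoding)."""
    h = hashlib.sha256()
    for index in sorted(pcr_values):
        h.update(bytes([index]) + pcr_values[index])
    return h.digest()


class SimTpm:
    """One TPM chip. Its SRK secret is generated inside and never exported."""

    def __init__(self) -> None:
        self._srk_secret = os.urandom(32)

    def _wrap_key(self, policy: bytes) -> bytes:
        return hmac.new(self._srk_secret, policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_values: dict) -> dict:
        """Return a blob that can be stored on disk: it is only useful to this
        TPM, and only while the PCRs match pcr_values."""
        assert len(secret) == 32, "model supports 32-byte keys (e.g. a VMK)"
        policy = policy_pcr_digest(pcr_values)
        key = self._wrap_key(policy)
        ct = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, current_pcrs: dict):
        """Return the secret, or None when the TPM refuses to release it."""
        if policy_pcr_digest(current_pcrs) != blob["policy"]:
            return None  # boot measurements differ from sealing time (policy failure)
        key = self._wrap_key(blob["policy"])
        expected_tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, blob["tag"]):
            return None  # blob was sealed by a different TPM (e.g. disk moved)
        return bytes(a ^ b for a, b in zip(blob["ct"], key))


# Constructed stand-ins for the hashed boot components of a known-good boot.
GOOD_BOOT = [b"UEFI firmware build 1.2", b"bootmgfw.efi", b"BCD boot configuration"]


def scenario() -> dict:
    """Seal a disk key on TPM A to PCR 7 of a good boot, then try to unseal it
    after a normal boot, a boot with a replaced boot loader, a boot with the
    same components in a different order, and on a second TPM with the disk
    moved across."""
    tpm_a = SimTpm()
    vmk = os.urandom(32)                      # the volume master key to protect
    sealed = tpm_a.seal(vmk, {7: measure_boot(GOOD_BOOT)})

    normal = tpm_a.unseal(sealed, {7: measure_boot(GOOD_BOOT)})
    bootkit = tpm_a.unseal(sealed, {7: measure_boot(
        [b"UEFI firmware build 1.2", b"bootkit.efi", b"BCD boot configuration"])})
    reordered = tpm_a.unseal(sealed, {7: measure_boot(list(reversed(GOOD_BOOT)))})
    moved = SimTpm().unseal(sealed, {7: measure_boot(GOOD_BOOT)})

    return {
        "normal_boot_releases_key": normal == vmk,
        "replaced_bootloader_refused": bootkit is None,
        "reordered_boot_refused": reordered is None,
        "disk_moved_to_other_tpm_refused": moved is None,
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The two refusal paths are deliberately different: a tampered or reordered boot fails the policy check before any key is touched, while a disk moved to another machine passes the policy check (the PCR values can be identical) and fails only because the other chip's SRK derives a different wrapping key.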

TPM Uses and Benefits

TPMs are ubiquitous in the equipment of many industries. Moreover, standards and certification programs such as FIPS 140 (validation of cryptographic modules) push organizations toward hardware-backed key storage, and a built-in TPM is the usual way to provide it. Those requirements are meant to counter unauthorized access and guarantee that the platform remains trustworthy through hardware-based security. Examples of such industries are automotive and healthcare.

In healthcare, keeping personal data confidential is of the utmost importance, so complete data protection is required, down to the hardware security chips that hold the encryption keys.

When it comes to the automotive industry, cars are increasingly dependent on the digital devices inside them. If your car's electronic system is broken into by an intruder, a variety of problems can occur, from turning off the heated seats to destabilizing the steering. Among other things, a TPM can generate encryption keys, hold the Storage Root Key that protects other keys, record boot measurements that let software detect tampering or malware before the system is trusted, and protect software licenses.

How Does Windows Use TPMs and Why Are they Required?

Since Windows Vista introduced BitLocker, and more broadly since Windows 7, Microsoft has been actively using the TPM for reliable and simple authorization. Windows features that rely on the TPM include:

  • Windows Hello – biometric or PIN sign-in; the credential key pair is generated and protected inside the TPM, so the biometric template or PIN never leaves the device.
  • Brute-force attack protection – the TPM's dictionary-attack lockout limits how many wrong PIN attempts can be made, so the device password cannot be guessed by simply enumerating all possible options.
  • BitLocker drive encryption – encryption at the data storage level; the volume key is sealed to the TPM, so if a BitLocker-protected drive is lost, the data stays encrypted unless the recovery key is available.
  • Virtual smart cards – the same as physical smart cards, used for authentication; the TPM takes over the functions of the physical smartcard chip (now deprecated by Microsoft in favour of Windows Hello for Business).
  • Measured boot – measurement of the Windows configuration at boot helps to identify critical changes in the Windows configuration or the presence of malware in the operating system.
  • Device health attestation – the TPM signs a quote over its PCR values with an attestation key, and a remote service verifies the signature and values to confirm the system configuration at that moment.
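To show why the dictionary-attack lockout in the list above defeats PIN guessing even though a PIN has few possible values, here is an added model (example code written for this article, not Microsoft's code and not a TPM vendor's implementation) of the TPM 2.0 lockout counter: each failed authorization increments failedTries, the chip answers TPM_RC_LOCKOUT once maxTries is reached, and the counter decays by one every recoveryTime seconds. The 32 tries / 10 minutes values and the 6-digit PIN are assumed for illustration, and the clock is simulated so the block runs instantly.

```python
"""Model of the TPM 2.0 dictionary-attack (DA) lockout (added example, not
real TPM or Windows code). Parameter values are assumed for illustration."""
import hmac

DAY_SECONDS = 86_400


class DictionaryAttackLockout:
    """failedTries counter with TPM 2.0 DA semantics: after max_tries failures
    the TPM answers TPM_RC_LOCKOUT; one failure is forgiven every recovery_time
    seconds. A successful authorization does not clear the counter in this
    model; the counter recovers with time or via lockoutAuth
    (TPM2_DictionaryAttackLockReset), which is not modelled here."""

    def __init__(self, max_tries: int = 32, recovery_time: int = 600) -> None:
        self.max_tries = max_tries
        self.recovery_time = recovery_time
        self.failed_tries = 0
        self._decay_clock = 0.0  # time base for the recovery countdown

    def _recover(self, now: float) -> None:
        if self.failed_tries == 0:
            return
        steps = int((now - self._decay_clock) // self.recovery_time)
        if steps > 0:
            self.failed_tries = max(0, self.failed_tries - steps)
            self._decay_clock += steps * self.recovery_time

    def try_auth(self, pin: bytes, correct_pin: bytes, now: float) -> str:
        """One authorization attempt at simulated time `now` (seconds)."""
        self._recover(now)
        if self.failed_tries >= self.max_tries:
            return "TPM_RC_LOCKOUT"           # refused without even checking the PIN
        if hmac.compare_digest(pin, correct_pin):
            return "TPM_RC_SUCCESS"
        if self.failed_tries == 0:
            self._decay_clock = now           # countdown starts at the first failure
        self.failed_tries += 1
        return "TPM_RC_AUTH_FAIL"


def sustained_guesses_per_day(recovery_time: int) -> float:
    """Once locked out, an attacker gets exactly one new guess per recovery_time."""
    return DAY_SECONDS / recovery_time


def expected_days_to_guess(space_size: int, recovery_time: int) -> float:
    """Expected time to hit a uniformly random PIN by exhaustive guessing,
    ignoring the initial burst of max_tries, which is negligible here."""
    return (space_size / 2) / sustained_guesses_per_day(recovery_time)


def burst_attack(guesses: int, max_tries: int = 32, recovery_time: int = 600) -> dict:
    """Attacker fires `guesses` wrong PINs back to back at t=0, then retries
    just before and just after the recovery period. Returns the TPM's answers."""
    tpm = DictionaryAttackLockout(max_tries, recovery_time)
    correct = b"482913"                       # constructed PIN, unknown to the attacker
    answers = [tpm.try_auth(b"000000", correct, now=0.0) for _ in range(guesses)]
    return {
        "checked": answers.count("TPM_RC_AUTH_FAIL"),
        "locked_out": answers.count("TPM_RC_LOCKOUT"),
        "just_before_recovery": tpm.try_auth(b"000001", correct, now=recovery_time - 1),
        "after_recovery": tpm.try_auth(b"000002", correct, now=recovery_time),
        "immediately_again": tpm.try_auth(b"000003", correct, now=recovery_time),
    }


if __name__ == "__main__":
    print(burst_attack(1000))
    print(f"{sustained_guesses_per_day(600):.0f} guesses/day after lockout; "
          f"6-digit PIN: ~{expected_days_to_guess(10**6, 600) / 365:.1f} years")
```

With the assumed parameters, a thousand rapid guesses yield only 32 real checks, and afterwards the attacker is throttled to 144 guesses per day, so a random 6-digit PIN takes on the order of 9.5 years to find on average. This is why a short PIN is acceptable only when the TPM, not the operating system, enforces the attempt limit.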

How to Check Your TPM’s Status?

You can find out whether your device is equipped with a Trusted Platform Module in the device's security settings. For example, on a device running Windows 10:

  1. Press the Windows key, type Device security and open the result (a page of the Windows Security app).
  2. Select the Security processor details section.
  3. If your device has a TPM, the security processor's manufacturer, version and status are shown here; if the section is missing, Windows has not found a TPM.

TPMs are divided into built-in (firmware) and discrete (also called dedicated) ones. A discrete TPM is a separate tamper-resistant chip with its own certification, and it typically supports more cryptographic algorithms and features; a firmware TPM runs inside the main processor's trusted execution environment. Ordinary users rarely need the extra assurance of a discrete chip, so discrete TPMs are more often found in laptops designed for commercial use, because corporate devices store more sensitive data and their protection is often mandated by company security policies as well as local laws.

Why Doesn’t My TPM Show Up?

If your TPM has stopped showing up, or is not active by default on a new device, there are several possible reasons. Some boards pair a CPU that has a firmware TPM (Intel PTT or AMD fTPM) with a header for a discrete TPM, and the UEFI setting may default to the discrete option even when no module is fitted. In that case select the firmware TPM in UEFI; on older boards this option may only appear after a BIOS/UEFI update from the board vendor.

Another reason could be a problem with the TPM drivers. If that is the case, install the latest drivers for your TPM; you can usually find them on the security chip manufacturer's or the device vendor's website.

In addition, the problem may be in the UEFI settings. Many motherboards based on Intel and AMD chipsets ship with the firmware TPM disabled by default. Look for it in the Security section under the Trusted Computing subcategory (it may be labelled Intel PTT or AMD fTPM), make sure it is enabled, and check that it has not been hidden from the operating system.

TPM 2.0 Explained

Like all hardware security components, older TPM models eventually stop meeting current requirements: TPM 1.2 is limited to SHA-1 and RSA, and its authorization model is rigid. The Trusted Computing Group therefore published the TPM 2.0 Library Specification, which was later approved as the international standard ISO/IEC 11889. A TPM 2.0 chip performs the same basic functions as earlier versions: it protects artifacts under a Storage Root Key that the TPM derives from a seed held in its non-volatile memory and never exports, and it does so in a way that meets modern device and data security requirements.

TPM 2.0 added algorithm agility (SHA-256 and ECC alongside SHA-1 and RSA, with room for further algorithms), multiple PCR banks, enhanced authorization (policies that can combine PCR state, passwords, signatures and time) and several key hierarchies, which improves both key management and the handling of platform measurements. This is why Windows 11 requires a TPM 2.0 rather than 1.2: features such as Windows Hello, BitLocker and device health attestation are built on the newer chip's capabilities.

You can view the TPM version installed on your computer by running tpm.msc (Win+R, then type tpm.msc) and reading the Specification Version field in the TPM Manufacturer Information section of the window that opens.

Different Types of TPM Implementations

TPMs differ from each other in terms of form factor as follows:

Discrete TPM – a dedicated, tamper-resistant chip attached to the motherboard (soldered or on a header), built to the Trusted Computing Group specifications. Its advantages are physical tamper resistance and isolation from the rest of the platform, so a software failure elsewhere cannot compromise it.

Integrated TPM – a TPM implemented as a separate hardware block inside another chip (for example the chipset or SoC); like a discrete TPM it relies on hardware tamper resistance.

Firmware TPM – a TPM that runs in the main processor's trusted execution environment (Intel PTT, AMD fTPM). It is isolated from the operating system by the CPU, but it shares silicon with everything else and offers less physical tamper resistance than a dedicated chip.

Software TPM – a TPM emulated entirely in software; it has a higher risk of third-party attacks, software failures and bugs and is suitable for development and testing rather than protecting real secrets.

Virtual TPM – a TPM provided to virtual machines by the hypervisor, used to bring measured boot and disk encryption to virtual environments; its security rests on the host.

TPM and Windows 11 Features

With TPM 2.0 as a requirement, Microsoft aims to make Windows 11 both simple and secure. For example, many users already appreciate fingerprint or face authentication, and more features of this kind are expected. The TPM 2.0 requirement is also a response to the frequent attacks on Microsoft products. Some worry that relying on such hardware will restrict their PC in the way that locked-down editions of Windows 10 or some macOS versions are restricted today, but these restrictions are unlikely to affect most users migrating to Windows 11.

Conclusion

The TPM is an integral part of today’s computers that provides important security features for user data. Many features in our devices work securely thanks to TPM and its role will become even more important in future Windows Security Updates. You can learn about other interesting and relevant topics related to the security of PC tech and cryptographic protection by reading the Helenix blog.

FAQ

What is a TPM?

A TPM, or Trusted Platform Module, is a chip used to secure a computer through encryption and other cryptographic operations. It records the state of the system at boot and refuses to release its keys, so data cannot be extracted, when that state does not match what is expected.

How do I know whether my PC has a TPM?

You can find out in Windows by running tpm.msc. If it shows information about the TPM, your PC has one. If you see a "Compatible TPM cannot be found" message instead, either your PC has no TPM or the TPM is disabled. You can also check in the UEFI settings.

How do I check whether my TPM is enabled?

This can be done both with tpm.msc and in the UEFI settings. In the UEFI settings you can see whether the TPM is enabled and, on boards that offer both, choose between the firmware TPM and a discrete module.

How do I clear the TPM?

The Windows Security app will help you clear the TPM. Go to Device security, choose Security processor details and click Security processor troubleshooting, then select Clear TPM. You will be prompted to restart the PC, and after the restart Windows re-initializes the TPM automatically. Clearing the TPM destroys every key it holds, including those BitLocker and Windows Hello depend on, so suspend BitLocker or have the recovery key at hand and expect to set up Windows Hello again afterwards.