Hardware: TPM module


In this article we’ll see what a TPM module is, get some details about TPM on Linux, Windows and macOS, and look at some of the advantages of adopting Trusted Computing.

A bit of history of the TPM

TPM chips have been fitted to PC boards for a long time, but they never really reached mainstream popularity because little software made use of them. In the past few years this has started to change, mostly because operating systems like Windows and Linux now ship components that rely on the chip (measured boot and sealing disk-encryption keys to it, for instance). On top of that, newer TPM designs have been validated under the Federal Information Processing Standards (FIPS 140-2, more info here; the TCG guidelines are here) and, obviously, the topic has had more media coverage.

Why do we need TPMs?

Basically it is because PCs were not designed with security in mind, and over the years engineers realised those original design decisions had to be mitigated. The engineers who set out to address the lack of security in PC hardware got together and founded the Trusted Computing Group (TCG), which still works on newer and improved TPM designs. The requirements for a TPM can be found in the specifications on the TCG website.

What is a TPM?

A TPM (Trusted Platform Module) is a secure crypto-processor that improves the security of the platform by generating, storing and using cryptographic keys inside the chip, so that they are never exposed in clear to the host.

It is usually a 28-pin chip (either a purpose-built security microcontroller or an ARM-core based one) with a certain amount of non-volatile memory (how much depends on the model and manufacturer).

Are TPM modules interchangeable? All discrete TPMs implement the same TCG specification, so the operating system talks to them in the same way, but they are not physically interchangeable. Manufacturers either solder the chip on the motherboard or put it on a small add-on PCB that plugs into a vendor-specific header (pin counts such as 11 or 17 are common, but the pinout, the bus used, LPC or SPI, and the board dimensions differ between vendors). So, if your computer or motherboard comes without one, look for the TPM add-on module that your motherboard vendor lists for that exact model.

SoC computers like the Raspberry Pi have third-party companies building TPM add-on boards, so you can search for one to experiment with on your RPi (an example is this one here). Please note: from the Raspberry Pi 4 onwards the Pi offers full and accessible ARM TrustZone support; the Pi 3B+ has some TrustZone support too, but the Pi 4 is where it becomes properly usable.

In general the TPM chip is not particularly fast at processing data (on some TPMs certain operations, RSA key generation for example, can take several seconds to complete), so if you were planning to offload bulk cryptographic work to the TPM, think again: it is designed to protect keys, not to be a fast crypto accelerator.

Platform Configuration Registers

The main feature offered by the TPM is the set of PCRs (Platform Configuration Registers). These are used to “provide a method to cryptographically record (measure) software state: both the software running on a platform and configuration data used by that software” (Arthur, Challener, Goldman, January 2015). In other words each register holds a running hash of what has been loaded on the system: a register cannot be written directly, it can only be extended, which sets it to the hash of its old value concatenated with the new measurement (PCR = H(PCR || H(component))). The resulting values can be compared with the expected ones for a known-good system, or used to seal keys so that they are only released when the measurements match (for example at boot time, which is a security-critical phase). However, the TPM cannot measure anything by itself, so the firmware, the boot loader, the kernel or the application has to be designed to measure components and extend the result into the TPM.

Modern operating systems like Linux or Windows can do that, and so, generally, the minimal requirement is to enable the TPM in the BIOS/UEFI setup and configure the OS to use it (on Windows this is mostly transparent to the user, while on Linux it still requires some manual work, as we have seen in my previous article).

On a side note, PCRs are also used by Intel Trusted Execution Technology (Intel TXT, formerly known as LaGrande Technology), which records its own launch measurements in the dynamic PCRs 17 to 22.

Measured Boot

When Windows, Linux or another OS uses the TPM at boot time, the boot process is known as a “Measured Boot”, and it works like this: each stage of the boot chain (platform firmware, boot loader, kernel) computes a cryptographic hash of the next component before handing control to it, extends that hash into a PCR and records the event in a log. Any modification to a boot component changes its hash, and therefore the value that ends up in the PCR. This is the “measurement” that gives the process its name. Note what measured boot does and does not do: it does not stop a modified component from running (that is the job of Secure Boot, which verifies signatures); it records what ran, so that the values can be checked afterwards, either locally (for instance by refusing to unseal a disk-encryption key if the PCRs do not match) or by a remote attestation service.
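The extend-and-replay mechanics described in the two sections above, as an added example that is not part of the original article: the script simulates a TPM’s PCR bank in software (no TPM is needed to run it), boots a constructed list of sample “components”, extends each measurement into the PCR that the PC Client layout would use for it, and then shows that tampering with one component changes exactly one register and that the event log can be replayed to reproduce the PCR values, which is what an attestation verifier does. The component names, the PCR assignments and the SoftPcrBank class are assumptions made for this illustration; the extend formula is the TCG one, and the bank can be run with sha1 (TPM 1.2) or sha256 (TPM 2.0).

```python
"""Measured boot in software: simulate PCR_Extend and replay an event log.

Added example, not code from the original article and not a real TPM
interface.  The PCR_Extend rule is the real one:
    PCR[i] = H(PCR[i] || H(component))
Everything else (component blobs, PCR assignments) is constructed sample data.
"""
import hashlib

# Constructed sample boot components (in reality: firmware volumes, the boot
# loader, the kernel, the initrd ...).  Each is mapped to the PCR index it is
# measured into, following the usual PC Client layout: PCR 0 firmware code,
# PCR 4 boot manager code, PCR 8/9 used by common boot loaders for the kernel
# and initrd.  The assignment is an assumption for this example.
BOOT_COMPONENTS = [
    (0, b"firmware-image-v1"),
    (4, b"bootloader-stage1"),
    (8, b"vmlinuz-5.10"),
    (9, b"initrd.img"),
]


class SoftPcrBank:
    """One PCR bank: one hash algorithm ('sha1' for TPM 1.2, 'sha256' is the
    baseline bank on TPM 2.0), 24 registers, all zero at power-on."""

    def __init__(self, alg="sha256", count=24):
        self.alg = alg
        self.size = hashlib.new(alg).digest_size
        self.pcrs = [bytes(self.size)] * count
        self.event_log = []  # (pcr index, digest) in the order they happened

    def extend(self, index, digest):
        # PCR_Extend: the register can never be set directly, only folded
        # forward.  Order matters: extending A then B != B then A.
        self.pcrs[index] = hashlib.new(self.alg, self.pcrs[index] + digest).digest()

    def measure(self, index, data):
        """What firmware / boot loader does for each component: hash it, log
        it, extend the hash into the PCR, then hand control over."""
        digest = hashlib.new(self.alg, data).digest()
        self.event_log.append((index, digest))
        self.extend(index, digest)
        return digest

    def read(self, index):
        return self.pcrs[index].hex()


def boot(components, alg="sha256"):
    """Simulate one boot: measure every component into a fresh bank."""
    bank = SoftPcrBank(alg)
    for index, blob in components:
        bank.measure(index, blob)
    return bank


def replay_log(event_log, alg="sha256", count=24):
    """Recompute PCR values from the event log alone.  A verifier (local or
    remote attestation) does this and compares the result with the PCRs."""
    bank = SoftPcrBank(alg, count)
    for index, digest in event_log:
        bank.extend(index, digest)
    return bank.pcrs


def log_matches_pcrs(bank):
    """True if the event log explains the PCR values exactly."""
    return replay_log(bank.event_log, bank.alg, len(bank.pcrs)) == bank.pcrs


def changed_pcrs(bank_a, bank_b):
    """Indices whose value differs between two boots; localises what changed."""
    return [i for i, (x, y) in enumerate(zip(bank_a.pcrs, bank_b.pcrs)) if x != y]


if __name__ == "__main__":
    good = boot(BOOT_COMPONENTS)
    # Same firmware and boot loader, but the kernel was replaced.
    tampered = [(i, b"vmlinuz-5.10-backdoored" if i == 8 else blob)
                for i, blob in BOOT_COMPONENTS]
    bad = boot(tampered)
    print("PCR[8] clean   :", good.read(8))
    print("PCR[8] tampered:", bad.read(8))
    print("registers that changed:", changed_pcrs(good, bad))   # [8]
    # A log edited after the fact no longer replays to the PCR values.
    bad.event_log[2] = (8, good.event_log[2][1])   # claim the clean kernel ran
    print("edited log still matches PCRs?", log_matches_pcrs(bad))   # False
```

Two properties worth noticing when you run it: the tampered kernel only changes PCR 8, so a verifier can tell which stage was altered, and the forged log fails the replay because PCR 8 can only be reached by the exact sequence of extends that actually happened; an attacker who controls the host after boot can rewrite the log but cannot rewind the register.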

TPM Types

There are five types of TPM implementations:

  1. Discrete TPM (also called dTPM): a dedicated physical chip, either soldered on the motherboard or mounted on a small add-on PCB that plugs into a special header on the motherboard.
  2. Integrated TPM: part of another chip (same general concept as an integrated GPU). Intel offers integrated TPMs in some of its chipsets.
  3. Software TPM: simply a software emulator of a TPM. It runs like any other program on your system and therefore has no more protection than a regular application; it is useful for development and testing, not for protecting keys.
  4. Virtual TPM (or vTPM): generally provided by a hypervisor to its guests. This type of software TPM relies on the hypervisor to run it in an isolated execution environment, so it is only as trustworthy as the hypervisor itself.
  5. Firmware TPM (also called fTPM): firmware that provides the same functions as a discrete TPM but runs in a trusted execution environment on the main processor or on the platform controller instead of on a dedicated chip. Intel calls its fTPM PTT (Platform Trust Technology) and runs it in the management engine; AMD’s fTPM runs on the Platform Security Processor; on ARM platforms the fTPM is typically hosted in a TrustZone trusted OS (TrustZone itself is an isolation mechanism, not a TPM).

Please note: do not confuse Firmware TPM with TPM firmware (I know this sounds a little funky). The first is a firmware/software-only TPM, so the host CPU (or its security co-processor) executes the TPM functions; the second is the firmware contained inside a physical TPM chip. Some TPM chips can have that firmware updated, but not all of them.

Last but not least, some laptop vendors have started to provide “software upgrade” tools to move older TPM 1.2 chips to TPM 2.0. I am not going to dig into this since each vendor has its own toolset, but Dell is one of the vendors offering such an upgrade for some laptop models like the XPS 13, so it is worth checking: here is Dell’s link to update TPM 1.2 and here is Dell’s link to update TPM 2.0. One caveat applies to any of these tools: the upgrade clears the TPM, so anything sealed to it (BitLocker keys, for example) must be suspended or backed up first, or you will lock yourself out of your own disk.

A special note for Apple Mac users: in recent years Apple has developed its own T1 and then T2 security chip. This chip is not a TPM (it does not implement the TCG interface), although it provides comparable functions, secure boot, key storage and disk encryption, in an integrated form. Apple’s Tn chip does a lot more than a typical TPM: it contains a Secure Enclave that processes and encrypts fingerprints for Touch ID and holds the keys for the encrypted SSD, it integrates the SMC (System Management Controller), and it keeps tabs on the microphone and FaceTime camera (so as to make it much harder for an attacker to reach those devices). The T1/T2 chips run a separate embedded OS (eOS on the T1, bridgeOS on the T2, both derived from watchOS) and so run completely separately from macOS. On top of the security features, the T2 added new capabilities to Macs, such as improved colour correction of FaceTime camera images thanks to its integrated image signal processor. The T2 also integrates the audio controller and the SSD controller, so it clearly does far more than a standard TPM chip is designed to do.

TPM Standard

TPM is a standard and it is evolving: the original specifications were released under the TPM 1.2 name and there is now TPM 2.0. The two are different, and here you can find all the specification details and information (it is a lot of information and PDFs to read).

For the impatient reader: the biggest difference between TPM 1.2 and TPM 2.0 is that TPM 1.2 was designed around SHA-1 and RSA-2048 only, while TPM 2.0 is “algorithm agile”: the library specification does not hard-code the algorithms, so you need to check which ones your specific TPM 2.0 supports (the PC Client platform profile does require SHA-256 alongside SHA-1, RSA-2048, ECC P-256 and AES-128, so those are a safe baseline on PCs). One visible consequence is that a TPM 2.0 has several PCR banks, one per hash algorithm. TPM 2.0 can also host government-mandated algorithm suites such as the Chinese SM2/SM3/SM4 (now, don’t go conspiracy theorist here!) 🙂 TPM 2.0 also adds multiple key hierarchies and policy-based (“enhanced”) authorisation, which is what lets you bind the use of a key to a set of PCR values rather than just to a password.

TPM on common systems

Since mid-2016 Microsoft’s Windows 10 hardware certification requirements have required hardware vendors to implement TPM 2.0 on new computers, so all modern laptops (including gaming laptops) ship with a TPM 2.0 onboard (more info here).

Please note (1): if you want to know whether and which type of TPM your laptop/desktop has, refer to the vendor’s maintenance/service manual first or check your computer’s BIOS/UEFI setup. On a running Linux system the kernel exposes a detected TPM under /sys/class/tpm/ (tpm0 for the first one), and recent kernels report the specification version in the tpm_version_major attribute there.

Please note (2): at the time of writing, most low-end and gaming-class laptops ship with a firmware TPM, while business-class laptops ship with a discrete TPM.

While Windows 10 users will be fine on computers with TPM 2.0, Linux users (at least at the time of writing) will still have some problems: Linux has been slow to adopt the TPM 2.0 specification and most Linux tools are still developed around TPM 1.2. No worries, though: Linux will still boot fine on most modern laptops and desktops, the TPM will simply go unused until you configure it.

TPM 1.2 on Linux

So, now that you know everything about TPM and can check whether your system has TPM 1.2 or TPM 2.0 (and which type of TPM chip or firmware), if you have TPM 1.2 and want to configure Linux to use it, please click here and read my previous article on how to do that.

TPM 2.0 on Linux

If your system has TPM 2.0 then click here to read my article on how to configure Linux to use it.

[UPDATE: 2021-06-25]

Microsoft has released the hardware requirements for the new Windows 11, and they mandate (at the time of writing) that the machine has TPM 2.0; more details here.

[/UPDATE]

What next?

  • Read about what you can do with a TPM either as a software developer or as a system administrator here.
  • Read how to configure Linux to use your TPM 1.2 and how to check if your system has one here.
  • Read how to configure Linux to use your TPM 2.0 and how to check if your system has one here.

References:

Arthur, Challener, Goldman: A Practical Guide to TPM 2.0, pp. 151-161 (for the PCR information)

Microsoft: information about TPM 2.0 and Windows 10, click here

Linux Foundation presentation: TCG TPM2 Software Stack & Embedded Linux, click here

Linux TPM driver source repository on github.com


6 thoughts on “Hardware: TPM module”


  4. Great articles!
    But could you please either add the date for when this article was written, or at least in parentheses here:
    «… with TPM 2.0, Linux users (at least at the time of writing this article, YYYY-MM-DD) will still have some problem.»
