The Root of Trust
Intel Converged Security and Management Engine (CSME) is the silicon root of trust on Intel platforms. However, given the diverse nature of the ecosystem, an open, standards-based implementation was needed to foster innovation. Intel played a significant role in the introduction of the Trusted Platform Module (TPM) and the establishment of the Trusted Computing Group (TCG) to develop, define and promote open, vendor-neutral specifications and standards for a hardware-based root of trust. Today, most systems include a TPM, discrete or integrated, to securely store keys and the measurements used to verify system integrity.
Microsoft Windows has supported TPMs for more than 10 years. Critical technologies, such as Windows Hello and BitLocker rely on TPMs, which come in three implementation options, as defined by TCG:
- A discrete TPM is a separate component in its own semiconductor package.
- A firmware TPM runs in a Trusted Execution mode of a general-purpose computation unit or a general purpose security controller.
- An integrated TPM uses dedicated circuitry, as defined by TCG, integrated into one or more semiconductor packages, logically separate from other components.
New Windows Requirements
In June 2021, a Microsoft Windows 11 minimum system requirements announcement put a spotlight on the TPM as the hardware root-of-trust on which Microsoft Windows relies. The announcement was timely, as concerns continue to mount among IT professionals and PC users about recently published attacks on discrete TPMs.
Attacks on TPMs are shifting focus from the TPM's own protection mechanisms to the less-protected bus/transport interfaces, such as the LPC or SPI link between a discrete TPM and the chipset. Unless the caller asks for parameter encryption, a secret released by the TPM (for example, an unsealed key) crosses that link in the clear, where a logic analyzer can capture it.
Use Case #1: Protect your PC from discrete TPM Bus Attacks
TCG's TPM 2.0 specification offers a way to protect these channels: a session whose key is derived from a salt encrypted to a TPM key (and/or a bind object's authorization) can encrypt command and response parameters, so a bus observer sees only ciphertext and nonces. However, nothing is encrypted by default. It is largely up to software developers to set up such sessions and build the necessary protections for the secrets that are stored in, and released by, the TPM.
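The mechanism described above, as an added example that is not part of the original article or any Intel code: a pure-stdlib Python model of TPM 2.0 session parameter encryption in its XOR-obfuscation variant (TPM 2.0 Library Part 1, KDFa and "XOR Parameter Obfuscation"), showing what a bus sniffer sees during an Unseal with a salted session versus an unsalted one. The function names, the 32-byte sample secret and the nonces are constructed for the example; real callers obtain the salt encrypted to a TPM key through TPM2_StartAuthSession, which is not modelled here, and production TPMs normally use AES-CFB rather than XOR for the parameter itself.

```python
# Added example: TPM 2.0 session parameter encryption, XOR-obfuscation variant,
# in pure Python stdlib. Names, secret and nonces are constructed for the example;
# the salt exchange (encrypted to a TPM key in TPM2_StartAuthSession) is not modelled.
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256          # session hash algorithm assumed for the example
DIGEST_BITS = HASH().digest_size * 8


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """SP800-108 counter-mode KDF as specified by TPM 2.0 (KDFa).

    Each block is HMAC(key, counter || label || 0x00 || contextU || contextV || bits),
    counter and bits being 4-byte big-endian integers. Only whole-byte sizes are
    handled here; the spec additionally masks a leading partial byte.
    """
    if bits % 8:
        raise ValueError("this example only derives whole bytes")
    out, counter = b"", 0
    while len(out) < bits // 8:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, HASH).digest()
    return out[: bits // 8]


def session_key(salt: bytes, bind_auth: bytes, nonce_tpm: bytes, nonce_caller: bytes) -> bytes:
    """sessionKey = KDFa(hash, salt || bindAuth, "ATH", nonceTPM, nonceCaller, digest bits)."""
    return kdfa(salt + bind_auth, b"ATH", nonce_tpm, nonce_caller, DIGEST_BITS)


def xor_parameter(sess_key: bytes, auth_value: bytes, nonce_newer: bytes,
                  nonce_older: bytes, data: bytes) -> bytes:
    """XOR parameter obfuscation; the same call encrypts and decrypts.

    mask = KDFa(hash, sessionKey || authValue, "XOR", nonceNewer, nonceOlder, len(data) bits).
    For a response (TPM -> caller) nonceNewer is nonceTPM and nonceOlder is nonceCaller.
    """
    mask = kdfa(sess_key + auth_value, b"XOR", nonce_newer, nonce_older, len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, mask))


def unseal_over_bus(secret: bytes, salt: bytes, auth_value: bytes,
                    nonce_caller: bytes, nonce_tpm: bytes) -> dict:
    """Model one Unseal response on an unbound, encrypt-enabled session.

    Returns what crosses the bus (both nonces and the ciphertext; the salt never
    does in the clear) plus what the legitimate caller recovers.
    """
    # TPM side: derive the session key and obfuscate the unsealed data.
    tpm_key = session_key(salt, b"", nonce_tpm, nonce_caller)
    on_bus = xor_parameter(tpm_key, auth_value, nonce_tpm, nonce_caller, secret)
    # Caller side: it chose the salt, so it derives the same key and unmasks.
    caller_key = session_key(salt, b"", nonce_tpm, nonce_caller)
    recovered = xor_parameter(caller_key, auth_value, nonce_tpm, nonce_caller, on_bus)
    return {"nonce_caller": nonce_caller, "nonce_tpm": nonce_tpm,
            "ciphertext": on_bus, "recovered": recovered}


def sniffer_attempt(observed: dict, auth_value: bytes, salt_guess: bytes = b"") -> bytes:
    """What a bus observer can do: it sees both nonces but not the salt, so it
    can only try a guess (an unsalted session is exactly the case salt = b'')."""
    key = session_key(salt_guess, b"", observed["nonce_tpm"], observed["nonce_caller"])
    return xor_parameter(key, auth_value, observed["nonce_tpm"],
                         observed["nonce_caller"], observed["ciphertext"])


if __name__ == "__main__":
    secret = b"constructed 32-byte volume key!!"   # constructed sample, e.g. a sealed VMK
    salt = os.urandom(32)                          # in practice encrypted to a TPM key
    auth = b""                                     # sealed object with empty authValue
    seen = unseal_over_bus(secret, salt, auth, os.urandom(16), os.urandom(16))
    print("on the bus  :", seen["ciphertext"].hex())
    print("caller gets :", seen["recovered"])
    print("sniffer gets:", sniffer_attempt(seen, auth))
```

Two things the model makes concrete. First, the nonces are public (they are in every command and response), so all confidentiality comes from the salt or bind authorization: run the same code with an empty salt and an empty authValue and the sniffer's guess decrypts the parameter, which is why an unsalted, unbound session with encryption "enabled" protects nothing on the bus. Second, only the first parameter of a command or response is covered, so callers must still keep the secret-bearing parameter in that position. With tpm2-tools this setup is the tpm2_startauthsession / tpm2_sessionconfig pair; consult your version's man pages for the exact options.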
In the early days, it was cost-prohibitive for OEMs to ship a discrete TPM chip on every PC. Intel's integrated TPM option helped OEMs save on their PC bill of materials (BOM) cost, and because it lives inside the CSME rather than on a separate package, there is no external TPM bus for an attacker to probe.
Starting with 6th Gen Intel® Core™ processor-based business client platforms, Intel® Platform Trust Technology (Intel® PTT) fully adheres to the TPM 2.0 Specification. In addition, the Intel CSME security controller where Intel PTT resides has earned FIPS 140-2 Level 2 certification with its offload crypto subsystem circuitry and built-in secure key storage protections. The offload crypto subsystem circuitry with the Intel® Secure Key is designed to protect sensitive keys, even from the firmware running within the security engine. This is a critical feature for a sensitive application like a TPM.
Should a key compromise occur, Intel CSME 15.0 and above can rapidly re-key the platform with a feature called On-Die Certificate Authority (ODCA).
Use Case #2: Meeting Diverse Customer TPM requirements
Many customers continue to require TCG-certified TPMs as part of their purchase criteria. To support that need, Intel will continue to support customer choice to enable discrete TPMs. Intel PTT is typically turned off in the BIOS in configurations that also support a discrete TPM, so only one TPM is active at a time. Please refer to your PC OEM documentation for how to enable Intel PTT. To confirm which one is active on Windows, tpm.msc or the PowerShell cmdlet Get-Tpm reports the manufacturer of the TPM in use (ManufacturerIdTxt); Intel PTT reports as INTC.
Learn More
- A Holistic Approach to Security, Built on Trust and Transparency
- Intel Trusted Platform Module (TPM) Overview
- Intel® Hardware Shield
- The Intel vPro® Platform
- 12th Gen Intel® Core™ Processors
Notice and Disclaimers
Performance varies by use, configuration, and other factors. Learn more at www.Intel.com/PerformanceIndex.
Intel technologies may require enabled hardware, software or service activation.
Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates. See backup for configuration details. No product or component can be absolutely secure.
Your costs and results may vary.
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.