Trusted Platform Module


Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

History

Trusted Platform Module was conceived by a computer industry consortium called Trusted Computing Group, and was standardized by International Organization for Standardization and International Electrotechnical Commission in 2009 as ISO/IEC 11889.
TCG continued to revise the TPM specifications. The last revised edition of TPM Main Specification Version 1.2 was published on March 3, 2011. It consisted of three parts, based on their purpose. For the second major version of TPM, however, TCG released TPM Library Specification 2.0, which builds upon the previously published TPM Main Specification. Its latest edition was released on September 29, 2016, with several errata with the latest one being dated on January 8, 2018.

Overview

Trusted Platform Module provides
Computer programs can use a TPM to authenticate hardware devices, since each TPM chip has a unique and secret Endorsement Key burned in as it is produced. Pushing the security down to the hardware level provides more protection than a software-only solution.

Uses

The United States Department of Defense specifies that "new computer assets procured to support DoD will include a TPM version 1.2 or higher where required by DISA STIGs and where such technology is available." DoD anticipates that TPM is to be used for device identification, authentication, encryption, and device integrity verification.

Platform integrity

The primary scope of TPM is to assure the integrity of a platform. In this context, "integrity" means "behave as intended", and a "platform" is any computer device regardless of its operating system. It is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.
The responsibility of assuring said integrity using TPM is with the firmware and the operating system. For example, Unified Extensible Firmware Interface can use TPM to form a root of trust: The TPM contains several Platform Configuration Registers that allow secure storage and reporting of security relevant metrics. These metrics can be used to detect changes to previous configurations and decide how to proceed. Good examples can be found in Linux Unified Key Setup, BitLocker and PrivateCore vCage memory encryption.
An example of TPM use for platform integrity is the Trusted Execution Technology, which creates a chain of trust. It could remotely attest that a computer is using the specified hardware and software.

Disk encryption

utilities, such as dm-crypt and BitLocker, can use this technology to protect the keys used to encrypt the computer's storage devices and provide integrity authentication for a trusted boot pathway that includes firmware and boot sector.

Password protection

Operating systems often require authentication to protect keys, data or systems. If the authentication mechanism is implemented in software only, the access is prone to dictionary attacks. Since TPM is implemented in a dedicated hardware module, a dictionary attack prevention mechanism was built in, which effectively protects against guessing or automated dictionary attacks, while still allowing the user a sufficient and reasonable number of tries. Without this level of protection, only passwords with high complexity would provide sufficient protection.

Other uses and concerns

Any application can use a TPM chip for:
Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of TPM by someone who is physically present at the console of the machine.

TPM implementations

Starting in 2006, many new laptops have been sold with a built-in TPM chip. In the future, this concept could be co-located on an existing motherboard chip in computers, or any other device where the TPM facilities could be employed, such as a cellphone. On a PC, either the LPC bus or the SPI bus is used to connect to the TPM chip.
The Trusted Computing Group has certified TPM chips manufactured by Infineon Technologies, Nuvoton, and STMicroelectronics, having assigned TPM vendor IDs to Advanced Micro Devices, Atmel, Broadcom, IBM, Infineon, Intel, Lenovo, National Semiconductor, Nationz Technologies, Nuvoton, Qualcomm, Rockchip, Standard Microsystems Corporation, STMicroelectronics, Samsung, Sinosun, Texas Instruments, and Winbond.
There are five different types of TPM 2.0 implementations:
The official TCG reference implementation of the TPM 2.0 Specification has been developed by Microsoft. It is licensed under BSD License and the source code is available on GitHub.
Microsoft provides a Visual Studio solution and Linux autotools build scripts.
In 2018, Intel open-sourced its Trusted Platform Module 2.0 software stack with support for Linux and Microsoft Windows. The source code is hosted on GitHub and licensed under BSD License.
Infineon funded the development of an open source TPM middleware that complies with the Software Stack Enhanced System API specification of the TCG. It was developed by Fraunhofer Institute for Secure Information Technology.
IBM's Software TPM 2.0 is an implementation of the TCG TPM 2.0 specification. It is based on the TPM specification Parts 3 and 4 and source code donated by Microsoft. It contains additional files to complete the implementation. The source code is hosted on SourceForge and licensed under BSD License.

TPM 1.2 vs TPM 2.0

While TPM 2.0 addresses many of the same use cases and has similar features, the details are different. TPM 2.0 is not backward compatible to TPM 1.2.
SpecificationTPM 1.2TPM 2.0
ArchitectureThe one-size-fits-all specification consists of three parts.A complete specification consists of a platform-specific specification which references a common four-part TPM 2.0 library. Platform-specific specifications define what parts of the library are mandatory, optional, or banned for that platform; and detail other requirements for that platform. Platform-specific specifications include PC Client, mobile, and Automotive-Thin.
AlgorithmsSHA-1 and RSA are required. AES is optional. Triple DES was once an optional algorithm in earlier versions of TPM 1.2, but has been banned in TPM 1.2 version 94. The MGF1 hash-based mask generation function that is defined in PKCS#1 is required.The PC Client Platform TPM Profile Specification requires SHA-1 and SHA-256 for hashes; RSA, ECC using the Barreto-Naehrig 256-bit curve and the NIST P-256 curve for public-key cryptography and asymmetric digital signature generation and verification; HMAC for symmetric digital signature generation and verification; 128-bit AES for symmetric-key algorithm; and the MGF1 hash-based mask generation function that is defined in PKCS#1 are required by the TCG PC Client Platform TPM Profile Specification. Many other algorithms are also defined but are optional. Note that Triple DES was readded into TPM 2.0, but with restrictions some values in any 64-bit block.
Crypto PrimitivesA random number generator, a public-key cryptographic algorithm, a cryptographic hash function, a mask generation function, digital signature generation and verification, and Direct Anonymous Attestation are required. Symmetric-key algorithms and exclusive or are optional. Key generation is also required.A random number generator, public-key cryptographic algorithms, cryptographic hash functions, symmetric-key algorithms, digital signature generation and verification, mask generation functions, exclusive or, and ECC-based Direct Anonymous Attestation using the Barreto-Naehrig 256-bit curve are required by the TCG PC Client Platform TPM Profile Specification. The TPM 2.0 common library specification also requires key generation and key derivation functions.
HierarchyOne Three
Root KeysOne Multiple keys and algorithms per hierarchy
AuthorizationHMAC, PCR, locality, physical presencePassword, HMAC, and policy.
NV RAMUnstructured dataUnstructured data, Counter, Bitmap, Extend

The TPM 2.0 policy authorization includes the 1.2 HMAC, locality, physical presence, and PCR. It adds authorization based on an asymmetric digital signature, indirection to another authorization secret, counters and time limits, NVRAM values, a particular command or command parameters, and physical presence. It permits the ANDing and ORing of these authorization primitives to construct complex authorization policies.

Criticism

TCG has faced resistance to the deployment of this technology in some areas, where some authors see possible uses not specifically related to Trusted Computing, which may raise privacy concerns. The concerns include the abuse of remote validation of software and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user.
The TrueCrypt disk encryption utility, as well as its derivative VeraCrypt, do not support TPM. The original TrueCrypt developers were of the opinion that the exclusive purpose of the TPM is "to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer". The attacker who has physical or administrative access to a computer can circumvent TPM, e.g., by installing a hardware keystroke logger, by resetting TPM, or by capturing memory contents and retrieving TPM-issued keys. As such, the condemning text goes so far as to claim that TPM is entirely redundant. The VeraCrypt publisher has reproduced the original allegation with no changes other than replacing "TrueCrypt" with "VeraCrypt".

Attacks

In 2010, Christopher Tarnovsky presented an attack against TPMs at Black Hat Briefings, where he claimed to be able to extract secrets from a single TPM. He was able to do this after 6 months of work by inserting a probe and spying on an internal bus for the Infineon SLE 66 CL PC.
In 2015, as part of the Snowden revelations, it was revealed that in 2010 a US CIA team claimed at an internal conference to have carried out a differential power analysis attack against TPMs that was able to extract secrets.
In 2018, a design flaw in the TPM 2.0 specification for the static root of trust for measurement was reported. It allows an adversary to reset and forge platform configuration registers which are designed to securely hold measurements of software that are used for bootstrapping a computer. Fixing it requires hardware-specific firmware patches. An attacker abuses power interrupts and TPM state restores to trick TPM into thinking that it is running on non-tampered components.
Main Trusted Boot distributions before November 2017 are affected by a dynamic root of trust for measurement attack, which affects computers running on Intel's Trusted eXecution Technology for the boot-up routine.
In case of physical access, computers with TPM are vulnerable to cold boot attacks as long as the system is on or can be booted without a passphrase from shutdown or hibernation, which is the default setup for Windows computers with BitLocker full disk encryption.

2017 weak key generation controversy

In October 2017, it was reported that a code library developed by Infineon, which had been in widespread use in its TPMs, contained a vulnerability, known as ROCA, which allowed RSA private keys to be inferred from public keys. As a result, all systems depending upon the privacy of such keys were vulnerable to compromise, such as identity theft or spoofing.
Cryptosystems that store encryption keys directly in the TPM without blinding could be at particular risk to these types of attacks, as passwords and other factors would be meaningless if the attacks can extract encryption secrets.

Availability

Currently TPM is used by nearly all PC and notebook manufacturers, primarily offered on professional product lines.
TPM is implemented by several vendors:
There are also hybrid types; for example, TPM can be integrated into an Ethernet controller, thus eliminating the need for a separate motherboard component.
The Trusted Platform Module 2.0 is supported by the Linux kernel since version 3.20.