Trusted Platform Module: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 05:32, 4 February 2025 edit 2603:8080:9b00:4ab6:18bf:78e8:fae5:8c9d (talk) No edit summary Tags: Reverted Visual edit Mobile edit Mobile web edit ← Previous edit		Latest revision as of 18:15, 1 August 2025 edit undo Anastrophe (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 22,966 edits m Rollback edit(s) by 2003:C5:F26:1100:1146:5FA1:76A2:45FE (talk): Reverting good faith edits: This has all the earmarks of link/engagement/advert by the company in question.. (UV 0.1.6) Tags: Ultraviolet Rollback
(13 intermediate revisions by 10 users not shown)
Line 20: }} }} A '''Trusted Platform Module''' ('''TPM''') is a [[secure cryptoprocessor]] that implements the '''ISO/IEC 11889''' standard. Common uses are verifying that the [[boot process]] starts from a trusted combination of hardware and software and storing disk encryption keys. A TPM 2.0 implementation is part of the [[Windows 11]] system requirements.<ref>{{Cite web \|last=Warren \|first=Tom \|date=2021-06-25 \|title=Why Windows 11 is forcing everyone to use TPM chips \|url=https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security \|access-date=2021-11-13 \|publisher=The Verge \|language=en \|archive-date=2023-12-07 \|archive-url=https://web.archive.org/web/20231207200801/https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security \|url-status=live }}</ref> == History == The first TPM version that was deployed was 1.1b in 2003.<ref>{{Citation \|~~last~~last1=Arthur \|~~first~~first1=Will \|title=History of the TPM \|date=2015 \|work=A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security \|pages=1–5 \|editor-last=Arthur \|editor-first=Will ~~\|url=https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_1 \|access-date=2025-01-03~~ \|place=Berkeley, CA \|publisher=Apress \|language=en \|doi=10.1007/978-1-4302-6584-9_1 \|isbn=978-1-4302-6584-9 \|last2=Challener \|first2=David \|last3=Goldman \|first3=Kenneth \|editor2-last=Challener \|editor2-first=David \|editor3-last=Goldman \|editor3-first=Kenneth\|doi-access=free }}</ref> Trusted Platform Module (TPM) was conceived by a [[computer industry]] consortium called [[Trusted Computing Group]] (TCG). It evolved into ''TPM Main Specification Version 1.2'' which was standardized by [[International Organization for Standardization]] (ISO) and [[International Electrotechnical Commission]] (IEC) in 2009 as ISO/IEC 11889:2009.<ref>{{cite web \|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=50970 \|title=ISO/IEC 11889-1:2009 – Information technology – Trusted Platform Module – Part 1: Overview \|website=ISO.org \|publisher=[[International Organization for Standardization]] \|date=May 2009 \|access-date=November 30, 2013 \|archive-date=January 28, 2017 \|archive-url=https://web.archive.org/web/20170128033043/http://www.iso.org/iso/catalogue_detail.htm?csnumber=50970 \|url-status=live }}</ref> ''TPM Main Specification Version 1.2'' was finalized on 3 March 2011 completing its revision.<ref>{{Cite web\|title=TPM 1.2 Main Specification\|url=https://trustedcomputinggroup.org/resource/tpm-main-specification/\|access-date=2021-11-08\|website=Trusted Computing Group\|language=en-US\|archive-date=2024-06-11\|archive-url=https://web.archive.org/web/20240611121337/https://trustedcomputinggroup.org/resource/tpm-main-specification/\|url-status=live}}</ref><ref name="TPM_Main_Specs">{{Cite web \| url = https://www.trustedcomputinggroup.org/tpm-main-specification/ \| title = Trusted Platform Module (TPM) Specifications \| publisher = [[Trusted Computing Group]] \| date = March 1, 2011 \| access-date = October 30, 2016 \| archive-date = October 22, 2017 \| archive-url = https://web.archive.org/web/20171022063836/https://trustedcomputinggroup.org/tpm-main-specification/ \| url-status = live }}</ref> On 9 April 9, 2014, the [[Trusted Computing Group]] announced a major upgrade to their specification entitled ''TPM Library Specification 2.0''.<ref>{{Cite web \|date=2014-04-01 \|title=Trusted Computing Group Releases TPM 2.0 Specification for Improved Platform and Device Security \|url=https://trustedcomputinggroup.org/trusted-computing-group-releases-tpm-2-0-specification-improved-platform-device-security/ \|access-date=2021-11-08 \|publisher=Trusted Computing Group \|language=en-US \|archive-date=2025-03-06 \|archive-url=https://web.archive.org/web/20250306010354/https://trustedcomputinggroup.org/trusted-computing-group-releases-tpm-2-0-specification-improved-platform-device-security/ \|url-status=live }}</ref> The group continues work on the standard incorporating errata, algorithmic additions and new commands, with its most recent edition published as 2.0 in November 2019.<ref name="TPM_Library_Specs">{{cite web \|url=https://www.trustedcomputinggroup.org/tpm-library-specification/ \|title=TPM Library Specification 2.0 \|publisher=Trusted Computing Group \|access-date=October 30, 2016 \|archive-date=29 October 2016 \|archive-url=https://web.archive.org/web/20161029235918/https://www.trustedcomputinggroup.org/tpm-library-specification/ \|url-status=live }}</ref> This version became ISO/IEC 11889:2015. When a new revision is released it is divided into multiple parts by the Trusted Computing Group. Each part consists of a document that makes up the whole of the new TPM specification. Line 39: === Version differences === While TPM 2.0 addresses many of the same use cases and has similar features, the details are different. TPM 2.0 is not backward compatible with TPM 1.2.<ref>{{Citation \|title=Trusted Platform Module Library \|date=October 30, 2014 \|access-date=October 27, 2016 \|archive-url=https://web.archive.org/web/20161028083957/https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.16.pdf \|archive-date=October 28, 2016 \|url-status=live \|chapter=Part 1: Architecture \|chapter-url=https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.16.pdf \|publisher=Trusted Computing Group}}</ref><ref>{{Cite web \|title=TPM 1.2 vs. 2.0 Features ~~\|~~{{pipe}} Dell US \|url=https://www.dell.com/support/article/en-us/sln312590/tpm-1-2-vs-2-0-features?lang=en}}</ref><ref>{{Cite web \|title=TPM 1.2, 2.0 and FTPM (Firmware-based TPM) Information \|url=http://aps2.toshiba-tro.de/kb0/TSB8B03XO0000R01.htm \|url-status=live \|archive-url=https://web.archive.org/web/20200206234241/http://aps2.toshiba-tro.de/kb0/TSB8B03XO0000R01.htm \|archive-date=February 6, 2020 \|access-date=August 31, 2020}}</ref> {\| class="wikitable" \|- ! Specification ~~!! TPM 1.2 !! TPM 2.0~~ ! width="45%" \| TPM 1.2 ! width="55%" \| TPM 2.0 \|- \| Architecture \| A complete specification is intended to consist of a platform-specific protection profile which references a common three part TPM 1.2 library.<ref name="TPM_Main_Specs" /> In practice, only a PC Client protection profile was created for TPM 1.2. Protection profiles for [[Personal digital assistant\|PDA]] and [[Mobile phone\|cellular]] were intended to be defined,<ref name="TPM_Main_Specs" /> but were never published. \| A complete specification consists of a platform-specific specification which references a common four-part TPM 2.0 library.<ref name="TPM2.0Book">{{Cite book \|last1=Arthur \|first1=Will \|title=A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security \|last2=Challener \|first2=David \|last3=Goldman \|first3=Kenneth \|date=2015 \|publisher=[[Apress]] Media, LLC \|isbn=978-1430265832 \|___location=[[New York City]] \|page=69 \|doi=10.1007/978-1-4302-6584-9 \|s2cid=27168869}}</ref><ref name="TPM_Library_Specs" /> Platform-specific specifications define what parts of the library are mandatory, optional, or banned for that platform; and detail other requirements for that platform.<ref name="TPM2.0Book" /> Platform-specific specifications include PC Client,<ref>{{cite web \|title=PC Client Protection Profile for TPM 2.0 – Trusted Computing Group \|url=https://www.trustedcomputinggroup.org/pc-client-protection-profile-tpm-2-0/ \|url-status=live \|archive-url=https://web.archive.org/web/20161031085440/https://www.trustedcomputinggroup.org/pc-client-protection-profile-tpm-2-0/ \|archive-date=October 31, 2016 \|access-date=October 30, 2016 \|website=trustedcomputinggroup.org}}</ref> mobile,<ref>{{cite web \|title=TPM 2.0 Mobile Reference Architecture Specification – Trusted Computing Group \|url=https://www.trustedcomputinggroup.org/tpm-2-0-mobile-reference-architecture-specification/ \|url-status=live \|archive-url=https://web.archive.org/web/20161101103322/https://www.trustedcomputinggroup.org/tpm-2-0-mobile-reference-architecture-specification/ \|archive-date=November 1, 2016 \|access-date=October 31, 2016 \|publisher=trustedcomputinggroup.org}}</ref> and Automotive-Thin.<ref>{{cite web \|date=1 March 2015 \|title=TCG TPM 2.0 Library Profile for Automotive-Thin \|url=https://trustedcomputinggroup.org/tcg-tpm-2-0-library-profile-automotive-thin/ \|url-status=live \|archive-url=https://web.archive.org/web/20170426062330/https://trustedcomputinggroup.org/tcg-tpm-2-0-library-profile-automotive-thin/ \|archive-date=April 26, 2017 \|access-date=April 25, 2017 \|website=trustedcomputinggroup.org}}</ref> Line 51 ⟶ 53: \| Algorithms \| [[SHA-1]] and [[RSA (algorithm)\|RSA]] are required.<ref name="TPM1.2Rev116Part2">{{Cite web \|title=Archived copy \|url=http://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf \|url-status=live \|archive-url=https://web.archive.org/web/20161030140755/http://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf \|archive-date=October 30, 2016 \|access-date=October 29, 2016}}</ref> [[Advanced Encryption Standard\|AES]] is optional.<ref name="TPM1.2Rev116Part2" /> [[Triple DES]] was once an optional algorithm in earlier versions of TPM 1.2,<ref>{{Cite web \|title=Archived copy \|url=http://trustedcomputinggroup.org/wp-content/uploads/mainP2Struct_rev85.pdf \|url-status=live \|archive-url=https://web.archive.org/web/20161030080258/http://trustedcomputinggroup.org/wp-content/uploads/mainP2Struct_rev85.pdf \|archive-date=October 30, 2016 \|access-date=October 29, 2016}}</ref> but has been removed from TPM 1.2 version 103.<ref>{{Cite web \|date=July 9, 2007 \|title=TPM Main Specification Level 2 Version 1.2, Revision 103: Part 1 Design Principles \|url=https://trustedcomputinggroup.org/wp-content/uploads/mainP1DPrev103.pdf \|access-date=February 16, 2024}}</ref> The MGF1 hash-based mask generation function that is defined in [[PKCS 1\|PKCS#1]] is required.<ref name="TPM1.2Rev116Part2" /> \| The PC Client Platform TPM Profile (PTP) Specification requires [[SHA-1]] and [[SHA-256]] for hashes; [[RSA (algorithm)\|RSA]], [[Elliptic curve cryptography\|ECC]] using the [[National Institute of Standards and Technology\|NIST]] P-256 curve for [[public-key cryptography]] and asymmetric [[digital signature]] generation and verification; [[HMAC]] for symmetric digital signature generation and verification; 128-bit [[Advanced Encryption Standard\|AES]] for [[symmetric-key algorithm]]; and the MGF1 hash-based mask generation function that is defined in [[PKCS 1\|PKCS#1]] are required by the TCG PC Client Platform TPM Profile (PTP) Specification.<ref name="PCClient">{{Cite web \|date=September 29, 2021 \|title=TCG Protection Profile for PC Client Specific TPM 2.0 Library Revision 1.59; Version 1.3 \|url=https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PP_1p3_for_Library_1p59_pub_29sept2021.pdf \|access-date=February 16, 2024 \|archive-date=March 6, 2025 \|archive-url=https://web.archive.org/web/20250306143206/https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PP_1p3_for_Library_1p59_pub_29sept2021.pdf \|url-status=live }}</ref> Many other algorithms are also defined but are optional.<ref>{{Cite web \|title=Archived copy \|url=https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.22.pdf \|url-status=live \|archive-url=https://web.archive.org/web/20161031085411/https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.22.pdf \|archive-date=October 31, 2016 \|access-date=October 30, 2016}}</ref> Note that [[Triple DES]] was added into the TPM 2.0 library, but with restrictions to reject [[weak key]]s.<ref>{{Cite web \|title=Archived copy \|url=https://trustedcomputinggroup.org/wp-content/uploads/TCG-_Algorithm_Registry_Rev_1.27_FinalPublication.pdf \|url-status=live \|archive-url=https://web.archive.org/web/20190123223556/https://trustedcomputinggroup.org/wp-content/uploads/TCG-_Algorithm_Registry_Rev_1.27_FinalPublication.pdf \|archive-date=January 23, 2019 \|access-date=January 23, 2019}}</ref> Also, elliptic cryptography [[Direct Anonymous Attestation]] (ECDAA) using Barreto-Naehrig ECC curves which was mandatory in earlier versions has been made optional in the PC Client profile version 1.59.<ref name="PCClient" /> \|- \| Crypto Primitives Line 82 ⟶ 84: * Facilities for the secure generation of [[cryptographic keys]] for limited uses. * [[Remote attestation]]: Creates a nearly unforgeable [[Cryptographic hash function\|hash key]] summary of the hardware and software configuration. One could use the hash to verify that the hardware and software have not been changed. The software in charge of hashing the setup determines the extent of the summary. * [[Late binding\|Binding]]: Data is encrypted using the TPM bind key, a unique [[RSA (algorithm)\|RSA]] key descended from a storage key. Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity.<ref>{{cite web \| url=https://docs.microsoft.com/en-us/previous-versions/aspnet/f5cs0acs(v=vs.100) \| title=Understanding Machine-Level and User-Level RSA Key Containers \| date=October 22, 2014 \| access-date=June 2, 2022 \| archive-date=June 2, 2022 \| archive-url=https://web.archive.org/web/20220602134828/https://docs.microsoft.com/en-us/previous-versions/aspnet/f5cs0acs(v=vs.100) \| url-status=live }}</ref><ref>{{cite web\|url=http://linux.die.net/man/3/tspi_data_bind\|title=tspi_data_bind(3) – Encrypts data blob\|format=Posix manual page\|publisher=Trusted Computing Group\|access-date=October 27, 2009\|archive-date=November 29, 2013\|archive-url=https://web.archive.org/web/20131129101856/http://linux.die.net/man/3/tspi_data_bind \| url-status=live}}</ref> * [[Sealed storage]]: Specifies the TPM state<ref>{{Citation \| url = https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf \| title = Trusted Platform Module Library Specification, Family "2.0" \| edition = Level 00, Revision 01.59 \| volume = Part 1 – Architecture, Section 12, TPM Operational States \| publisher = Trusted Computing Group \| access-date = January 17, 2021 \| archive-date = January 9, 2021 \| archive-url = https://web.archive.org/web/20210109164407/https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf \| url-status = live }}</ref> for the data to be decrypted (unsealed).<ref>{{Citation \| url = http://www.trustedcomputinggroup.org/files/static_page_files/72C33D71-1A4B-B294-D02C7DF86630BE7C/TPM%20Main-Part%203%20Commands_v1.2_rev116_01032011.pdf \| title = TPM Main Specification Level 2 \| edition = Version 1.2, Revision 116 \| volume = Part 3 – Commands \| publisher = Trusted Computing Group \| access-date = June 22, 2011 \| archive-date = September 28, 2011 \| archive-url = https://web.archive.org/web/20110928031628/http://www.trustedcomputinggroup.org/files/static_page_files/72C33D71-1A4B-B294-D02C7DF86630BE7C/TPM%20Main-Part%203%20Commands_v1.2_rev116_01032011.pdf \| url-status = live }}</ref> * Other [[Trusted Computing]] functions for the data to be decrypted (unsealed).<ref>{{Citation\| url = https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749022(v=ws.10)?redirectedfrom=MSDN\| title = Microsoft Article on TPM\| date = July 25, 2008\| access-date = April 1, 2021\| archive-date = January 2, 2021\| archive-url = https://web.archive.org/web/20210102105127/https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749022(v=ws.10)?redirectedfrom=MSDN\| url-status = live}}</ref> Line 114 ⟶ 116: === TPM 2.0 === There are five different types of TPM 2.0 implementations (listed in order from most to least secure):<ref name="TPMRecs">{{Cite web \|url=https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations \|title=TPM Recommendations \|last1=Lich \|first1=Brian \|last2=Browers \|first2=Nick \|date=27 October 2017 \|website=Microsoft Docs \|publisher=[[Microsoft]] \|last3=Hall \|first3=Justin \|last4=McIlhargey \|first4=Bill \|last5=Farag \|first5=Hany \|access-date=10 January 2018 \|archive-date=11 January 2018 \|archive-url=https://web.archive.org/web/20180111052704/https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations \|url-status=live }}</ref><ref name="TPMBrief">{{Cite web\|url=https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-A-Brief-Introduction.pdf\|title=Trusted Platform Module 2.0: A Brief Introduction \|date=October 13, 2016 \| publisher=Trusted Computing Group \|access-date=March 31, 2018\|archive-date=February 3, 2019 \| archive-url=https://web.archive.org/web/20190203202259/https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-A-Brief-Introduction.pdf \|url-status=live}}</ref> * Discrete TPMs are dedicated chips that implement TPM functionality in their own tamper resistant semiconductor package. They are the most secure, certified to FIPS-140 with level 3 physical security<ref>{{cite web \|url=https://trustedcomputinggroup.org/membership/certification/tpm-certified-products \|title=TPM Certified Products \|access-date=2022-09-06 \|archive-date=2025-03-06 \|archive-url=https://web.archive.org/web/20250306213123/https://trustedcomputinggroup.org/membership/certification/tpm-certified-products/ \|url-status=live }}</ref> resistance to attack versus routines implemented in software, and their packages are required to implement some tamper resistance. For example, the TPM for the brake controller in a car is protected from hacking by sophisticated methods.<ref>{{cite web \|url=https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-A-Brief-Introduction.pdf \|access-date=2023-08-20 \|title=Trusted Platform Module (TPM) - 2.0: A BRIEF INTRODUCTION \|archive-date=2025-03-06 \|archive-url=https://web.archive.org/web/20250306003832/https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-A-Brief-Introduction.pdf \|url-status=live }}</ref> * Integrated TPMs are part of another chip. While they use hardware that resists software bugs, they are not required to implement tamper resistance. [[Intel]] has integrated TPMs in some of its [[chipset]]s. * Firmware TPMs (fTPMs) are firmware-based (e.g. [[UEFI]]) solutions that run in a CPU's [[trusted execution environment]]. Intel, AMD and Qualcomm have implemented firmware TPMs. * Virtual TPMs (vTPMs) are provided by and rely on [[hypervisor]]s in isolated execution environments that are hidden from the software running inside [[virtual machines]] to secure their code from the software in the virtual machines. They can provide a security level comparable to a firmware TPM. [[Google Cloud Platform]] has implemented vTPM.<ref>[{{Cite web \|url=https://cloud.google.com/security/shielded-cloud/shielded-vm#vtpm \|title=GCE Shielded VM - Virtual Trusted Platform Module (vTPM)] \|access-date=2021-12-01 \|archive-date=2021-12-01 \|archive-url=https://web.archive.org/web/20211201083434/https://cloud.google.com/security/shielded-cloud/shielded-vm#vtpm \|url-status=live }}</ref> * Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment. They are useful for development purposes. Line 146 ⟶ 148: [[IBM]]'s Software TPM 2.0 is an implementation of the TCG TPM 2.0 specification. It is based on the TPM specification Parts 3 and 4 and source code donated by Microsoft. It contains additional files to complete the implementation. The source code is hosted on [[SourceForge]]<ref>{{Cite web \|url=https://sourceforge.net/projects/ibmswtpm2/ \|title=IBM's Software TPM 2.0 download {{!}} SourceForge.net \|access-date=April 5, 2020 \|archive-date=June 12, 2019 \|archive-url=https://web.archive.org/web/20190612221519/https://sourceforge.net/projects/ibmswtpm2/ \|url-status=live }}</ref> and [[GitHub]]<ref>{{Cite web \|url=https://github.com/kgoldman/ibmswtpm2/ \|title=IBM SW TPM 2.0 \|website=[[GitHub]] \|access-date=June 2, 2021 \|archive-date=September 18, 2020 \|archive-url=https://web.archive.org/web/20200918030405/https://github.com/kgoldman/ibmswtpm2 \|url-status=live }}</ref> and licensed under BSD License. In 2022, [[Advanced Micro Devices\|AMD]] announced that under certain circumstances their fTPM implementation causes performance problems. A fix is available in form of a [[BIOS]]-Update.<ref>{{Cite web \|date=2022-03-08 \|title=Intermittent System Stutter Experienced with fTPM Enabled on Windows 10 and 11 \|url=https://www.amd.com/en/support/kb/faq/pa-410 \|access-date=2022-07-02 \|publisher=AMD \|archive-date=2024-03-25 \|archive-url=https://web.archive.org/web/20240325023648/https://www.amd.com/en/support/kb/faq/pa-410 \|url-status=live }}</ref><ref>{{Cite web \|author1=Paul Alcorn \|date=2022-03-07 \|title=AMD Issues Fix and Workaround for Ryzen's fTPM Stuttering Issues \|url=https://www.tomshardware.com/news/amd-issues-fix-and-workaround-for-ftpm-stuttering-issues \|access-date=2022-07-02 \|website=Tom's Hardware \|language=en}}</ref> == Reception == The [[Trusted Computing Group]] (TCG) has faced resistance to the deployment of this technology in some areas, where some authors see possible uses not specifically related to [[Trusted Computing]], which may raise privacy concerns. The concerns include the abuse of remote validation of software decides what software is allowed to run and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user.<ref>{{cite web \| first = Richard Matthew \| last = Stallman \| url = https://www.gnu.org/philosophy/can-you-trust.html \| title = Project GNU \| publisher = Free Software Foundation \| access-date = 21 July 2016 \| archive-date = 29 June 2011 \| archive-url = https://web.archive.org/web/20110629082333/http://www.gnu.org/philosophy/can-you-trust.html \| url-status = live }}</ref> The [[TrueCrypt]] disk encryption utility, as well as its derivative [[VeraCrypt]], do not support TPM. The original TrueCrypt developers were of the opinion that the exclusive purpose of the TPM is "to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer". The attacker who has physical or administrative access to a computer can circumvent TPM, e.g., by installing a hardware [[keystroke logger]], by resetting TPM, or by capturing memory contents and retrieving TPM-issued keys. The condemning text goes so far as to claim that TPM is entirely redundant.<ref>{{Cite web \|title=TrueCrypt User Guide \|url=https://www.grc.com/misc/truecrypt/TrueCrypt%20User%20Guide.pdf \|website=truecrypt.org \|publisher=TrueCrypt Foundation \|via=grc.com \|date=7 February 2012 \|page=129 \|access-date=20 February 2018 \|archive-date=25 December 2019 \|archive-url=https://web.archive.org/web/20191225153826/https://www.grc.com/misc/truecrypt/TrueCrypt%20User%20Guide.pdf \|url-status=live }}</ref> The VeraCrypt publisher has reproduced the original allegation with no changes other than replacing "TrueCrypt" with "VeraCrypt".<ref>{{cite web \| url=https://www.veracrypt.fr/en/FAQ.html \|~~title~~ title=FAQ \| website=veracrypt.fr \| publisher=IDRIX \| date=2 July 2017 \| access-date=11 January 2018 \| archive-date=25 February 2025 \| archive-url=https://web.archive.org/web/20250225120315/https://veracrypt.fr/en/FAQ.html \| url-status=live }}</ref> The author is right that, after achieving either unrestricted physical access or administrative privileges, it is only a matter of time before other security measures in place are bypassed.<ref>{{Cite web \|last=Culp \|first=Scott \|date=2000 \|title=Ten Immutable Laws Of Security (Version 2.0) \|url=https://technet.microsoft.com/en-us/library/hh278941.aspx \|url-status=dead \|archive-url=https://web.archive.org/web/20151209191417/https://technet.microsoft.com/en-us/library/hh278941.aspx \|archive-date=9 December 2015 \|access-date= \|website=[[TechNet Magazine]] \|publisher=[[Microsoft]] \|via=[[Microsoft TechNet]]}}</ref><ref>{{Cite web \|last=Johansson \|first=Jesper M. \|date=October 2008 \|title=Security Watch Revisiting the 10 Immutable Laws of Security, Part 1 \|url=https://technet.microsoft.com/en-us/library/2008.10.securitywatch.aspx \|url-status=dead \|archive-url=https://web.archive.org/web/20170410043155/https://technet.microsoft.com/en-us/library/2008.10.securitywatch.aspx \|archive-date=10 April 2017 \|access-date= \|website=[[TechNet Magazine]] \|publisher=[[Microsoft]] \|via=[[Microsoft TechNet]]}}</ref> However, stopping an attacker in possession of administrative privileges has never been one of the goals of TPM (see {{Section link\|\|Uses}} for details), and TPM can [[cold boot attack\|stop some physical tampering]].<ref name=":0" /><ref name=":1" /><ref name=":2">{{cite book \|title=Autonomic and Trusted Computing: 4th International Conference \|publisher=ATC \|year=2007 \|isbn=9783540735465}}</ref><ref name="TCPA">{{cite book \|last1=Pearson \|first1=Siani \|title=Trusted computing platforms: TCPA technology in context \|last2=Balacheff \|first2=Boris \|publisher=Prentice Hall \|year=2002 \|isbn=9780130092205}}</ref><ref name="SetPhysicalPresenceRequest">{{cite web \|title=SetPhysicalPresenceRequest Method of the Win32_Tpm Class \|url=http://msdn.microsoft.com/en-us/library/aa376478(VS.85).aspx \|url-status=live \|archive-url=https://web.archive.org/web/20090519204808/http://msdn.microsoft.com/en-us/library/aa376478(VS.85).aspx \|archive-date=May 19, 2009 \|access-date=June 12, 2009 \|publisher=[[Microsoft]]}}</ref> In 2015 [[Richard Stallman]] suggested to replace the term "Trusted computing" with the term "Treacherous computing" due to the danger that the computer can be made to systematically disobey its owner if the cryptographical keys are kept secret from them. He also considers that TPMs available for PCs in 2015 are not currently{{clarify timeframe\|date=December 2022}} dangerous and that there is no reason '''not''' to include one in a computer or support it in software due to failed attempts from the industry to use that technology for [[Digital rights management\|DRM]], but that the TPM2 released in 2022 is precisely the "[[Trusted Computing\|treacherous computing]]" threat he had warned of.<ref>{{Cite web\|title=Can You Trust Your Computer? - GNU Project - Free Software Foundation\|url=https://www.gnu.org/philosophy/can-you-trust.en.html\|access-date=2023-09-06\|website=www.gnu.org\|archive-date=2025-02-26\|archive-url=https://web.archive.org/web/20250226214859/https://www.gnu.org/philosophy/can-you-trust.en.html\|url-status=live}}</ref> In August 2023, [[Linus Torvalds]], who was frustrated with AMD fTPM's stuttering bugs opined, "Let's just disable the stupid fTPM <code>hwrnd</code> thing." He said the CPU-based random number generation, <code>[[RDRAND\|rdrand]]</code> was equally suitable, despite having its share of bugs. Writing for ''[[Neowin]]'', Sayan Sen quoted Torvalds' bitter comments and called him "a man with a strong opinion.".<ref>{{Cite news \|last=Sen \|first=Sayan \|date=2024-10-23 \|title=Linus Torvalds seems frustrated with AMD Ryzen fTPM bugs and issues, suggests disabling \|url=https://www.neowin.net/news/linus-torvalds-seems-frustrated-with-amd-ryzen-ftpm-bugs-and-issues-suggests-disabling/ \|access-date=2024-10-23 \|work=Neowin}}</ref> == Security issues == Line 189 ⟶ 191: * [[Infineon]] provides both TPM chips and TPM software, which are delivered as [[Original equipment manufacturer\|OEM]] versions with new computers as well as separately by Infineon for products with TPM technology which comply with TCG standards. For example, Infineon licensed TPM management software to Broadcom Corp. in 2004.<ref>{{cite web\|url=https://www.heise.de/newsticker/meldung/Trusted-Platform-Module-TPM-im-LAN-Adapter-143777.html\|title=Trusted Platform Module (TPM) im LAN-Adapter\|date=March 12, 2005 \|publisher=Heise Online\|access-date=January 7, 2019\|archive-date=January 7, 2019\|archive-url=https://web.archive.org/web/20190107232935/https://www.heise.de/newsticker/meldung/Trusted-Platform-Module-TPM-im-LAN-Adapter-143777.html\|url-status=live}}</ref> * [[Microchip Technology\|Microchip]] (formerly Atmel) manufactured TPM devices that it claims to be compliant to the Trusted Platform Module specification version 1.2 revision 116 and offered with several interfaces (LPC, SPI, and ~~I2C~~I<sup>2</sup>C), modes (FIPS 140-2 certified and standard mode), temperature grades (commercial and industrial), and packages (TSSOP and QFN).<ref name="AtmelTPMFrontPage">{{cite web\|url=http://www.atmel.com/products/security-ics/embedded/\|title=Home – Microchip Technology\|website=www.atmel.com\|access-date=October 4, 2016\|archive-date=October 5, 2016\|archive-url=https://web.archive.org/web/20161005162507/http://www.atmel.com/products/security-ics/embedded/\|url-status=dead}}</ref><ref>{{cite web\|url=http://www.atmel.com/Images/Atmel-8965-TPM-Part-No-Selection-Guide-ApplicationNote.pdf\|title=AN_8965 TPM Part Number Selection Guide – Application Notes – Microchip Technology Inc.\|website=www.atmel.com\|access-date=October 4, 2016\|archive-date=October 5, 2016\|archive-url=https://web.archive.org/web/20161005171009/http://www.atmel.com/Images/Atmel-8965-TPM-Part-No-Selection-Guide-ApplicationNote.pdf\|url-status=dead}}</ref><ref>{{cite web \|url=https://www.microchip.com/en-us/products/security/security-ics/tpm \|title="Trusted Platform Module" \|author=<!--Not stated--> \|date= \|website= \|publisher=Microchip Technology \|access-date=2024-02-14 \|quote= \|archive-date=2025-02-14 \|archive-url=https://web.archive.org/web/20250214203949/https://www.microchip.com/en-us/products/security/security-ics/tpm \|url-status=live }}</ref> Its TPMs support PCs and embedded devices.<ref name="AtmelTPMFrontPage"/> It also provides TPM development kits to support integration of its TPM devices into various embedded designs.<ref>{{cite web\|url=http://www.atmel.com/products/security-ics/embedded/?tab=tools\|title=Home – Microchip Technology\|website=www.atmel.com\|access-date=October 4, 2016\|archive-date=October 5, 2016\|archive-url=https://web.archive.org/web/20161005165740/http://www.atmel.com/products/security-ics/embedded/?tab=tools\|url-status=dead}}</ref> * [[Nuvoton]] Technology Corporation provides TPM devices for PC applications. Nuvoton also provides TPM devices for embedded systems and Internet of Things (IoT) applications via ~~I2C~~I<sup>2</sup>C and SPI host interfaces. Nuvoton's TPM complies with [[Common Criteria]] (CC) with assurance level EAL 4 augmented with ALC_FLR.1, AVA_VAN.4 and ALC_DVS.2, [[FIPS 140-2]] level 2 with Physical Security and EMI/EMC level 3 and [[Trusted Computing Group]] Compliance requirements, all supported within a single device. TPMs produced by [[Winbond]] are now part of Nuvoton.<ref>{{cite web \| url = https://www.nuvoton.com/products/cloud-computing/security/trusted-platform-module-tpm \| title = Nuvoton TPM \| access-date = 2021-06-29 \| archive-date = 2025-03-06 \| archive-url = https://web.archive.org/web/20250306103946/https://www.nuvoton.com/products/cloud-computing/security/trusted-platform-module-tpm \| url-status = live }}</ref> * [[STMicroelectronics]] has provided TPMs for PC platforms and embedded systems since 2005. The product offering <ref>{{cite web \| url = https://www.st.com/content/ccc/resource/sales_and_marketing/promotional_material/flyer/group0/62/f7/89/67/99/9a/40/45/STSAFE_TPM_Flyer/files/STSAFE-TPM-Flyer.pdf/jcr:content/translations/en.STSAFE-TPM-Flyer.pdf \| title = STSAFE-TPM \| access-date = 2021-07-06 \| archive-date = 2025-03-06 \| archive-url = https://web.archive.org/web/20250306103016/https://www.st.com/content/ccc/resource/sales_and_marketing/promotional_material/flyer/group0/62/f7/89/67/99/9a/40/45/STSAFE_TPM_Flyer/files/STSAFE-TPM-Flyer.pdf/jcr:content/translations/en.STSAFE-TPM-Flyer.pdf \| url-status = live }}</ref> includes discrete devices with several interfaces supporting [[Serial Peripheral Interface]] (SPI) and [[I2C\|I²<sup>2</sup>C]] and different qualification grades (consumer, industrial and automotive). The TPM products are [[Common Criteria]] (CC) certified EAL4+ augmented with ALC_FLR.1 and AVA_VAN.5, [[FIPS 140-2]] level 2 certified with physical security level 3 and also [[Trusted Computing Group]] (TCG) certified. There are also hybrid types; for example, TPM can be integrated into an [[Ethernet]] controller, thus eliminating the need for a separate motherboard component.<ref>{{cite web \| url = https://www.trustedcomputinggroup.org/files/temp/4B551C9F-1D09-3519-AD45C1F0B5D61714/TPM%20Overview.pdf \| title = Replacing Vulnerable Software with Secure Hardware: The Trusted Platform Module (TPM) and How to Use It in the Enterprise \| year = 2008 \| access-date = June 7, 2014 \| publisher = Trusted computing group \| archive-date = July 14, 2014 \| archive-url = https://web.archive.org/web/20140714233816/https://www.trustedcomputinggroup.org/files/temp/4B551C9F-1D09-3519-AD45C1F0B5D61714/TPM%20Overview.pdf \| url-status = live }}</ref><ref>{{cite web \| url = http://www.broadcom.com/products/Ethernet-Controllers-and-Adapters/Enterprise-Client-Controllers/BCM5752 \| title = NetXtreme Gigabit Ethernet Controller with Integrated TPM1.2 for Desktops \| date = May 6, 2009 \| access-date = June 7, 2014 \| publisher = Broadcom \| archive-date = June 14, 2014 \| archive-url = https://web.archive.org/web/20140614134124/http://www.broadcom.com/products/Ethernet-Controllers-and-Adapters/Enterprise-Client-Controllers/BCM5752 \| url-status = live }}</ref> Line 201 ⟶ 203: Since July 28, 2016, all new Microsoft device models, lines, or series (or updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) implement, and enable by default TPM 2.0. While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, an integrated component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on a general purpose System-on-a-chip (SoC).<ref>{{cite web \| url=https://www.thewindowsclub.com/tpm-vs-ptt-differences \| title=TPM vs PTT: What are the main differences between these technologies? \| date=August 9, 2021 \| access-date=June 2, 2022 \| archive-date=February 12, 2025 \| archive-url=https://web.archive.org/web/20250212042620/https://www.thewindowsclub.com/tpm-vs-ptt-differences \| url-status=live }}</ref> === Virtual TPM === * [[Google Compute Engine]] was the first major cloud provider offering virtualized TPMs (vTPMs) as part of [[Google Cloud Platform\|Google Cloud]]'s Shielded VMs product.<ref>{{cite web\| url=https://cloud.google.com/shielded-vm\| title=Shielded VMs\| publisher=Google Cloud\| access-date=April 12, 2019\| archive-date=April 12, 2019\| archive-url=https://web.archive.org/web/20190412112007/https://cloud.google.com/shielded-vm/\| url-status=live}}</ref> [[Amazon Web Services]] followed in 2022, naming its vTPM offering "Nitro TPM".<ref>{{cite web\| url=https://aws.amazon.com/blogs/aws/amazon-ec2-now-supports-nitrotpm-and-uefi-secure-boot/\| title=Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot\| publisher=AWS News Blog\| access-date=February 1, 2025}}</ref> * The libtpms library provides software emulation of a Trusted Platform Module (TPM 1.2 and TPM 2.0). It targets the integration of TPM functionality into hypervisors, primarily into Qemu.<ref>{{cite web \| url = https://github.com/stefanberger/libtpms \| title = libtpms Virtual TPM\| website = [[GitHub]]\| date = October 27, 2021\| access-date = June 29, 2021\| archive-date = January 4, 2025\| archive-url = https://web.archive.org/web/20250104032646/https://github.com/stefanberger/libtpms\| url-status = live}}</ref> === Operating systems === * [[Windows 11]] requires TPM 2.0 support as a minimum system requirement.<ref>{{Cite web\|last=Microsoft\|title=Windows 11 Specs and System Requirements {{!}} Microsoft\|url=https://www.microsoft.com/en-us/windows/windows-11-specifications\|access-date=2021-10-02\|website=Windows\|language=en-us\|archive-date=2022-05-31\|archive-url=https://web.archive.org/web/20220531013104/https://www.microsoft.com/en-us/windows/windows-11-specifications\|url-status=live}}</ref><ref>{{cite conference \| last = Chabaud \| first = Florent \| title = Setting Hardware Root-of-Trust from Edge to Cloud, and How to Use it \| book-title = Proceedings of the 29th Computer & Electronics Security Application Rendezvous \| pages = 115–130 \| publisher = C&ESAR 2022 \| ___location = Rennes, France \| date = November 15–16, 2022 \| editor1-last = le Guernic \| editor1-first = Gurvan \| url = https://ceur-ws.org/Vol-3329/paper-07.pdf \| access-date = 2024-01-08 \| archive-date = 2025-03-06 \| archive-url = https://web.archive.org/web/20250306105606/https://ceur-ws.org/Vol-3329/paper-07.pdf \| url-status = live }} Location: Université de Rennes 1, Campus de Beaulieu, IRISA/Inria Rennes, 263 avenue du Général Leclerc, 35042 RENNES cedex.</ref> On many systems TPM is disabled by default which requires changing settings in the computer's UEFI to enable it.<ref>{{Cite web\|date=2021-06-24\|title=Windows 11 update: TPM 2.0 and PC Health Check confusion\|url=https://www.slashgear.com/windows-11-tpm-2-0-update-system-requirement-confusion-24679866/\|url-status=live\|archive-url=https://web.archive.org/web/20210624203318/https://www.slashgear.com/windows-11-tpm-2-0-update-system-requirement-confusion-24679866/\|archive-date=June 24, 2021\|access-date=2021-06-24\|website=SlashGear\|language=en-US}}</ref> * [[Windows 8]] and later have native support for TPM 2.0. * [[Windows 7]] can install an official patch to add TPM 2.0 support.<ref>{{Cite web \|url=https://support.microsoft.com/en-us/topic/update-to-add-support-for-tpm-2-0-in-windows-7-and-windows-server-2008-r2-8ef7d943-995e-ee23-0c54-06600e368e1c \|title=Update to add support for TPM 2.0 in Windows 7 and Windows Server 2008 R2 - Microsoft Support \|access-date=2024-01-04 \|archive-date=2025-02-12 \|archive-url=https://web.archive.org/web/20250212025821/https://support.microsoft.com/en-us/topic/update-to-add-support-for-tpm-2-0-in-windows-7-and-windows-server-2008-r2-8ef7d943-995e-ee23-0c54-06600e368e1c \|url-status=live }}</ref> * [[Windows Vista]] through [[Windows 10]] have native support for TPM 1.2. * The Trusted Platform Module 2.0 (TPM 2.0) has been supported by the [[Linux kernel]] since version 34.200 (~~2012~~2015)<ref>{{Cite web \|url=https://www.phoronix.com/scan.php?page=news_item&px=Linux-3.20-TPM-2.0-Security \|title=TPM 2.0 Support Sent In For The Linux 3.20 Kernel - Phoronix \|access-date=April 5, 2020 \|archive-date=February 28, 2021 \|archive-url=https://web.archive.org/web/20210228102638/https://www.phoronix.com/scan.php?page=news_item&px=Linux-3.20-TPM-2.0-Security \|url-status=live }}</ref><ref>{{Cite web \|title=Linux kernel turns over release odometer to 4.0 \|url=https://www.zdnet.com/article/linux-kernel-turns-over-release-odometer-to-4-0/ \|access-date=2025-02-04 \|website=ZDNET \|language=en \|archive-date=2025-02-17 \|archive-url=https://web.archive.org/web/20250217184518/https://www.zdnet.com/article/linux-kernel-turns-over-release-odometer-to-4-0/ \|url-status=live }}</ref><ref>{{Cite web \|url=https://www.phoronix.com/scan.php?page=news_item&px=TPM-2.0-Security-Linux-4.4 \|title=TPM 2.0 Support Continues Maturing In Linux 4.4 - Phoronix \|access-date=April 5, 2020 \|archive-date=March 5, 2021 \|archive-url=https://web.archive.org/web/20210305070203/https://www.phoronix.com/scan.php?page=news_item&px=TPM-2.0-Security-Linux-4.4 \|url-status=live }}</ref><ref>{{Cite web \|url=https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.4-TPM-2.0 \|title=With Linux 4.4, TPM 2.0 Gets Into Shape For Distributions - Phoronix \|access-date=April 5, 2020 \|archive-date=August 14, 2020 \|archive-url=https://web.archive.org/web/20200814003044/https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.4-TPM-2.0 \|url-status=live }}</ref> === Platforms === Line 220 ⟶ 222: * [[Google]] includes TPMs in [[Chromebook]]s as part of their security model.<ref>{{cite web \|url = https://chrome.googleblog.com/2011/07/chromebook-security-browsing-more.html \|title = Chromebook security: browsing more securely \|work = Chrome Blog \|access-date = April 7, 2013 \|archive-date = April 25, 2016 \|archive-url = https://web.archive.org/web/20160425070152/https://chrome.googleblog.com/2011/07/chromebook-security-browsing-more.html \|url-status = live }}</ref> * [[Oracle Corporation\|Oracle]] ships TPMs in their X- and T-Series Systems such as T3 or T4 series of servers.<ref>{{cite web \| url= http://www.oracle.com/us/products/servers-storage/solaris/solaris-and-sparc-t4-497273.pdf \| title= Oracle Solaris and Oracle SPARC T4 Servers— Engineered Together for Enterprise Cloud Deployments \| publisher= Oracle \| access-date= October 12, 2012 \| archive-date= October 24, 2012 \| archive-url= https://web.archive.org/web/20121024150758/http://www.oracle.com/us/products/servers-storage/solaris/solaris-and-sparc-t4-497273.pdf \| url-status= live }}</ref> Support is included in [[Solaris (operating system)\|Solaris 11]].<ref>{{cite web \|url=http://docs.oracle.com/cd/E23824_01/html/821-1462/tpmadm-1m.html \|title=tpmadm \|type=manpage \|publisher=Oracle \|access-date=October 12, 2012 \|archive-date=November 14, 2012 \|archive-url=https://web.archive.org/web/20121114112129/http://docs.oracle.com/cd/E23824_01/html/821-1462/tpmadm-1m.html \|url-status=live }}</ref> * In 2006, with the introduction of first Macintosh models with Intel processors, Apple started to ship Macs with TPM. Apple never provided an official driver, but there was a port under [[GNU General Public License\|GPL]] available.<ref>{{Citation \| first = Amit \| last = Singh \| chapter-url = http://www.osxbook.com/book/bonus/chapter10/tpm/ \| title = OS X book \| chapter = Trusted Computing for Mac OS X \| access-date = August 2, 2011 \| archive-date = July 21, 2011 \| archive-url = https://web.archive.org/web/20110721080011/http://www.osxbook.com/book/bonus/chapter10/tpm/ \| url-status = live }}.</ref> Apple has not shipped a computer with TPM since 2006.<ref>{{cite web \| url = http://www.pcworld.com/article/157966/laptop_security.html \| title = Your Laptop Data Is Not Safe. So Fix It \| date = January 20, 2009 \| work = PC World \| access-date = August 22, 2013 \| archive-date = November 4, 2013 \| archive-url = https://web.archive.org/web/20131104211218/http://www.pcworld.com/article/157966/laptop_security.html \| url-status = live }}</ref> Starting in 2016, Apple products began adopting Apple's own trusted hardware component called "Secure Enclave", originally as a separate chip and later as an integrated part of Apple silicon CPUs. Apple Secure Enclave is not TPM-compatible. <ref>{{cite web \|title=A brief history of Mac enclaves and exclaves \|url=https://eclecticlight.co/2024/06/15/a-brief-history-of-mac-enclaves-and-exclaves/#:~:text=Intel%20Macs&text=A%20year%20later%2C%20in%20December,contemporaneous%20iPads%20and%20iPod%20Touch. \|website=The Eclectic Light Company \|access-date=1 February 2025}}</ref> * In 2011, Taiwanese manufacturer [[Micro-Star International\|MSI]] launched its Windpad 110W tablet featuring an [[Advanced Micro Devices\|AMD]] CPU and Infineon Security Platform TPM, which ships with controlling software version 3.7. The chip is disabled by default but can be enabled with the included, pre-installed software.<ref>{{cite web\|url=http://www.msi.com/product/windpad/WindPad-110W.html\|work=Winpad 110W\|title=TPM. Complete protection for peace of mind\|publisher=MSI\|access-date=May 20, 2013\|archive-date=May 13, 2013\|archive-url=https://web.archive.org/web/20130513043710/http://www.msi.com/product/windpad/WindPad-110W.html\|url-status=live}}</ref> Line 232 ⟶ 234: === Software === * [[Microsoft]] operating systems [[Windows Vista]] and later use the chip in conjunction with the included disk encryption component named [[BitLocker]]. Microsoft had announced that from January 1, 2015, all computers will have to be equipped with a TPM 2.0 module in order to pass [[Windows 8.1]] [[hardware certification]].<ref>{{cite web\| url = http://msdn.microsoft.com/en-us/library/windows/hardware/hh748188.aspx\| title = Windows Hardware Certification Requirements\| publisher = Microsoft\| access-date = July 23, 2013\| archive-date = June 29, 2021\| archive-url = https://web.archive.org/web/20210629081025/https://docs.microsoft.com/en-us/previous-versions/windows/hardware/cert-program/?redirectedfrom=MSDN\| url-status = live}}</ref> However, in a December 2014 review of the Windows Certification Program this was instead made an optional requirement. However, TPM 2.0 is required for [[InstantGo\|connected standby]] systems.<ref>{{cite web \|url = https://msdn.microsoft.com/en-us/library/windows/hardware/jj128256 \|title = Windows Hardware Certification Requirements for Client and Server Systems \|publisher = Microsoft \|access-date = June 5, 2015 \|archive-date = July 1, 2015 \|archive-url = https://web.archive.org/web/20150701150150/https://msdn.microsoft.com/en-US/library/windows/hardware/jj128256 \|url-status = live }}</ref> Virtual machines running on Hyper-V can have their own virtual TPM module starting with Windows 10 1511 and Windows Server 2016.<ref>{{cite web\|url=https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/what-s-new-in-hyper-v-on-windows\|title=What's new in Hyper-V on Windows Server 2016\|publisher=Microsoft\|access-date=March 24, 2017\|archive-date=March 25, 2017\|archive-url=https://web.archive.org/web/20170325113136/https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/what-s-new-in-hyper-v-on-windows\|url-status=live}}</ref> Microsoft Windows includes two TPM related [[command (computing)\|commands]]: {{Mono\|tpmtool}}, a utility that can be used to retrieve information about the TPM, and {{Mono\|tpmvscmgr}}, a [[command-line interface\|command-line]] tool that allows creating and deleting TPM virtual [[smart card]]s on a computer.<ref>[{{Cite web \|url=https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tpmtool \|title=tpmtool \|{{!}} Microsoft Docs] \|access-date=2021-07-13 \|archive-date=2022-09-16 \|archive-url=https://web.archive.org/web/20220916165150/https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tpmtool \|url-status=live }}</ref><ref>[{{Cite web \|url=https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tpmvscmgr \|title=tpmvscmgr \|{{!}} Microsoft Docs] \|access-date=2021-07-13 \|archive-date=2022-05-09 \|archive-url=https://web.archive.org/web/20220509221318/https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tpmvscmgr \|url-status=live }}</ref> == Endorsement keys == Line 240 ⟶ 242: These manufacturers typically provide their [[Certificate Authority\|certificate authority]] root (and sometimes intermediate) certificates on their web sites. * [[AMD]]<ref>{{citation \| title=AMD EK RSA Root Certificate \| url=https://ftpm.amd.com/pki/aia/264D39A23CEB5D5B49D610044EEBD121 \| access-date=2021-07-23 \| archive-date=2021-07-23 \| archive-url=https://web.archive.org/web/20210723184749/https://ftpm.amd.com/pki/aia/264D39A23CEB5D5B49D610044EEBD121 \| url-status=live }}</ref><ref>{{citation \| title=AMD EK ECC Root Certificate \| url=https://ftpm.amd.com/pki/aia/23452201D41C5AB064032BD23F158FEF \| access-date=2021-07-23 \| archive-date=2021-07-23 \| archive-url=https://web.archive.org/web/20210723184748/https://ftpm.amd.com/pki/aia/23452201D41C5AB064032BD23F158FEF \| url-status=live }}</ref><ref>{{citation \| title=AMD EK Ryzen 6000 RSA Intermediate Certificate \| url=https://ftpm.amd.com/pki/aia/51ADE34A2F8253525E2321AD63F7B197 \| access-date=2021-07-23 \| archive-date=2021-07-23 \| archive-url=https://web.archive.org/web/20210723184748/https://ftpm.amd.com/pki/aia/51ADE34A2F8253525E2321AD63F7B197 \| url-status=live }}</ref><ref>{{citation \| title=AMD EK Ryzen 6000 ECC Intermediate Certificate \| url=https://ftpm.amd.com/pki/aia/D30EE6F7557055BA66AD1A1DD1157D2C \| access-date=2021-07-23 \| archive-date=2021-07-23 \| archive-url=https://web.archive.org/web/20210723184748/https://ftpm.amd.com/pki/aia/D30EE6F7557055BA66AD1A1DD1157D2C \| url-status=live }}</ref> * [[Infineon]]<ref>{{citation\| title=Infineon Root Certificate \| url=https://www.infineon.com/cms/en/product/promopages/optiga_tpm_certificates/}}</ref> * [[Intel]]<ref>{{citation\| title=Intel EK Root Certificate \| url=https://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer}}</ref><ref>{{citation \| title=Intel EK Intermediate Certificate \| url=https://upgrades.intel.com/content/CRL/ekcert/SPTHEPIDPROD_EK_Platform_Public_Key.cer \| access-date=2021-07-23 \| archive-date=2021-07-23 \| archive-url=https://web.archive.org/web/20210723150732/https://upgrades.intel.com/content/CRL/ekcert/SPTHEPIDPROD_EK_Platform_Public_Key.cer \| url-status=live }}</ref> * NationZ<ref>{{citation \| title = NationZ EK Root Certificate \| url = https://pki.nationz.com.cn/EkRootCA/EkRootCA.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150732/https://pki.nationz.com.cn/EkRootCA/EkRootCA.crt \| url-status = live }}</ref><ref>{{citation\| title = NationZ EK Intermediate Certificate \| url=https://pki.nationz.com.cn/EkMfrCA001/EkMfrCA001.crt}}</ref><ref>{{citation\| title = NationZ EK Intermediate Certificate \| url=https://pki.nationz.com.cn/EkMfrCA002/EkMfrCA002.crt}}</ref><ref>{{citation \| title = NationZ EK Intermediate Certificate \| url = https://pki.nationz.com.cn/EkMfrCA003/EkMfrCA003.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150736/https://pki.nationz.com.cn/EkMfrCA003/EkMfrCA003.crt \| url-status = live }}</ref> * [[Nuvoton]]<ref>{{citation\| title = Nuvoton EK Root Certificate 1110 \| url=https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%201110.cer}}</ref><ref>{{citation \| title = Nuvoton EK Root Certificate 1111 \| url = https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%201111.cer \| access-date = 2021-07-26 \| archive-date = 2021-07-26 \| archive-url = https://web.archive.org/web/20210726215035/https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%201111.cer \| url-status = live }}</ref><ref>{{citation\| title = Nuvoton EK Root Certificate 2110 \| url=https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%202110.cer}}</ref><ref>{{citation\| title = Nuvoton EK Root Certificate 2111 \| url=https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%202111.cer}}</ref><ref>{{citation\| title = Nuvoton EK Root Certificate 2112 \| url=https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton%20TPM%20Root%20CA%202112.cer}}</ref> * [[STMicroelectronics\|ST Micro]]<ref>{{citation \| title = ST Micro EK GlobalSign Certificate \| url = https://secure.globalsign.com/cacert/gstpmroot.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150736/https://secure.globalsign.com/cacert/gstpmroot.crt \| url-status = live }}</ref><ref>{{citation \| title = ST Micro EK Root Certificate \| url = https://secure.globalsign.com/cacert/stmtpmekroot.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150731/https://secure.globalsign.com/cacert/stmtpmekroot.crt \| url-status = live }}</ref><ref>{{citation\| title = ST Micro EK Intermediate Certificate \| url=https://secure.globalsign.com/cacert/stmtpmekint01.crt}}</ref><ref>{{citation \| title = ST Micro EK Intermediate Certificate \| url = https://secure.globalsign.com/cacert/stmtpmekint02.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150734/https://secure.globalsign.com/cacert/stmtpmekint02.crt \| url-status = live }}</ref><ref>{{citation\| title = ST Micro EK Intermediate Certificate \| url=https://secure.globalsign.com/cacert/stmtpmekint03.crt}}</ref><ref>{{citation\| title = ST Micro EK Intermediate Certificate \| url=https://secure.globalsign.com/cacert/stmtpmekint04.crt}}</ref><ref>{{citation \| title = ST Micro EK Intermediate Certificate \| url = https://secure.globalsign.com/cacert/stmtpmekint05.crt \| access-date = 2021-07-23 \| archive-date = 2021-07-23 \| archive-url = https://web.archive.org/web/20210723150735/https://secure.globalsign.com/cacert/stmtpmekint05.crt \| url-status = live }}</ref><ref>{{citation\| title = ST Micro EK GlobalSign ECC Certificate \| url=https://secure.globalsign.com/cacert/tpmeccroot.crt}}</ref><ref>{{citation\| title = ST Micro EK ECC Root Certificate \| url=https://secure.globalsign.com/stmtpmeccroot01.crt}}</ref><ref>{{citation\| title = ST Micro EK ECC Intermediate Certificate \| url=https://secure.globalsign.com/stmtpmeccint01.crt}}</ref> == Software libraries == To utilize a TPM, the user needs a software library that communicates with the TPM and provides a friendlier API than the raw TPM communication. Currently, there are several such open-source TPM 2.0 libraries. Some of them also support TPM 1.2, but mostly TPM 1.2 chips are now deprecated and modern development is focused on TPM 2.0. Typically, a TPM library provides an API with one-to-one mappings to TPM commands. The TCG specification calls this layer the System API (SAPI). This way, the user has more control over the TPM operations, ~~however~~but the complexity is high. To hide some of the complexity, most libraries also offer simpler ways to invoke complex TPM operations. The TCG specification call these two layers Enhanced System API (ESAPI) and Feature API (FAPI). There is currently only one stack that follows the TCG specification. All the other available open-source TPM libraries use their own form of richer API. Line 271 ⟶ 273: \|{{Yes}} \|{{Yes}} \|Maybe{{efn\|There is an application note{{r\|r={{Cite web\|last=AG\|first=Infineon Technologies\|title=~~OPTIGA™~~OPTIGA TPM SLI 9670 A-TPM board - Infineon Technologies\|url=https://www.infineon.com/cms/de/product/evaluation-boards/optiga-tpm-sli9670-a-tpm/\|access-date=2020-11-20\|website=www.infineon.com\|archive-date=August 6, 2020\|archive-url=https://web.archive.org/web/20200806175036/https://www.infineon.com/cms/de/product/evaluation-boards/optiga-tpm-sli9670-a-tpm/\|url-status=live}}}} about an example project for the AURIX 32-bit SoC using the tpm2-tss library.}} \|- \|ibmtss<ref>{{Cite web\|title=IBM TSS for TPM 2.0\|url=https://sourceforge.net/projects/ibmtpm20tss\|access-date=June 2, 2021\|archive-date=June 29, 2021\|archive-url=https://web.archive.org/web/20210629081044/https://sourceforge.net/projects/ibmtpm20tss/\|url-status=live}}</ref><ref>{{Cite web\|title = IBM TSS for TPM 2.0\|website = [[GitHub]]\|url = https://github.com/kgoldman/ibmtss\|access-date = June 2, 2021\|archive-date = June 29, 2021\|archive-url = https://web.archive.org/web/20210629081026/https://github.com/kgoldman/ibmtss\|url-status = live}}</ref> Line 311 ⟶ 313: {{noteslist}} These TPM libraries are sometimes also called TPM stacks, because they provide the interface for the developer or user to interact with the TPM. As seen from the table, the TPM stacks abstract the operating system and transport layer, so the user could migrate one application between platforms. For example, by using TPM stack API the user would interact the same way with a TPM, regardless if the physical chip is connected over SPI, ~~I2C~~I<sup>2</sup>C or LPC interface to the Host system. == See also ==