The Trusted Platform Module (TPM) is a chip that adds basic security functions to a computer or similar device. These functions can be used, for example, for licence enforcement and data protection. In some respects the chip behaves like a built-in smart card, with the important difference that it is bound not to a specific user but to the local computer. Besides PCs and notebooks, a TPM can be built into PDAs, mobile phones and consumer electronics. A device with a TPM, a specially adapted operating system and matching software together form a Trusted Computing (TC) platform. Such a “trusted platform” can no longer be used contrary to the interests of the manufacturer, provided the manufacturer has configured restrictions. A possible advantage for an ordinary user of such a system is protection against tampering with software by unauthorized third parties.
The chip is currently mostly passive and cannot directly influence the boot process or the running system. It contains a unique cryptographic key and can therefore be used to identify the computer; however, this is only possible if the owner has permitted that information to be read. On x86-based PCs the TPM could previously be disabled completely in the BIOS or UEFI settings (BIOS setup), so that none of its functions were available. However, more and more applications run only on a TC platform with the TPM enabled, as is the case with Windows from version 11 onward.
Distribution of Trusted Platform Module (TPM)
For PCs, a TPM 2.0 has been both present and enabled by default since 2021 in order to meet the minimum requirements of Windows 11; it has often been present in many models since around 2015, but not enabled by default in the BIOS setup. On the software side, the TPM is supported by various vendors. There are also mixed forms, for example when the TPM is integrated into the Ethernet chip (Broadcom).
Well-known PC and notebook manufacturers have fitted a TPM since about 2010 (version 1.x), but initially only in product lines for professional use. After version 2.0 became available in 2013, most manufacturers successively replaced the TPM 1.2 with an fTPM 2.0, which at first could likewise only be activated in the BIOS setup of the more expensive product lines. Since about 2015, many desktop PC and server motherboards have had at least one TPM header into which a discrete TPM module can be plugged, and most PC systems from that time also have a firmware TPM (fTPM) built into the processor, SoC or chipset, which may need to be enabled in the BIOS setup. Some vendors released firmware updates, including the option of upgrading from TPM version 1.2 to 2.0. For PCs from 2021 onward there is usually no need for action, since Windows 11 requires TPM 2.0.
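The two practical questions raised above are whether the firmware actually exposes a TPM to the operating system at all (it may be absent, or present but disabled in the BIOS setup) and whether it is a 1.2 or a 2.0 device (the Windows 11 baseline). The following added example, which is not part of the original article, answers both on Linux by reading the kernel's sysfs view of the device. The attribute path `/sys/class/tpm/tpm0/tpm_version_major` is the real one (available on kernels 5.6 and later); the `SYSFS_ROOT` parameter and the `tpm_status`/`win11_ready` function names are assumptions introduced here so the check can be exercised against a constructed directory tree as well as the live system.

```shell
#!/bin/sh
# Added example (not from the original article). Reports whether a TPM is
# exposed to a Linux kernel, which major version it speaks, and whether it
# meets the Windows 11 baseline (TPM 2.0).
#
# Real sysfs layout used:   /sys/class/tpm/tpm0/tpm_version_major  (kernel 5.6+)
# Assumption for testing:   SYSFS_ROOT (first argument) replaces "/sys" so the
#                           function can be run against a constructed tree.

# tpm_status [SYSFS_ROOT] -> prints exactly one word:
#   absent    no tpm0 device node: no TPM fitted, or it is disabled in the
#             firmware setup, or the kernel driver did not bind (all three
#             look the same from user space)
#   tpm1.2    a TPM 1.x device is exposed (needs a firmware upgrade for Win11)
#   tpm2.0    a TPM 2.0 device is exposed
#   unknown   device exposed but the version attribute is missing or odd
#             (typically a kernel older than 5.6)
tpm_status() {
    root="${1:-/sys}"
    dev="$root/class/tpm/tpm0"
    if [ ! -d "$dev" ]; then
        echo absent
        return 0
    fi
    if [ ! -r "$dev/tpm_version_major" ]; then
        echo unknown
        return 0
    fi
    # command substitution strips the trailing newline the attribute carries
    case "$(cat "$dev/tpm_version_major")" in
        1) echo tpm1.2 ;;
        2) echo tpm2.0 ;;
        *) echo unknown ;;
    esac
}

# win11_ready [SYSFS_ROOT] -> exit status 0 only if a TPM 2.0 is exposed
win11_ready() {
    [ "$(tpm_status "$1")" = "tpm2.0" ]
}

# Live use on the local machine:
#   tpm_status            # absent | tpm1.2 | tpm2.0 | unknown
#   win11_ready && echo "TPM 2.0 present and enabled"
```

Note that `absent` cannot distinguish a machine with no TPM from one whose TPM was switched off in the BIOS setup; that distinction has to be made in the firmware setup itself. On Windows the equivalent check is the `Get-Tpm` cmdlet in PowerShell, whose `TpmPresent` and `TpmReady` fields answer the same two questions.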

Criticism
TPM chips have so far been used only to a limited extent, because they can severely restrict the user's control over the system. For example, a mechanism that keeps unwanted software off the platform can be used to block malware, but equally to block competing software.
Several experts have described the use of Windows together with TPM 2.0 as causing a “loss of control over operating system and hardware”. In particular, on hardware operated with a TPM 2.0, Windows can enter error states, caused by unintentional mistakes on the part of the hardware or operating system manufacturer but also on the part of the owner of the IT system, that prevent the system from operating any further. This can go so far that the “hardware is permanently unusable”. The experts consider such situations unacceptable for the federal administration and other users, especially on critical infrastructure, and also criticize the fact that sabotage is possible in this way.
At the beginning of 2022 it became known that, under certain circumstances (on Windows 11 21H2), the fTPM integrated into AMD platforms causes performance degradation. A UEFI (BIOS) update is required to resolve the issue.