Trusted Platform Module (TPM) is an independent component that monitors the state of a system and provides data protection using encryption. TPM can be implemented as a separate chip in a device or as software, but a hardware TPM is considered more reliable.
TPM is found in most modern desktops and laptops, where it is used for disk encryption, authentication and access control, as well as to protect licensed products from modification or copying.
Roots of Trust
An important part of TPM is Roots of Trust (RoT) — elements of the system that must be trusted unconditionally, since it is not possible to check that their behavior is normal. Trust in these elements is achieved through certification confirming that a particular RoT implementation meets security standards.
TPM includes three RoTs:
- Root of Trust for Measurement (RTM), the RoT responsible for measuring the state of the system
- Root of Trust for Storage (RTS), the RoT responsible for storing data
- Root of Trust for Reporting (RTR), the RoT responsible for generating reports
Trusted Platform Module device
TPM includes the following components:
- An I/O unit that manages the flow of information between TPM and the rest of the system
- A cryptographic processor responsible for key generation, encryption/decryption, and hashing
- Non-volatile memory for storing data that should not be reset when the power is off, in particular some cryptographic and authentication data
- Platform Configuration Registers (PCR), which contain information about system integrity
- An authorization subsystem responsible for verifying commands received by TPM before their execution
How a Trusted Platform Module works
A TPM runs its own firmware, independent of the device's operating system. It receives and executes commands, stores data and returns it on request. The TPM cryptoprocessor can generate random numbers, encryption keys and digital signatures, calculate hashes, and encrypt data using symmetric and asymmetric algorithms. In particular, TPM encrypts the computer's data-protection keys in such a way that they are unusable without that TPM. Among the tools that rely on TPM is software-based full disk encryption, such as BitLocker.
In addition, TPM can perform system state monitoring. In particular, the module checks for signs of external tampering with its hardware and software. If it detects any significant changes, it can deny access to protected data.
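The following is an added illustration, not part of the original article and not real TPM firmware or library code. It models in Python how the measurement root of trust fills a Platform Configuration Register and why a key bound to that register becomes unusable when the measured state changes: a PCR is never written directly, only extended by hashing the old value together with a new measurement, and a secret "sealed" to an expected PCR value is released only when the current value matches. The boot component names, the PCR index and the policy-digest construction are simplifications made up for the example; a real TPM builds its policy digest differently and keeps the sealing key inside the module.

```python
import hashlib

DIGEST_LEN = 32  # SHA-256 digest size; a real TPM 2.0 may offer other hash banks too


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """Extend a PCR: new_value = H(old_value || H(measurement)).
    A PCR cannot be overwritten, only extended, so the final value depends on
    every measurement made since reset and on the order in which they were made."""
    return sha256(pcr_value + sha256(measurement))


def measure_boot_chain(components) -> bytes:
    """Simulate the RTM measuring each boot component into one PCR,
    starting from the reset value (all zero bytes)."""
    pcr = b"\x00" * DIGEST_LEN
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def pcr_policy(pcr_values: dict) -> bytes:
    """Simplified stand-in for a PCR policy: a digest over the selected PCR
    indices and their expected values. (Assumption for this example only;
    the real TPM policy digest is computed differently.)"""
    h = hashlib.sha256()
    for index in sorted(pcr_values):
        h.update(index.to_bytes(1, "big") + pcr_values[index])
    return h.digest()


def seal(secret: bytes, expected_pcrs: dict) -> tuple:
    """Bind a secret to an expected PCR state. A real TPM would also encrypt
    the secret under a key that never leaves the module; here only the
    policy binding is modelled."""
    return (pcr_policy(expected_pcrs), secret)


def unseal(sealed: tuple, current_pcrs: dict):
    """Release the secret only if the current PCR state matches the policy;
    otherwise the TPM refuses and the protected key stays unusable."""
    policy, secret = sealed
    if pcr_policy(current_pcrs) != policy:
        return None
    return secret


# Constructed sample boot components (stand-ins for firmware, bootloader and kernel images).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
MODIFIED_CHAIN = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]
PCR_INDEX = 0  # arbitrary index for the example


def demo():
    """Seal a key to a known-good boot, then try to unseal after a normal and a modified boot."""
    expected = {PCR_INDEX: measure_boot_chain(GOOD_CHAIN)}
    sealed = seal(b"disk-encryption-key", expected)
    after_normal_boot = unseal(sealed, {PCR_INDEX: measure_boot_chain(GOOD_CHAIN)})
    after_modified_boot = unseal(sealed, {PCR_INDEX: measure_boot_chain(MODIFIED_CHAIN)})
    return after_normal_boot, after_modified_boot


if __name__ == "__main__":
    normal, modified = demo()
    print("normal boot unseals:", normal)
    print("modified boot unseals:", modified)
```

Running the script shows the key returned after the unchanged boot chain and `None` after a single component differs, which is the behaviour described above for disk encryption keys protected by the TPM. Because the register is only ever extended, measuring the same components in a different order, or measuring one of them twice, also yields a different value and fails the policy check.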