Trusted Platform Module (TPM)
What is Trusted Platform Module (TPM)?
Trusted Platform Module (TPM): Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot.
A TPM is a TCG-standardized cryptoprocessor that supplies a hardware root of trust for endpoint security. The current standard is TPM 2.0, which is implemented as a discrete chip (dTPM), in platform firmware (fTPM), or as a virtual device (vTPM). It offers key generation and sealing, RSA/ECC signing, PCR-based measured boot, monotonic counters, and remote attestation. Operating systems use the TPM to anchor BitLocker, Windows Hello, FileVault, dm-verity, Linux Unified Key Setup (LUKS), and platform identity. TPM 2.0 is a Windows 11 requirement. Limitations include side-channel attacks on older firmware, TPM sniffing of the unencrypted SPI bus between a discrete TPM and the host CPU, and limited resistance against a physically present attacker.
● Examples
1. BitLocker sealing the disk encryption key to TPM PCRs so the disk only unlocks on a trusted boot path.
2. Cloud VM using a vTPM for remote attestation against a confidential compute service.
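The sealing in example 1, modelled as an added Python example (not code from this page or from any TPM library): a PCR is extended with each boot component in turn, a secret is sealed to the resulting PCR value, and unsealing succeeds only when the same boot path is measured again in the same order. The HMAC policy and XOR wrapping are simplified stand-ins for the TPM's internal key wrapping and PolicyPCR digest; the chip key, component names and secret are constructed values.

```python
import hashlib
import hmac

# Simplified model of TPM 2.0 PCR extend and PCR-bound sealing (added example, not
# the page's code). A real TPM does all of this inside the chip; here the chip's
# state is ordinary Python so the semantics can be run and checked offline.
PCR_INIT = b"\x00" * 32  # a SHA-256 bank PCR holds all zeros after reset

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measured component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(components: list[bytes]) -> bytes:
    """Extend one PCR with each boot component in order. PCRs can only be
    extended, never set, so the final value depends on every component
    and on the order in which they were measured."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

def seal(secret: bytes, expected_pcr: bytes, chip_key: bytes) -> dict:
    """Bind a secret to a PCR value. A real TPM wraps with a chip-resident key
    and records a policy digest; an HMAC over the expected PCR stands in for
    the policy and a derived one-time pad stands in for the wrapping."""
    pad = hashlib.sha256(chip_key + expected_pcr).digest()
    return {"policy": hmac.new(chip_key, expected_pcr, hashlib.sha256).digest(),
            "ct": bytes(a ^ b for a, b in zip(secret, pad))}

def unseal(blob: dict, current_pcr: bytes, chip_key: bytes):
    """Release the secret only if the current PCR satisfies the sealed policy."""
    policy_now = hmac.new(chip_key, current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(policy_now, blob["policy"]):
        return None  # TPM_RC_POLICY_FAIL on real hardware: the boot path changed
    pad = hashlib.sha256(chip_key + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

def demo() -> dict:
    """Seal a constructed volume key to a trusted boot chain, then try to unseal
    it on the same chain, a modified chain, and a reordered chain."""
    chip_key = b"constructed-chip-resident-key"  # never leaves a real TPM
    vek = b"volume-encryption-key-32-bytes!!"    # constructed sample secret
    good = [b"firmware-v1", b"shim-signed", b"kernel-6.1"]
    tampered = [b"firmware-v1", b"modified-loader", b"kernel-6.1"]
    reordered = [b"shim-signed", b"firmware-v1", b"kernel-6.1"]
    blob = seal(vek, measured_boot(good), chip_key)
    return {name: unseal(blob, measured_boot(chain), chip_key)
            for name, chain in (("trusted", good), ("tampered", tampered), ("reordered", reordered))}
```

Only the trusted chain reproduces the sealed PCR value; a changed or reordered component yields a different PCR and the secret is never released.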
● Frequently asked questions
What is Trusted Platform Module (TPM)?
Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot. It belongs to the Cryptography category of cybersecurity.
How does Trusted Platform Module (TPM) work?
A TPM is a TCG-standardized cryptoprocessor that supplies a hardware root of trust for endpoint security. The current standard is TPM 2.0, which is implemented as a discrete chip (dTPM), in platform firmware (fTPM), or as a virtual device (vTPM). It offers key generation and sealing, RSA/ECC signing, PCR-based measured boot, monotonic counters, and remote attestation. Operating systems use the TPM to anchor BitLocker, Windows Hello, FileVault, dm-verity, Linux Unified Key Setup (LUKS), and platform identity. TPM 2.0 is a Windows 11 requirement. Limitations include side-channel attacks on older firmware, TPM sniffing of the unencrypted SPI bus between a discrete TPM and the host CPU, and limited resistance against a physically present attacker.
What are other names for Trusted Platform Module (TPM)?
Common alternative names include: TPM 2.0.
● Related terms
- Secure Boot [cryptography, № 981]: UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.
- Hardware Security Module (HSM) [cryptography, № 461]: Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system.
- Hardware Token [cryptography, № 462]: Physical device that stores cryptographic secrets and performs authentication operations, used as a possession factor in multi-factor authentication.
- Cryptographic Key [cryptography, № 248]: A high-entropy secret or public value that parameterizes a cryptographic algorithm to encrypt, decrypt, sign, or authenticate data.
- FIPS 140 / FIPS 140-3 [cryptography, № 419]: US federal standard, maintained by NIST, that defines security requirements for cryptographic modules and their certification through accredited labs.
- YubiKey [cryptography, № 1260]: Family of hardware security keys from Yubico that implement FIDO2, WebAuthn, U2F, PIV smartcard, OpenPGP, and OTP for phishing-resistant authentication.
● See also
- PKCS#11 [№ 829]