TPM - Trusted Platform Module
A TPM (Trusted Platform Module) is a hardware-based security chip that generates and stores cryptographic keys, verifies device integrity, and supports secure boot. Against attacks that software alone cannot fully prevent (such as bootkits and firmware tampering), it provides a hardware-level root of trust. The underlying design philosophy is to store encryption keys in a dedicated chip isolated from the OS and applications, making it physically difficult for malware to steal the keys.
Differences Between TPM 1.2 and TPM 2.0
The TPM specification is developed by the TCG (Trusted Computing Group), and TPM 2.0 is now the mainstream standard. The transition from TPM 1.2 to 2.0 was not merely a version upgrade but a fundamental overhaul of the architecture.
| Item | TPM 1.2 | TPM 2.0 |
|---|---|---|
| Cryptographic algorithms | Fixed to RSA + SHA-1 | RSA, ECC, AES, SHA-256, etc. (extensible) |
| Key hierarchy | A single SRK (Storage Root Key) | Multiple hierarchies (Platform, Storage, Endorsement) |
| PCR banks | SHA-1 only | Multiple hash algorithms run in parallel |
| Authorization method | HMAC only | HMAC + policy-based authorization |
The fact that TPM 1.2 was fixed to SHA-1 is a fatal limitation now that SHA-1's vulnerabilities have been demonstrated. TPM 2.0 is designed to allow algorithms to be swapped out, so it can adapt to the future obsolescence of cryptographic algorithms.
Windows 11 and the TPM 2.0 Requirement
Microsoft's decision to make TPM 2.0 a mandatory system requirement for Windows 11 sparked considerable debate. Behind this decision lies the rise of firmware-level attacks. Because bootkits and rootkits operate before the OS boots, OS-level security software cannot detect them. Secure boot powered by TPM 2.0 verifies code integrity at each stage of the boot process and blocks the execution of tampered components.
The Secure Boot Verification Flow
1. Firmware verification
2. Record measurements in PCR
3. Signature verification
4. Integrity check
5. Unseal the key
Integration with BitLocker
Windows BitLocker drive encryption works in close coordination with the TPM. The encryption key is "sealed" inside the TPM and is released only when the boot process measurements (PCR: Platform Configuration Register) match the expected values. In other words, even if you connect the hard disk to a different PC, it cannot be decrypted because the TPM's sealing conditions are not met. Whereas an HSM handles server-side key management, the TPM handles key management on client devices, forming a complementary relationship.
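To make the measure-then-seal logic concrete, here is an added Python simulation (not code from the original article or from any TPM vendor) of a SHA-256 PCR bank: each boot stage is extended into a PCR, a volume key is sealed to the resulting value, and unsealing is refused when a tampered bootloader changes the measurement. The policy digest and key wrapping are simplified stand-ins for TPM2_PolicyPCR and the TPM's internal storage hierarchy (binding to the chip's own storage key is not modelled); the sample boot images and volume key are constructed placeholders.

```python
import hashlib

PCR_SIZE = hashlib.sha256().digest_size  # 32 bytes in the SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend in the SHA-256 bank: PCR_new = H(PCR_old || H(measurement)).
    A PCR can only be extended, never written directly, so a later stage cannot
    erase the measurement an earlier stage recorded about it."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """Replay a boot chain: each stage's image is measured into one PCR before it runs.
    Returns the final PCR value and an event log of (stage, PCR after extend)."""
    pcr = bytes(PCR_SIZE)  # PCRs are all-zero after a platform reset
    log = []
    for name, image in components:
        pcr = pcr_extend(pcr, image)
        log.append((name, pcr.hex()))
    return pcr, log


def policy_pcr(pcr: bytes) -> bytes:
    """Simplified policy digest binding an object to an expected PCR value."""
    return hashlib.sha256(b"PolicyPCR|PCR0|" + pcr).digest()


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Seal a secret (e.g. a volume key) to a PCR policy. A real TPM keeps the
    plaintext inside the chip; here it is XOR-wrapped with a policy-derived key."""
    policy = policy_pcr(expected_pcr)
    key = hashlib.sha256(b"wrap|" + policy).digest()
    return {"policy": policy, "wrapped": bytes(s ^ k for s, k in zip(secret, key))}


def unseal(sealed: dict, current_pcr: bytes) -> bytes:
    """Release the secret only if the current PCR satisfies the sealed policy."""
    if policy_pcr(current_pcr) != sealed["policy"]:
        raise PermissionError("PCR policy not satisfied: boot measurements differ")
    key = hashlib.sha256(b"wrap|" + sealed["policy"]).digest()
    return bytes(w ^ k for w, k in zip(sealed["wrapped"], key))


# Constructed boot chains: placeholder bytes stand in for firmware/bootloader/kernel images.
GOOD_BOOT = [("firmware", b"uefi-fw-v1"), ("bootloader", b"bootmgr-ok"), ("kernel", b"kernel-img")]
TAMPERED_BOOT = [("firmware", b"uefi-fw-v1"), ("bootloader", b"bootmgr-bad"), ("kernel", b"kernel-img")]
VOLUME_KEY = bytes(range(32))  # constructed stand-in for a 256-bit volume master key


def demo():
    """Seal on the known-good system, then try to unseal after a clean and a tampered boot."""
    sealed = seal(VOLUME_KEY, measured_boot(GOOD_BOOT)[0])
    clean_ok = unseal(sealed, measured_boot(GOOD_BOOT)[0]) == VOLUME_KEY
    try:
        unseal(sealed, measured_boot(TAMPERED_BOOT)[0])
        tampered_refused = False
    except PermissionError:
        tampered_refused = True
    return clean_ok, tampered_refused  # (True, True)
```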
fTPM and dTPM
There are two types of TPM implementation: firmware TPM (fTPM) and discrete TPM (dTPM).
fTPM (firmware TPM)
- Runs in a trusted execution environment within the CPU
- No additional chip required, so low cost
- AMD PSP and Intel PTT are representative examples
- Can be affected by CPU vulnerabilities
dTPM (discrete TPM)
- An independent, dedicated chip
- Physically isolated with high tamper resistance
- Suited for servers and high-security devices
- Costs more and occupies board space
For general business use, an fTPM is sufficient, but in environments that demand advanced security, such as military, finance, and healthcare, a dTPM is recommended. TPMs are also used as authenticators for FIDO/WebAuthn, serving as a foundational technology for passwordless authentication combined with biometric authentication. Be sure to also see the risks of biometric authentication and the challenges of migrating to passkeys. TPM and hardware security books (Amazon) are also useful for learning the implementation details.