While configuring a Lenovo Thinkpad T450s I stumbled across the option choosing how one would like to implement TPM.
It gives the options:
Can somebody advise me which option is currently the more secure option? (To be used with Windows 10.) I believe I read some time ago that some TPM implementations are vulnerable.
TPM is supposed to be implemented in hardware, but the Intel chipset on the motherboard (Platform Controller Hub) which contains the Intel Management Engine has a TPM implemented in software running on the chipset (not on the CPU) which is secure as long the chipset and its firmware are secure.
There have been security problems in Intel ME firmware, but as long as you will get firmware updates from Lenovo for as long as you plan to use it, it's fine. You will be unable to install firmware fixes Intel makes available without Lenovo's help, so make sure they'll support that specific model for as long as you need. If they, for example, require you to buy extra years of warranty just to download updates, that's a ripoff.
The real hardware TPM chip can also have security issues, and you probably remember the ROCA vulnerability. In that case too, you needed support from the OEM to install a firmware update in the TPM chip, so I guess the "patchibility" of both options is about the same.
The security track record should be better for the hardware TPM, because that's their main business while the TPM in Intel ME (and the rest of Intel ME) is not Intel's main business, and we know they have not consulted their internal security people on most design decisions for decades and it's coming to bite them in the behind.
The hardware chip being only TPM 1.2 and not TPM 2.0 is kinda weird. TPM 2.0 is not a new standard (released 2014).
I think I would choose the hardware chip.
Trusted Platform Module TPM is a dedicated microcontroller i.e. it's hardware; you can't change it with a configuration option. IBM ThinkPad T40 doesn't have TPM 1.2 nor TPM 2.0, but older IBM Embedded Security Subsystem 2.0 (Atmel 97SC3201).
I would choose TPM 2.0 as its recommended for Win10. if vulnerabilities appear in the future, it would likely be patched by a Win10 quality update, which is automatic, but vulnerabilities in the TPM 1.2 chip have to be done through the manufacturer, which is manual, and there are supposed weaknesses in the 1.2 spec that prompted 2.0 in the first place.
