Questions tagged [tpm]

A Trusted Platform Module (TPM) is a secure coprocessor found in some x86-based computers that provides cryptographic operations and system integrity measurements.

A Trusted Platform Module is a secure cryptoprocessor defined by the Trusted Computing Group and found on some x86 processors. It performs platform measurements that an operating system can use to ensure platform integrity, thus implementing a form of secure boot. The TPM also implements some common cryptographic algorithms. Each TPM contains a unique key and can therefore be used to authenticate the platform and to encrypt data that will not be decryptable without that particular TPM.

TrouSerS is an open-source TCG software stack (a TPM API). Microsoft's BitLocker on Windows Vista and above leverages the TPM when present.

263 questions

22 votes, 4 answers
Do a TPM's benefits outweigh the risks?
Is TPM really worth it? According to Wikipedia it: Provides a generator of random numbers (that's okay) Facilities for the secure generation of cryptographic keys for limited uses (that's okay too I guess) Remote attestation (doesn't sound…
Gillian (512)

8 votes, 1 answer
Purpose of TPM "ownership" and "owner password"
I have a laptop with TPM 2.0, dual-booting Windows 10 and Linux. By default, Windows automatically takes ownership of the TPM with a throwaway password, but can be configured to store it in the Registry. However, Linux seems to have access to the…
grawity (1,716)

5 votes, 1 answer
What's the difference between Secure Boot and Attestation?
What's the exact difference between secure boot and device attestation? Nowadays with secure devices both are used, even at the same time, when in the core they do similar things, which is verification of the software running on the platform.
TrinityTonic (271)

5 votes, 3 answers
What makes TPM chip Endorsement Key Non-migratable?
I know that the endorsement key (EK) of TPM is stored in non-volatile memory (e.g. EEPROM), which is non-migratable to outside the TPM. Like EK, the Storage Root Key (SRK) is also non-migratable. What makes them non-migratable? It is achieved by some…
TJCLK (838)

4 votes, 1 answer
Laptop TPM with physical presence key operations?
It seems most systems have a TPM 2 module in them now, and it seems those modules often have a physical presence pin. Are these pins actually used by any typical laptop manufacturers? I have a laptop and a YubiKey. The YubiKey requires a physical…
ARandomBob (41)

4 votes, 3 answers
TPM 1.2 or Intel PTT
While configuring a Lenovo Thinkpad T450s I stumbled across the option choosing how one would like to implement TPM. It gives the options: Hardware TPM chip with TPM 1.2 mode Intel PTT with TPM 2.0 mode Can somebody advise me which option is…
David Newton (51)

4 votes, 0 answers
TPM ownership, what is the low level process?
Ok, starting with some ground concepts, just in case I'm mistaken: Ownership of the TPM simply means to have the owner password. Taking ownership means to clear the TPM and to initialize the owner password. 1) When taking ownership, is the…
Michael (351)

3 votes, 0 answers
Using TPM persisted RSA key in Windows and Linux
Our solution includes a Windows tool that creates/opens a persisted RSA key stored in the TPM and encrypts/decrypts data using it. This works flawlessly. Now we need to decrypt that data but from a Linux OS on that same machine. Can it be done? The…
Assaf Levy (131)

3 votes, 1 answer
Is the TPM 1.2 Direct Anonymous Attestation Anonymity Revocation Still useful for random base names?
I have implemented the Trusted Computing Group's TSS Version 1.2 Direct Anonymous Attestation according to their specification and this includes the Anonymity Revocation. There have been papers discussing privacy flaws among corrupt administrators…

2 votes, 1 answer
Can I set up a TPM2 policy that ANDs multiple OR policies?
I'd like to define a TPM access policy that allowlists multiple different values for certain PCRs. Hence, I'd like a policy like this: (PolicyOR(PolicyPCR(value1,pcr4),PolicyPCR(value2,pcr4),PolicyPCR(value3,pcr4)) AND…
user175104 (121)

2 votes, 1 answer
What are the security differences between TPM1.2, TPM2.0, Intel PTT, and AMD fTPM?
As far as I am aware, to the OS, PTT and fTPM are indistinguishable from TPM2.0. What I am curious about are the physical security differences between the different TPM providers. A dedicated TPM2 module is susceptible to probing of the data lines…
Kalcifer (173)

2 votes, 1 answer
TPM PCRs not reset on TPM reset or on reboot
I have a Raspberry Pi with a TPM chip, where I use the TPM for disk encryption. The disk encryption password is sealed to the TPM using PCR register 0. I extend the PCR on the start of the system with certain values, but I found out that PCR 0 only…
Jan Wytze (133)

2 votes, 3 answers
Can a Trusted Platform Module be used as a Trojan Horse?
Does it matter where I buy my TPM from? What are the downsides of buying a $15 TPM over eBay? Can a TPM be a Trojan horse that compromises my security?
Lord Loh. (559)

2 votes, 1 answer
Can a TPM chip check if the BIOS is still in its factory setting?
Can TPM (trusted platform module) be used to verify if a used laptop's BIOS, the bootloader and related components have not been tampered with in the past, i.e. whether those components are still in their factory setting state? Or can a TPM only…
Manuel (33)

2 votes, 1 answer
TPM and remote attestation
I am currently trying to figure out just how remote attestation for a TPM works in combination with the PCR-values. Is it true that the PCR values are only measured on system boot and cannot be changed until after we boot the computer once again?…
Sushiman (55)