{"id":426012,"date":"2017-09-21T08:27:54","date_gmt":"2017-09-21T15:27:54","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-project&p=426012"},"modified":"2020-03-13T09:27:25","modified_gmt":"2020-03-13T16:27:25","slug":"the-trusted-platform-module-tpm","status":"publish","type":"msr-project","link":"https:\/\/www.microsoft.com\/en-us\/research\/project\/the-trusted-platform-module-tpm\/","title":{"rendered":"Trusted Platform Module (TPM)"},"content":{"rendered":"

Overview<\/h2>\n

Microsoft has led the architecture and adoption of the TPM since its inception.\u00a0 Microsoft invented and contributed the attestation, sealing<\/em> and Platform Configuration Register<\/em> (PCR) features to the original TPM, and contributed to the overall design.<\/p>\n

More recently, Microsoft architected and and edited the TPM2.0 specification (opens in new tab)<\/span><\/a>. \u00a0Many new concepts and features were introduced with TPM2.0, including crypto-agility, easier management, a more flexible authorization model, and better extensibility. \u00a0TPM2.0 devices are now available from many vendors, and are incorporated into most business class PCs and many servers.\u00a0 TPM2.0 is also making increasing inroads into network equipment, mobile and IoT devices.<\/p>\n

The TPM2.0 specification is unique in that it is machine readable<\/em>.\u00a0 Most of the normative behavioral specification is written in a subset of the C programming language, and the TPM programming interface is defined in machine-readable tables.\u00a0 This allows vendors to quickly build high-quality and interoperable TPM implementations.<\/p>\n

The TPM is an evolving standard:\u00a0 Individuals, organizations and governments that would like to participate in its growth should join the Trusted Computing Group (opens in new tab)<\/span><\/a> (TCG.)\u00a0 TCG has many TPM-related standards activities, including specifications that describe how TPMs are built into platforms (opens in new tab)<\/span><\/a>, standardized software-stacks (opens in new tab)<\/span><\/a> for building TPM applications, as well as protocol design (opens in new tab)<\/span><\/a> and digital certificate (opens in new tab)<\/span><\/a> profiles.<\/p>\n

The TPM is both an industry (opens in new tab)<\/span><\/a> and international standard (opens in new tab)<\/span><\/a> (ISO\/IEC) specification with wide international support (opens in new tab)<\/span><\/a>.<\/p>\n

TPM in a Nutshell<\/h2>\n

The TPM is a low-cost, but powerful and flexible, crypto-processor.\u00a0 A TPM does many of the things that a smart-card or hardware security module (HSM) does \u2013 for example, it is able to create, manage and use cryptographic keys, as well as store confidential data.\u00a0 But a TPM is intimately tied into how a computer boots and runs, which means it is far more powerful and useful than a simple \u201csmart-card on the motherboard.\u201d<\/p>\n

For example, platforms that incorporate TPMs \u201cmeasure\u201d and log the software that boots on the device.\u00a0 The resulting boot-log can be used to verify that devices are running known-software and are up-to-date using a TPM feature called quoting<\/em> or attestation<\/em>.\u00a0 The boot-log can also be used to protect keys for disk encryption, because the TPM incorporates a feature called sealing <\/em>that can be used to make sure that the encryption key is only disclosed to authorized software, and not to disk-cracking tools.<\/p>\n

Other advanced TPM features include a secure clock, monotonic counters, a non-volatile storage facility, and very flexible and secure mechanisms for key management operations like key import and export.<\/p>\n

More information on how TPMs work and how that they can be used to solve common security problems can be found in A Practical Guide to TPM2.0 (opens in new tab)<\/span><\/a>.<\/p>\n

Microsoft Research TPM Resources<\/h2>\n

In addition to continuing to develop and maintain the TPM reference implementation, Microsoft has open-sourced software libraries and solutions that allow TPM-based applications to be built.<\/p>\n