Introduction to TPMs

In the past, I've encountered a lot of confusion about what a Trusted Platform Module (TPM) is, what one can do, and the set of problems one can solve. This post is intended to be the guide I wished I could point people at for that sort of information.

Another post will address actually writing code to use a TPM.

What is a TPM?

A TPM is, effectively, a cryptographic coprocessor. Generally it takes the form of a small chip that lives on your computer's motherboard and can be used to perform a variety of cryptographic services: securely storing keys, encrypting data, and so on. By pushing this functionality onto a separate hardware device, it becomes much more difficult for an attacker to extract information on your data. For example, when decrypting with a TPM, the key is never loaded into main memory, so it's impossible for an attacker to steal it.

Where can I find one?

At this point, almost any commercial desktop computer will have a TPM built in, so if you buy a computer at retail it'll (most likely!) have one.

The primary exception to this rule is Apple. For a brief period of time in 2006, they included a TPM in all of their devices, but since each TPM includes a unique key, this led to customer concerns about using that key to uniquely identify and track users. As such, for 'privacy reasons' no Apple computer has included a TPM since 2006.

Finally, for cost reasons, they're typically not included on motherboards sold as separate components. Some do include the required headers, though, so if you're interested you can pick up the TPM separately.

What can a TPM do?

In general, a TPM can do the following:

  • Generate random bytes (and by extension, keys)
  • Compute hashes of data
  • Generate or verify a digital signature
  • perform public-key encryption and decryption
  • Store some number of asymmetric keys
  • Store a small amount of data

Finally, every TPM has a unique key burned into its hardware; this key cannot be released from the device. This means that you can form a key hierarchy based on the TPM-unique key, ensuring that any data protected with a these keys can only be decrypted by someone with physical access to the device. In other words, the TPM provides a hardware root of trust.

The exact set of algorithms supported by a device are determined by which of the multiple TPM specifications it conforms to. For example, TPM 1.2 requires SHA-1 and RSA, while TPM 2.0 requires support for SHA-2, AES-128, and elliptic-curve crypto over a particular curve. Even then, support is device-specific; a TPM 2.0 device may implement AES-256 but is not required to.

Applications

These cryptographic primitives can be used for any number of higher-level tasks. One particularly-common one is to provide an attestation: reliable, cryptographic evidence about the software that your device is running. Broadly speaking this works by using the TPM to compute a secure, signed hash of system files, which can then be verified a remote device to determine whether those files have been corrupted.

Another common application is full-disk encryption. By generating an AES key, encrypting files with that key, then protecting that key with another key protected by the TPM, we can ensure that the AES key (and by extension the files protected by the AES key) can only be decrypted by someone with physical access to the machine that performed the encryption. Furthermore, using a form of the attestation process mentioned above, we can verify that the software requesting file decryption is uncorrupted and allowed to do so.

What can't a TPM do?

While flexible, a TPM is not a panacea for your cryptographic woes. The primary limitation is that, as a small, separate microchip, it is sloooow: throughput for RSA-2048 decryption on the TPM 2.0 on my device is on the order of a few Kb/s. This obviously places severe limitations on the amount of data that can be processed solely on the TPM itself.

Because its onboard storage is typically quite small - measured in kilobytes more than megabytes - you can't store lots of AES keys or other unstructured data on them.

Finally, the set of supported algorithms is limited. The TPM 2.0 spec is not yet finalized, though many devices support it in its current form, but it requires only AES-128, RSA-2048, ECC over one particular curve, and so on. And because it's a hardware device, adding support for new algorithms is not really possible.