What is a TPM?
The abbreviation TPM stands for Trusted Platform Module. It is a chip that provides basic security functions in hardware. It can be used to ensure the integrity of systems and platforms such as computers and servers, as well as other electronic devices such as smartphones. The chip is protected against tampering by security mechanisms and, for example, generates, provides, stores, or controls the use of cryptographic keys. Unlike a smart card or security token, the TPM is not tied to a specific user but is used by the system and the software installed on it.
Base certificates of a Trusted Platform Module
The basic certificates of a TPM are:
- Endorsement Certificate
- Platform Certificate
- Conformance Certificate
- Validation Certificate
The Endorsement Certificate ensures that the Trusted Platform Module comes from an authorized manufacturer and confirms the authenticity of the module. The certificate is permanently stored on the module and never leaves it.
The Platform Certificate confirms that the system is a trusted platform with a valid TPM and that its components meet the specifications. It is issued by the manufacturer of the device, for example the laptop manufacturer. The Conformance Certificate proves that the TPM has been implemented correctly.
The task of the Validation Certificate is to prove compliance with the specifications when implementing components such as graphics cards. Other components of the Trusted Platform Module include the unique Storage Root Key (SRK) and Roots of Trust.
Supported functions of a Trusted Platform Module
The Trusted Platform Module supports various functions. It can bind data to a single TPM by sealing it: the data is encrypted together with a hash value, so that only that TPM can decrypt it again. Cryptographic keys can be generated, used, and securely stored within the module, where they are protected against both software and hardware attacks.
The TPM can also store keys outside the module, for example on a hard disk. Other functions include secure random number generation, remote attestation, and the storage of system states.
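The following is an added, constructed example (not code from the original article and not a TPM vendor's implementation) that models two of the functions named above in plain Python: storing system states by extending a PCR (Platform Configuration Register) with boot-time measurements, and sealing data so that it can only be unsealed by the same TPM in the same measured state. The Storage Root Key (`srk`), the boot components, and the secret are all constructed values; a real TPM uses AES/RSA/ECC and policy sessions instead of the SHA-256 keystream used here so the example runs with the standard library alone.

```python
from __future__ import annotations
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256 digest length; PCRs in this model are 32 bytes


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)).

    The operation is one-way and order-dependent: a register can only be
    reset by a reboot, never set to an arbitrary value, which is what lets
    the final PCR value stand for "the exact sequence of components that ran".
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Start from an all-zero PCR and extend it with each component in boot order."""
    pcr = bytes(DIGEST_LEN)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Simplified stand-in for a block cipher: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _derive_keys(srk: bytes, pcr_state: bytes) -> tuple[bytes, bytes]:
    """Bind the sealing keys to both the TPM's secret (SRK) and the expected PCR value."""
    k_enc = hmac.new(srk, b"seal-enc" + pcr_state, hashlib.sha256).digest()
    k_mac = hmac.new(srk, b"seal-mac" + pcr_state, hashlib.sha256).digest()
    return k_enc, k_mac


def seal(srk: bytes, pcr_state: bytes, secret: bytes) -> dict:
    """Seal a secret to this TPM (srk) and this platform state (pcr_state)."""
    k_enc, k_mac = _derive_keys(srk, pcr_state)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k_enc, nonce, len(secret))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk: bytes, pcr_state: bytes, blob: dict) -> bytes | None:
    """Return the secret, or None if the TPM or the measured state does not match."""
    k_enc, k_mac = _derive_keys(srk, pcr_state)
    expected = hmac.new(k_mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong SRK (other TPM) or wrong PCR value (modified boot chain)
    stream = _keystream(k_enc, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: seal a disk key to a known-good boot chain."""
    srk = hashlib.sha256(b"constructed SRK of TPM #1").digest()        # never leaves a real TPM
    other_srk = hashlib.sha256(b"constructed SRK of TPM #2").digest()  # a different device
    good_boot = [b"firmware v1", b"bootloader v1", b"kernel v1"]
    tampered_boot = [b"firmware v1", b"bootloader MODIFIED", b"kernel v1"]

    blob = seal(srk, measure_boot(good_boot), b"disk encryption key")
    return (
        unseal(srk, measure_boot(good_boot), blob) == b"disk encryption key",  # same TPM, same state
        unseal(srk, measure_boot(tampered_boot), blob) is None,                # same TPM, changed boot chain
        unseal(other_srk, measure_boot(good_boot), blob) is None,              # other TPM, same state
    )


if __name__ == "__main__":
    print(demo())  # constructed scenario: (True, True, True)
```

The sealed blob itself can live on a hard disk, as the text says for keys stored outside the module; what keeps it useful only on this platform is that the decryption key is derived inside the (modelled) TPM from its non-exportable SRK and the PCR value. Any change in the measured boot chain, or the same blob presented to a different TPM, produces a different key and the unseal is refused.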