TPM stands for Trusted Platform Module, or Trusted Platform Module in Spanish, and is the name of the specification that details a secure cryptoprocessor that stores encryption keys with which to protect information; In other words, we are talking about a specific component for security and more specifically for data encryption, in this case referring to a PC.
This is how TPM is implemented on a PC motherboard
As mentioned in its definition, the trusted platform module is a module, and although this word may suggest that we are treating a physical element, it is not necessarily the case, since as we are going to explain below we can even virtualize it if we want to (so, effectively, you could “trick” the operating system into thinking that you have a physical module installed so that you can install Windows 11).
In any case, the basic essence of the TPM is that we are talking about a physical chip, and more specifically a cryptoprocessor in charge not only of storing but also of managing the encryption keys that can be used, for example, to encrypt the information of the hard disk but also to store passwords in a safe space isolated from the rest. And this is one of its fundamental characteristics: isolation. Only the CPU should be able to access the TPM through a secure channel, so that no outside interaction other than the CPU can be done with these secure keys.
For this, we can find a total of five types of TPM implementations on a PC motherboard, which are as follows.
With a dedicated TPM module connected to motherboards
It is not necessary to go to the most modern motherboards (since TPM is something that, in fact, has existed since 2006) to be able to have compatibility with TPM, since many of them incorporate a connector printed as “TPM”, generally located on the bottom area, near the internal USB connectors, or on the far right side of the PCB, near the 24-pin ATX connector for the power supply.
In any case, the dedicated TPM module is precisely that, a module that incorporates the cryptographic chip and that we can connect and disconnect from the motherboards at will. These devices can be purchased in electronics stores (and even on Amazon) for relatively little money (their price is usually around 15-20 euros approximately) and simply by connecting it to the motherboard you will already have what you need to run Windows 11, then of course is to enable its operation.
These chips are semiconductors but with the peculiarity that they are integrated in a tamper-proof package, so in theory they are the safest method there is. Also, the routines implemented in your hardware are more resistant to errors compared to other methods, so they also give us some guarantee of good performance and longevity.
Of course, do not trust yourself because not all TPM modules work on all motherboards. We recommend that you first read the instruction manual of your plate to make sure, but in any case you should know that the Trusted Computing Group It only certifies as valid the chips (not the modules, which means that for example you can find a module manufactured by ASRock but with an Infineon chip) manufactured by Infineon, Novoton or STMicroelectronics, AMD, Atmel, Broadcom, IBM, Intel, Lenovo , National Semiconductor, Nationz, Qualcomm, Rockchip, SMC, Samsung, Sinosun, Texas Instruments, or Winbond.
With TPM integrated into a chip on the motherboards themselves
Some motherboards directly integrate TPM on a chip soldered to their own PCB, so that instead of having a TPM connector they already have the chip without us having to worry about anything. This is known as integrated TPM, and we can find it as part of another chip (such as inside the chipset of motherboards), which is why in this case it is not necessary for the manufacturer to worry about implementing anti-tampering measures. .
They present the same level of security as the modules but have the advantage that, unlike the physical modules, we do not run the risk of losing them, hitting them or being damaged by use, so this integration could say that it is without a doubt the best for the user.
Technically, we could say that this way of implementing TPM on a motherboard is by software, but also technically we will have to go through here to make the physical modules work; By default, motherboards have TPM deactivated, so if you install a module and it does not work, it is because you must go to the BIOS of your motherboard and activate it by hand. You will generally find it in Advanced Options or in the Security section whether you have BIOS or UEFI.
In either case, the firmware implementation is known as fTPM and they are typically UEFI embedded solutions that run within the processor’s top-level trust ring. It is certainly the cheapest method to implement for the manufacturer, and in fact both Intel and AMD or Qualcomm have used it a lot in the past, although not so safe like the above methods.
This is a fairly specific type of TPM, known as vTPM or TPM for Hypervisor. We are not going to go too far into this implementation because it is designed for professional environments with virtual machines (although those of you who use the PC with virtual machines will be happy to know this), but for you to understand it in essence, TPM is implemented at the hypervisor level (ie at the hardware, firmware or software level) and it is capable of acting as a “server” for all the virtual machines that “hang” on it with a simple driver. Its level of security, yes, is at the level of the type by firmware.
TPM can also work by software on motherboards
There is also the possibility that even on motherboards that do not have any way to implement TPM, it can be run through software. It is an emulator that runs without more protection than a normal program has (and would be at the level furthest from the CPU trust rings) within the operating system, and therefore completely depends on the environment in which it is used. to run.
Therefore, this type of security is not such because it has the same vulnerabilities as any other software and even to the errors of the operating system itself, so in general you will not see TPM implementations by software on motherboards since they are only useful for development purposes (yet we put it on the list because the possibility to implement it exists).