Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
It is used to generate a password safely in a system. It avoids generating a password in an external system and having to transport it from one to another.
TPM may need to be activated in the BIOS or UEFI. It may also to be updated. As of 2023, latest version of TPM is 2.0.
TPM is specific to operating systems like Microsoft Windows and Linux.
Each platform adopts a system that provides similar cryptoprocessor security:
- Trusted Platform Module (TPM): Microsoft Windows, Linux
- The Secure Enclave: macOS
- Chip Google Titan M: Google Pixel 3, 3 XL, 3a, 3a XL and 4 smartphones
- Samsung Knox: Samsung smartphones
TPM on Linux
Linux OS exposes low-level programmatic access to its TPM 2.0 devices via /dev/tpm0 or /dev/tpmrm0 device file abstractions.
TPM on Microsoft Windows
Windows 10/11 OS uses TPM chip for at least the following functionality:
- BitLocker drive encryption
- Windows Virtual Smart Card feature
- Platform Crypto Provider
The TPM chip helps to ensure the integrity of early startup components by ensuring that no modifications have been made to the trusted boot path, such as BIOS, boot sector, and boot manager. Once the TPM has verified that there are no changes, it releases the decryption key to the Windows OS Loader. If TPM does detect changes, it locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the computer when the operating system is not running.
Windows OS expose low-level programmatic access to its TPM 2.0 device via TPM Base Services (TBS) API.
TSS.MSR is an open-source library developed by Microsoft to access TPM functionality. It is available for .NET and C++:
- Monty Wiseman; “What Is The TPM (Trusted Platform Module) And Why Is It Important?“; Beyond Identity
- Microsoft; “Evaluate BitLocker and TPM“; Microsoft