What is TPM?
A TPM (Trusted Platform Module) is a dedicated security chip, or a firmware equivalent, that generates, stores and uses cryptographic keys in hardware, so that authenticated access to sensitive applications and data is rooted in the device rather than in software alone.
A private key created inside the TPM never leaves it: software can ask the TPM to sign or decrypt with the key, subject to that key's authorization (a PIN, password or policy), but cannot read the key out. The same chip records measurements of the boot process in its Platform Configuration Registers (PCRs), which lets a remote party verify, or attest, the system's security state.
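The remote-assurance point above is easiest to see in code. The following is an added example written for this article; it is not code from Trenton Systems, Microsoft or any TPM vendor. It models, with Python's hashlib only, how a verifier checks the boot measurements a TPM reports: each measured component is hashed and folded into a PCR with PCR_new = H(PCR_old || digest), so the verifier can replay the event log it was sent and compare the result with the PCR values the TPM quoted. The event logs (GOOD_EVENTS, PATCHED_BOOT_EVENTS, REORDERED_EVENTS) are constructed for the example, and the replay runs in both the SHA-1 bank (all TPM 1.2 had) and the SHA-256 bank TPM 2.0 adds. Checking the attestation-key signature on a real quote is not modelled here.

```python
"""Replaying a TPM event log against quoted PCR values.

Added example for this article (not Trenton Systems', Microsoft's or any
TPM vendor's code).  Event logs below are constructed for illustration.
"""
import hashlib

# TPM 2.0 keeps one PCR bank per hash algorithm; TPM 1.2 had SHA-1 only.
PCR_SIZE = {"sha1": 20, "sha256": 32}


def extend(pcr_value: bytes, digest: bytes, alg: str) -> bytes:
    """TPM2_PCR_Extend: PCR <- H(PCR || digest).  One-way and order-sensitive."""
    return hashlib.new(alg, pcr_value + digest).digest()


def replay_log(events, alg: str) -> dict:
    """Replay (pcr_index, measured_bytes) events into per-PCR values.

    PCRs 0-16 are all-zero after reset, which is where the replay starts.
    """
    pcrs = {}
    for index, component in events:
        digest = hashlib.new(alg, component).digest()
        old = pcrs.get(index, bytes(PCR_SIZE[alg]))
        pcrs[index] = extend(old, digest, alg)
    return pcrs


def mismatched_pcrs(events, quoted_pcrs: dict, alg: str) -> list:
    """Indices of quoted PCRs that the supplied event log does not reproduce."""
    expected = replay_log(events, alg)
    return sorted(i for i in quoted_pcrs if expected.get(i) != quoted_pcrs[i])


# Constructed log of a known-good boot: (PCR index, what was measured).
GOOD_EVENTS = [
    (0, b"firmware core v1.2"),
    (0, b"option ROM: nic"),
    (4, b"bootmgfw.efi"),
    (7, b"SecureBoot=1"),
]

# What actually ran on a machine whose boot loader was patched.  The TPM
# quotes PCRs for this boot even if the attacker sends the good log above.
PATCHED_BOOT_EVENTS = [
    (0, b"firmware core v1.2"),
    (0, b"option ROM: nic"),
    (4, b"bootmgfw.efi (patched)"),
    (7, b"SecureBoot=1"),
]

# Same measurements as GOOD_EVENTS with the two PCR0 events swapped.
REORDERED_EVENTS = [GOOD_EVENTS[1], GOOD_EVENTS[0], GOOD_EVENTS[2], GOOD_EVENTS[3]]


def main():
    good_quote = replay_log(GOOD_EVENTS, "sha256")        # what a clean TPM quotes
    patched_quote = replay_log(PATCHED_BOOT_EVENTS, "sha256")
    print("good log vs good quote      :", mismatched_pcrs(GOOD_EVENTS, good_quote, "sha256"))
    print("good log vs patched quote   :", mismatched_pcrs(GOOD_EVENTS, patched_quote, "sha256"))
    print("reordered log vs good quote :", mismatched_pcrs(REORDERED_EVENTS, good_quote, "sha256"))
    for alg in PCR_SIZE:
        print(f"{alg:7} PCR7 = {replay_log(GOOD_EVENTS, alg)[7].hex()}")


if __name__ == "__main__":
    main()
```

A log that does not reproduce the quoted PCRs is rejected, and because extend is order-sensitive, even a log with the right entries in the wrong order fails. In a real deployment the verifier additionally checks the quote's signature against the TPM's attestation key and compares the replayed PCRs with golden values for the expected firmware and boot loader.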
Why TPM 2.0?
TPM 2.0 brings several important security advantages over its predecessor, TPM 1.2.
Let's take a closer look.
- The introduction of new algorithms
According to Microsoft, TPM 2.0 supports newer and stronger algorithms: where TPM 1.2 was limited to SHA-1 and RSA, TPM 2.0 adds SHA-256 and elliptic-curve cryptography, among others.
For anyone in the SSL certificate business, that is music to the ears. With the growth in computing power and the arrival of practical collision attacks on SHA-1, plans to move away from that outdated hash have been in the works for several years.
By late 2017, Microsoft and Google had both removed support for SHA-1 certificates from their browsers, and the move to SHA-2 (SHA-256 specifically) has been well under way since.
- Centralized lockout logic - finally!
TPM 1.2 left the anti-dictionary-attack (lockout) logic to each vendor. Even different TPM models from the same vendor could use different thresholds and timings, which made managing lockout cumbersome and complicated.
In TPM 2.0 the lockout behaviour for failed PIN attempts is defined by the specification and its parameters are set by Windows.
Microsoft set TPM 2.0's maximum number of failed attempts to 32, with one failed attempt forgotten every 2 hours. These values are configured by the OS when it takes ownership of (provisions) the TPM; the defaults have changed across Windows releases, and Get-Tpm reports the values in effect on a given machine (LockoutMax, LockoutCount, LockoutHealTime).
- TPM implementation methods
Most TPM 1.2 implementations are a separate chip soldered to the motherboard, what we now call a 'discrete TPM'.
TPM 2.0 adds two more options: integrated and firmware.
Microsoft explains it best: an integrated TPM is dedicated hardware built into one or more semiconductor packages alongside, but separate from, other components.
A firmware TPM runs the TPM code in a trusted execution mode of a general-purpose processor.
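To make the centralized lockout logic above concrete, here is an added example, not code from Microsoft, Trenton Systems or any TPM vendor. It models the two parameters TPM 2.0 standardizes and the OS sets through TPM2_DictionaryAttackParameters: the maximum number of failed authorizations (TPM2_PT_MAX_AUTH_FAIL) and the recovery interval after which one failure is forgotten (TPM2_PT_LOCKOUT_INTERVAL), using the 32 failures and 2 hours quoted above. The timing rule (one failure forgotten per full interval since the first failure) and the choice not to clear the counter on success are simplifications of the specification; the PIN and lockout authorization values are constructed, and time is passed in explicitly so the model is deterministic.

```python
"""Model of the TPM 2.0 dictionary-attack lockout counter.

Added example for this article (not Microsoft's, Trenton Systems' or any
TPM vendor's code).  The timing rule is a simplification of the spec;
PIN and lockout-auth values are constructed for the example.
"""
import hmac

MAX_AUTH_FAIL = 32              # TPM2_PT_MAX_AUTH_FAIL as the article quotes it
LOCKOUT_INTERVAL = 2 * 60 * 60  # TPM2_PT_LOCKOUT_INTERVAL, seconds (2 hours)

OK, FAIL, LOCKED_OUT = "ok", "fail", "locked_out"


class DictionaryAttackGuard:
    """Tracks failedTries for objects protected by a PIN or password."""

    def __init__(self, max_auth_fail=MAX_AUTH_FAIL, lockout_interval=LOCKOUT_INTERVAL):
        self.max_auth_fail = max_auth_fail
        self.lockout_interval = lockout_interval
        self.failed_tries = 0
        self.interval_start = 0  # when the current recovery interval began

    def _heal(self, now):
        """Forget one failure for every full interval that has elapsed."""
        if self.failed_tries == 0:
            return
        forgotten = (now - self.interval_start) // self.lockout_interval
        if forgotten > 0:
            self.failed_tries = max(0, self.failed_tries - forgotten)
            self.interval_start += forgotten * self.lockout_interval

    def next_heal_time(self):
        return self.interval_start + self.lockout_interval

    def is_locked_out(self, now):
        self._heal(now)
        return self.failed_tries >= self.max_auth_fail

    def authorize(self, now, attempt: bytes, secret: bytes) -> str:
        """One authorization attempt at time `now` (seconds)."""
        if self.is_locked_out(now):
            return LOCKED_OUT          # refused before the value is even checked
        if hmac.compare_digest(attempt, secret):
            return OK                  # success leaves failedTries unchanged in this model
        if self.failed_tries == 0:
            self.interval_start = now  # recovery clock starts with the first failure
        self.failed_tries += 1
        return FAIL

    def lock_reset(self, attempt: bytes, lockout_auth: bytes) -> bool:
        """TPM2_DictionaryAttackLockReset: lockoutAuth holder clears the counter."""
        if not hmac.compare_digest(attempt, lockout_auth):
            return False
        self.failed_tries = 0
        return True


def guesses_in_window(window_seconds, max_auth_fail=MAX_AUTH_FAIL,
                      lockout_interval=LOCKOUT_INTERVAL) -> int:
    """PIN guesses an attacker gets in `window_seconds` by trying as soon as
    the TPM allows: a burst of max_auth_fail, then one per interval."""
    guard = DictionaryAttackGuard(max_auth_fail, lockout_interval)
    guesses, now = 0, 0
    while now < window_seconds:
        if guard.is_locked_out(now):
            now = guard.next_heal_time()
            continue
        guard.authorize(now, b"0000", b"1234")  # constructed wrong guess vs real PIN
        guesses += 1
    return guesses


if __name__ == "__main__":
    print("guesses possible in 24 h:", guesses_in_window(24 * 60 * 60))
    print("guesses possible in 7 d :", guesses_in_window(7 * 24 * 60 * 60))
```

With these parameters an attacker who keeps a machine powered on gets 32 guesses up front and then one every two hours, which is why a short numeric PIN on a TPM-backed credential is still acceptable. Note that once the counter is full even the correct PIN is refused until an interval passes or an administrator holding lockoutAuth resets it.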
Okay, let's dive into the TPM 2.0 implementation project...
A military prime integrator approached Trenton Systems about designing a low-cost add-on board that would enable TPM 2.0 on the MCXT processor board, which Trenton Systems released over a decade ago.
This would not only meet the DoD security requirement, it would likely double the lifespan of these old (yet fully functional) processor boards and save up to $10M in hardware costs (testing, labor, NRE, installation, etc.).
So, we took an existing product and modified it to fit the customer's needs. Take a look at the mechanical connector diagram:
Our military prime customer will be able to plug the new IOBTPM2 into their board and have full TPM 2.0 access on existing hardware that's been in service for over a decade!
The customer saved close to $10M and will receive their final product ahead of schedule.