[SOLVED] Is TPM only a plug-in or can it be installed in a motherboard in some other way?

[johnhawk]

Looking at Asus motherboards, who said that all their new products were Win 11 ready, I noticed that the cheaper ones all had the socket for plugging in TPM modules. However the pricier workstation boards seemed to lack the socket (I checked their manuals carefully to make sure) so is it possible for manufacturers to install TPM in, say, the chipset or something else? Do they?

 

[drea.drechsler]

That's about what I was expecting to hear: it just seems to me peculiar that makers still use a socket to provide a TPM, when it is surely easier to do it in the software.
...

It may be you're wondering...as have I...why they'd use a socketed TPM device if CPU's all have built-in devices these days. I think it's for ease of decommissioning a computer after it's service life is up.

As I understand it the TPM is used for device attestation purposes: it attests that the machine is running un-altered software on un-altered hardware and operated by a user using a valid PIN, password, bio-metric, whatever. It also holds the keys for accessing BitLocker encrypted drives. It makes sense that attestation would be required by the security policy before allowing a machine on a corporate network both locally and especially remotely. It will be done at every bootup, before accessing the network and interactively whenever accessing areas with increased sensitivity. The TPM holds all the keys or hashes or whatever in a highly secure way and updates them interactively whenever an administrator makes approved changes to the machine.

Apparently, that all works the exact same whether a discrete TPM or fTPM. So it seems to me a discrete TPM becomes invaluable when it's time to decommission a system since you'd want all that removed from the machine to resell it. Removing a CPU destroys it's value...removing a discrete, socketed TPM doesn't. It can be easily done by unskilled IT helpers and takes a lot less time than clearing TPM storage since it doesn't need to power up the machine. You might even leave the drives if you use and trust the bitlocker encryption, further increasing value of the used systems. And lastly: it also makes easy auditing before the truck rolls out with the old systems: 50 systems going to auction, 50 TPM keys in hand with matching property tags.

 

[drea.drechsler]

Looking at Asus motherboards, who said that all their new products were Win 11 ready, I noticed that the cheaper ones all had the socket for plugging in TPM modules. However the pricier workstation boards seemed to lack the socket (I checked their manuals carefully to make sure) so is it possible for manufacturers to install TPM in, say, the chipset or something else? Do they?

TPM's, aka "security processor", are built in with most if not all modern CPU's so a TPM socket really isn't required at all.

The only reason I could guess why they come mainly on low-end boards is those are more likely to be used in systems a business would buy and that might also require removeable TPM modules to be compliant with their IT security plan.

 

[johnhawk]

That's about what I was expecting to hear: it just seems to me peculiar that makers still use a socket to provide a TPM, when it is surely easier to do it in the software.
Thanks for replying.

 

[drea.drechsler]

That's about what I was expecting to hear: it just seems to me peculiar that makers still use a socket to provide a TPM, when it is surely easier to do it in the software.
Thanks for replying.

To be clear, the TPM's built into the CPU's are hardware, not software. If the CPU is removed all security keys retained in it are lost, the same as removing a discrete TPM module. In so far as I can tell the only practical difference between them is in the ease of removal.

I've read there is such a thing as a software TPM but I'm not sure if it's a viable solution for Windows 11. All I've seen suggests their purpose is for TPM emulation in VM's for software development and debugging or for machines completely lacking any TPM.

 

[johnhawk]

Thanks for making that clear - I didn't realise the TPM was a hardware feature of the CPU.

 

[Colif]

ftpm, on AMD, is handled by the platform security processor that has been all Ryzen CPU for a few generations now. It is an ARM core that boots up before the actual CPU and creates the secure environment that tpm runs in. It is completely seperate to the normal cores on the CPU

I am not aware of how intel does PTT though.

There are 2 main types of TPM, Discrete and Firmware.
Discrete is an actual chip on the motherboard
Firmware is built into your CPU so no chip required
AMD refer to fTPM by its proper name while Intel 's name for fTPM is Platform Trust Technology

Info - Win 11 Requirements and what you can do to resolve problems

Windows 11 requirements needed to Install Basic Essentials CPU - Dual core or better at 1ghz or faster, 64bit processor RAM - 4gb Storage - 64gb or more GPU - DX 12 capable Display Over 9" with 720p Extra essentials Secure Boot UEFI boot method Trusted Platform Module 2 Certain Intel & AMD...

forums.tomshardware.com

I should have added software but its not really used by WIn 11, it has discrete or Firmware as choices.

 

[drea.drechsler]

That's about what I was expecting to hear: it just seems to me peculiar that makers still use a socket to provide a TPM, when it is surely easier to do it in the software.
...

It may be you're wondering...as have I...why they'd use a socketed TPM device if CPU's all have built-in devices these days. I think it's for ease of decommissioning a computer after it's service life is up.

As I understand it the TPM is used for device attestation purposes: it attests that the machine is running un-altered software on un-altered hardware and operated by a user using a valid PIN, password, bio-metric, whatever. It also holds the keys for accessing BitLocker encrypted drives. It makes sense that attestation would be required by the security policy before allowing a machine on a corporate network both locally and especially remotely. It will be done at every bootup, before accessing the network and interactively whenever accessing areas with increased sensitivity. The TPM holds all the keys or hashes or whatever in a highly secure way and updates them interactively whenever an administrator makes approved changes to the machine.

Apparently, that all works the exact same whether a discrete TPM or fTPM. So it seems to me a discrete TPM becomes invaluable when it's time to decommission a system since you'd want all that removed from the machine to resell it. Removing a CPU destroys it's value...removing a discrete, socketed TPM doesn't. It can be easily done by unskilled IT helpers and takes a lot less time than clearing TPM storage since it doesn't need to power up the machine. You might even leave the drives if you use and trust the bitlocker encryption, further increasing value of the used systems. And lastly: it also makes easy auditing before the truck rolls out with the old systems: 50 systems going to auction, 50 TPM keys in hand with matching property tags.

 

[johnhawk]

I think that clears up the matter, so thanks to both of you for replying.