
Firmware TPM vs Hardware TPM

FreZZ7

Hello guys,

Does anyone have a chart that describes the differences between an fTPM vs a dedicated TPM (not how it works but what you can do/what problems could occur)? Once I saw a list like: with this you can change the CPU, with this you have a problem if you want to change your MB, and so on. Sadly I can't find it again. Sorry for this easy question but all I find on the web is about Windows 11 and the TPM requirement and not whether you should choose an fTPM or a hardware one and why.

Thanks for the help


5 hours ago, FreZZ7 said:

Hello guys,

Does anyone have a chart that describes the differences between an fTPM vs a dedicated TPM (not how it works but what you can do/what problems could occur)? Once I saw a list like: with this you can change the CPU, with this you have a problem if you want to change your MB, and so on. Sadly I can't find it again. Sorry for this easy question but all I find on the web is about Windows 11 and the TPM requirement and not whether you should choose an fTPM or a hardware one and why.

Thanks for the help

I don't have a table.

 

But I'll keep it short:

Summary:

Run down:

  • Dedicated TPM consumes more power than an fTPM solution (at least on paper; if there is a screw up by a CPU manufacturer, then that is a different story). In addition, it takes more space on the PCB (an issue for tablets, phones, and laptops where space is at a premium). While a TPM chip consumes little power, you are still powering additional hardware on the system which can affect battery life, especially on compact devices where the battery needs to be small.

  • Dedicated TPM is certified by the motherboard manufacturer (make that OEM manufacturer for pre-builts). fTPM is certified by the CPU manufacturer.

  • If a security issue has been discovered on the fTPM side, it requires motherboard manufacturer support for making and releasing a BIOS/UEFI update with the updated CPU microcode by AMD/Intel, and may require user intervention to update the system BIOS/UEFI to get that new microcode with the security fix. This makes keeping devices up-to-date very difficult, let alone for the mass number of users who aren't following tech news.

  • As you mentioned, a dedicated TPM chip allows CPU swapping on the desktop/server side without worrying about anything using the TPM chip. That said, CPU failure or even upgrade is actually rare. On the consumer end, you just need to make sure you have your BitLocker encryption key (stored in your MS account profile, and it can be recovered from another PC by just going to account.microsoft.com, logging in and going to devices) if you use this feature (disabled by default, only available on Pro and up), and make sure you enable password login (beside PIN) if you use Windows Hello. That said, TPM could be used to validate the UEFI of the system, so replacing either, dedicated or not, might be a problem.

  • If the dedicated TPM is soldered on the motherboard, then a board replacement will cause the same issue as noted above, and precautions before board swapping would be needed.

  • As for which is more secure... a dedicated fTPM is said to be "more secure" in the sense that the firmware can't be updated, as it has none. That said, fTPM can't be listened to by poking the chip, its connector (if removable) or simply poking the PCB traces, as it isn't really a chip and is mostly a "software" solution in the CPU. No proof exists that would indicate that one is more secure than the other.

  • A dedicated TPM doesn't consume CPU to maintain the TPM feature. Normally, there is no visible performance hit as it is so minimal (TPM is very simple to do for a CPU; even an entry level Celeron grade CPU should show no performance differences). However, it has been found that fTPM on the AMD side, on SOME motherboards, causes notable performance issues. Some managed to deliver an update to fix it, others don't seem to care to issue a fix, it seems. I don't know what is going on in the back to cause this. AMD has no statement, motherboard manufacturers give no statements either (they might not have the know-how to actually fix the problem, that is a possibility). The OS installed doesn't matter. It affects all OSs, Windows as well as Linux based OSs, the moment it is enabled. The lucky ones who have boards that face the issue and have a connector for a dedicated TPM chip can go that route to solve the problem. This highlights the support issue highlighted previously.

  • Dedicated TPM has an additional cost (the chip and the engineering required to implement the chip).

This is where Microsoft Pluton chip comes in to help on some front, being a dedicated chip that is integrated in the CPU.

  • Its firmware is maintained by Microsoft and updatable via Windows Update (probably Win11). This solves the problem with motherboard manufacturers and OEMs who offer only limited support after the product is released.
  • This also means that AMD/Intel/Qualcomm/MediaTek don't need to worry about it.
  • Being a separate chip in the CPU, it is essentially a "drop-in" solution for CPU manufacturers. There is still work, of course, hence the quotes on the word drop-in, as it has requirements and needs to communicate with the CPU, but much less work.
  • Can emulate a TPM chip for compatibility purposes with older OSs or different OSs (should be an option in the UEFI, if the OEM or motherboard manufacturer chooses to provide it)

At the moment we don't know if Linux support is a thing for Microsoft Pluton. In the short term, probably would need to go in the UEFI and set the Pluton chip to act as a TPM chip, to have this feature working.

 

Is there a competitor to Microsoft Pluton? Kinda, yes: OpenTitan, backed by Google, Western Digital, Seagate, Nuvoton, Winbond, lowRISC, ETHz and GD. It aims to be an open source solution, but aims more to be a replacement for the dedicated TPM rather than anything else, at least so far.

 

 


I'm now realising I should have provided more context. Usually I don't like it/hate it when I search for stuff and forums/questions are for specific cases and not general stuff, so you can apply it to your own case.
First of all thanks so much for the detailed answer! Some explanations were "unnecessary" because I already know it, but I still appreciate it. How can you know what I know/don't know.

So I'll describe my whole plan.

Explanation:
1) I'm on unactivated Windows 10 atm. I have 1 SSD boot drive ("A"). I bought 2 new SSDs -> "B", an NVMe that will become my boot drive, and "C", same model as "A", that will become a RAID 1 on my Pi NAS.
2) Additionally, CPU and GPU upgrades are already planned but not fixed on a certain date. Right now I've got a Ryzen 1600 and I might change to a 3800X (brother might ditch it) or I'll go for a Zen 3 CPU. (My motherboard is compatible; might need a BIOS update if I go for something like a 5800X3D -> in case you don't trust my research: https://www.gigabyte.com/Motherboard/B450M-DS3H-V2-rev-1x/support#support-cpu) -> little side question there: I heard that due to the limited storage of the motherboard itself some can support only a limited number of CPU generations at the same time/with one BIOS, and if you get a too new BIOS you might lose compatibility for an old generation. Is that true? Does anyone know if that's the case for mine? For me it looks like no, but I'm not sure...
Before anyone says "you should not try to time your purchase of a new CPU/don't hold on": I don't need a new CPU right now. I don't expect to "need" it in the short term as well. There are 3 reasons I'm planning it: 1. Eventually, if enough time passes, I need/benefit from a new CPU. 2. An APU would be nice to have as a backup in case something is wrong with my GPU (pls no comments on APU worse value or something like this). 3. My current CPU was/is second hand; generally I don't have a problem with it, but I already had one of my CPUs actually die on me because it was VERY old^^. My 1600 could already be 5 years old and it would be very unlucky and unfortunate if it breaks, and a new CPU isn't too expensive, so it would be nice to prevent this prior to that. Last time my CPU died from one day to another and it really disrupted my life because I require a PC every day and I hadn't a PC for ~5 days :/. Nowadays I could handle such a thing better, so the "risk reward" (of not wasting money on a new CPU before I need it/it's super affordable) is calculable.
3) Additionally to all the hardware changes that are predictable, I have 2 brothers and we exchange hardware from time to time in case it makes sense as well.

4) As far as my understanding goes, Windows activation doesn't like it too much if you exchange hardware too often, so I try to keep it to a minimum amount.

5) I want to go Win 11 (even though it isn't perfect/necessary for Ryzen CPUs) because of the features (like FancyZones natively implemented, better multi-monitor support and some other stuff) and right now is a good moment for me to change operating systems because I need to change drives anyway because of the NAS.

6) My current operating drive ("A") should become, with the new same-model drive ("C"), my mirror/RAID 1 drive of my Pi NAS, while the NVMe drive ("B") I bought becomes my new drive with the operating system.

7) I don't know if I want/can use a TPM because I'm on an unsupported CPU (Ryzen 1600). I don't know if it works with the order I have planned to do things. Usually I would say I don't really need a TPM/the security features. I have not planned on using BitLocker or anything, but as Linus said "free/more security is always better". I'm not quite there on how exactly the TPM secures the operating system itself. That's what makes me unsure about the plan. Because I would like to have the TPM protecting my operating system, but at the same moment I wonder if I can enable it with the order I have planned to make the transition from the current operating drive to the new drive. I'm pretty sure I won't make it in one go and will split the work over several days while I still need my old setup to work.

Timeline:

1) I disconnect all the drives from my PC, do a BIOS update, connect only the NVMe ("B") drive and install Win 11 on it (can you install Windows 11 without an activation key at first as well?). I want to use it with the "RAID" protocol (mainly because who knows what ideas come to my mind; am I right that I need to download the RAID drivers from the MB onto a USB stick and install them along with it/at the same moment I install Win 11?).

Due to the fact I don't know in how many days I'll do all of that, I want to be able to swap back to my "old" setup. Can I just disconnect the NVMe ("B") drive, connect my old drives ("A"), change the protocol back to AHCI (if I'm not mistaken I can choose the protocol of the NVMe interface on my motherboard independently of the protocol of my SATA interface) and use my PC? Once I tried playing around with RAID and stuff and it completely ripped my PC/boot drive even though I swapped everything back to the old configuration of the motherboard (nowadays I think I know what went wrong).

2) Transfer all the data of my old operating drive ("A") to my new operating drive ("B") temporarily.

3) Create the NAS/RAID with my old operating drive ("A") and the other newly acquired drive of the same model ("C").

4) Transfer back the backed-up data from my new operating drive ("B") to the NAS.



 


8 hours ago, FreZZ7 said:

little side question there: I heard that due to the limited storage of the motherboard itself some can support only a limited number of CPU generations at the same time/with one BIOS, and if you get a too new BIOS you might lose compatibility for an old generation. Is that true?

It depends on the motherboard. Typically they use 16 MB chips for the BIOS/UEFI.

16MB chips are widely used for motherboard and many other applications, so the chip is really inexpensive, hence why it is being used.

In the motherboard space, considering that Intel tend to require often motherboard replacement due to frequent socket changes, 16MB has never been an issue.

 

AMD and its long-standing AM4 socket is unique for motherboard manufacturers. They never expected AMD to actually follow through, or have other requirements that would cause issues with current boards, or just not have that many CPUs per generation. I am not sure if they now use 32MB memory chips these days, at least on the premium motherboards, or not. Also, keep in mind that UEFI has lots of graphics, and those are compressed and stored in that same 16MB space. Some motherboard manufacturers drop fewer older CPUs, in exchange for no longer having the 'pretty' UEFI interface, and revert back to the imageless one of the olden days that we often associate with the "old BIOS look".

 

What CPU will be dropped for this new CPU support (if required), we don't know.

 

8 hours ago, FreZZ7 said:

4) As far as my understanding goes, Windows activation doesn't like it too much if you exchange hardware too often, so I try to keep it to a minimum amount.

Windows 10 and 11 have no problems with hardware changes. The issue comes with driver conflicts. That is up to you to ensure that you remove old drivers properly to ensure proper system operation. "Clean install" is often suggested as it is a simple, sure way to ensure that there is no problem. This is more the community trying to be the most helpful (while it might look like it), so that the user has a more assured good experience out of their system. Also, as the community in general doesn't know the exact history of the system (did it get any virus? was a tweak tool installed? Is it using pirated software which might do other things on the system? was a registry cleaner used, etc.), it is hard to predict anything and difficult to assist one online if issues come up. That is all.

Also, as driver uninstallers (and uninstallers in general for the majority of software) tend to be crappy at... uninstalling (basically not much care is put into them), ensuring complete, proper removal can be difficult, and might require manual intervention to remove the rest. So again, clean install is recommended as it is just easier. Also, in a way, it forces users to do backups, which is always nice to do.

 

8 hours ago, FreZZ7 said:

6) My current operating drive ("A") should become, with the new same-model drive ("C"), my mirror/RAID 1 drive of my Pi NAS, while the NVMe drive ("B") I bought becomes my new drive with the operating system.

The partition that Windows is installed on will always identify itself as C:\ drive by default.

Drive letters are a Windows specific thing (well, ok: DOS too, technically) to simplify the user experience in interacting with the system.

There is a good chance that the drive letters will be reordered. They can be changed via Disk Management utility once Windows is installed. Do so before installing any programs or changing folder links to other drives.

 

8 hours ago, FreZZ7 said:

7) I don't know if I want/can use a TPM because I'm on an unsupported CPU (Ryzen 1600). I don't know if it works with the order I have planned to do things. Usually I would say I don't really need a TPM/the security features.

Windows 11 requires TPM 2.0.

While there are workarounds, it is something you'll fight with every Windows 11 build release.

As posted in the link in my last post (scroll down to the table) TPM enhances security of Windows 10/11 when enabled. Microsoft wants all its system to get those security benefits for Windows 11.

 

As for the CPU not being supported, Windows 11 will install (assuming you have TPM 2.0); you'll just have a warning (if you upgrade from 10 to 11) that you get what you get. Microsoft offers you no support, and no guarantee that you would have access to all updates including security ones. Basically, engineers will no longer consider non-supported CPUs. They won't be tested either. So if you have BSODs, or issues, you are on your own. Security fixes in the future might use CPU features that your current CPU doesn't support, and that might be a problem for the OS to work, and so, you won't be able to get it. It has yet to happen; it might never happen. Microsoft is just keeping the door open for itself. That is all.

 

8 hours ago, FreZZ7 said:

I have not planned on using BitLocker or anything, but as Linus said "free/more security is always better".

BitLocker is more for if having your computer stolen while it contains sensitive info is an issue. For example, a work laptop. This is something that can be stolen from you in various ways.

Your desktop PC might be stolen, if the crime rate in your area might be an issue in this regard. Or it contains sensitive information that you are responsible for, and all precautions need to be taken.

 

8 hours ago, FreZZ7 said:

I'm not quite there on how exactly the TPM secures the operating system itself.

It is mentioned in the doc I linked. There are a variety of features, like Windows Hello, which, while it works without TPM, will be enhanced in its security with TPM.

 

8 hours ago, FreZZ7 said:

1) I disconnect all the drives from my PC, do a BIOS update, connect only the NVMe ("B") drive and install Win 11 on it (can you install Windows 11 without an activation key at first as well?).

There is no drive letter in the Windows Setup screen. You have drive IDs and partition IDs only. Once you start Windows 11, your "B" drive will be "C"; any additional drives added will go "up" a letter in the alphabet. So assuming you don't have an optical drive or card reader, and each drive has 1 partition, your second drive will be labelled D:, then the following one will be E, and so on. As mentioned, these can be changed in the Disk Management utility of Windows.

 

8 hours ago, FreZZ7 said:

I want to use it with the "RAID" protocol (mainly because who knows what ideas come to my mind; am I right that I need to download the RAID drivers from the MB onto a USB stick and install them along with it/at the same moment I install Win 11?).

If you are on a RAID environment you may need the RAID controller drivers to detect those drives when you install Windows 11 if they don't show up on the drive/partition you want Windows to be installed on. If you plan to have your NVMe drive to have Windows, and not be in a RAID config, and your RAID is for, say, your data drives which is separate, then you are fine to install those drivers after Windows 11 is installed.

 

8 hours ago, FreZZ7 said:

Due to the fact I don't know in how many days I'll do all of that, I want to be able to swap back to my "old" setup. Can I just disconnect the NVMe ("B") drive, connect my old drives ("A"), change the protocol back to AHCI (if I'm not mistaken I can choose the protocol of the NVMe interface on my motherboard independently of the protocol of my SATA interface) and use my PC?

To my knowledge, you cannot switch between a RAID configuration and out as you please. But I am not a storage expert. This is a question that should be asked in the Storage forum section. Ignoring RAID, yes you can switch drives to switch OS that way. Or change the boot order, or have both the NVMe drive and your SATA drive connected, and install Windows 11 on your NVMe, and that should make Windows Setup detect your SATA Windows 10 install, and generate a dual boot menu selection screen when you start your computer. You can also play with your motherboard boot order menu as another choice. Many ways to do things as you can see.

 

8 hours ago, FreZZ7 said:

Once I tried playing around with RAID and stuff and it completely ripped my PC/boot drive even though I swapped everything back to the old configuration of the motherboard (nowadays I think I know what went wrong).

2) Transfer all the data of my old operating drive ("A") to my new operating drive ("B") temporarily.

3) Create the NAS/RAID with my old operating drive ("A") and the other newly acquired drive of the same model ("C").

4) Transfer back the backed-up data from my new operating drive ("B") to the NAS.

That question is for the Storage forum section. I don't want to provide false or incomplete information.


Okay sorry guys, I'm really not good at asking questions in a forum. I realised the thing I actually want to know is: Which hardware components can/can't I swap with a firmware/hardware TPM? Is there something to do before I do it (like transfer a key or something) or is it "plug and play"? My main focus is about 1. changing the CPU in case of upgrade 2. changing the motherboard in case of failure 3. change of storage because of reasons xd.
Thanks for any advice 😄


The big one is BitLocker on Windows - which is non-transferrable, I believe, but you can disable it, swap, re-enable it.


4 hours ago, SydneyBrokeIt said:

The big one is BitLocker on Windows - which is non-transferrable, I believe, but you can disable it, swap, re-enable it.

My question is which hardware component I can/can't exchange, not which features I can use.
Do I understand it correctly that you mean I can exchange storage but only if I disable BitLocker prior to the storage exchange?

 


2 minutes ago, FreZZ7 said:

My question is which hardware component I can/can't exchange, not which features I can use.
Do I understand it correctly that you mean I can exchange storage but only if I disable BitLocker prior to the storage exchange?

 

It depends on what you are using TPM for, and which type of chip it is (dedicated TPM or fTPM/Pluton)


Dedicated removable chip:

  • A software using TPM for encryption such as Windows BitLocker:
    • You can change anything beside:
      • Drive that is being encrypted, assuming you care about the data (you can put the drive back, if you want to decrypt it back)
      • TPM chip (obviously, as it has the key to decrypt)

Dedicated soldered on chip:

  • A software using TPM for encryption such as Windows BitLocker:
    • You can change anything beside:
      • Drive that is being encrypted, assuming you care about the data (you can put the drive back, if you want to decrypt it back)
      • Motherboard (as it has the TPM chip soldered to it)

fTPM/Pluton chip:

  • A software using TPM for encryption such as Windows BitLocker:
    • You can change anything beside:
      • Drive that is being encrypted, assuming you care about the data (you can put the drive back, if you want to decrypt it back)
      • Changing the CPU

Keep in mind that for OEMs, things are more complicated, as they may use TPM / fTPM / Pluton to lock the UEFI/BIOS as a type of digital signature (it can be upgraded but has a process that needs to be followed. This is to avoid malware taking advantage of a possible security leak and embedding malware in the UEFI/BIOS chip), and again, things change, all based on the OEM implementation. That said, typically, we are talking about OEM workstations and servers, so usually you'll be dealing with it through the OEM warranty. I mean, you would be in a company as IT, dealing with this, and considering that some servers can easily cost 20k, probably you, as a buyer, would pony up for the 5+ year warranty for a few bucks (in comparison) more. Companies tend to get the max and extended support afterwards. So IT tends to not have anything directly to really worry about.

 

 


I forgot to mention, you can clear the TPM key(s) stored in itself. Doing so will make whatever TPM has been used for no longer work.

So for example, if you used Windows Hello, and you clear the keys, then you won't be able to login to your system anymore.

 

If you used BitLocker, then your data is considered gone. The encryption is too strong to decrypt it. Now, for this particular case, there is a key being backed up automatically to your Microsoft linked account (if you are using it), and that key can be used to recover the data... yes, it is seen as a security weakness, as, well, it is... but BitLocker isn't aimed at government, highly sensitive information type things. It is just so that, if you are at a coffee shop, and your laptop is stolen, your data can't be extracted (unless your password of the system is weak, or you have auto-login or no password... obviously), type of situation.

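A pre-swap checklist for the cases GoodBytes lays out in the solution post and the follow-up about the recovery key, as an added PowerShell example (it is not code from any post in this thread): it reads the TPM vendor id to tell a firmware TPM from a dedicated one, lists which BitLocker volumes are sealed to that TPM and whether a recovery password exists, and optionally suspends BitLocker for the disable/swap/re-enable step SydneyBrokeIt mentions. The function and parameter names are this example's own; it assumes Windows 10/11 Pro or higher, run as administrator.

```powershell
#Requires -RunAsAdministrator
# Pre-swap BitLocker/TPM checklist (added example; not from this thread).
# Assumes Windows 10/11 Pro or higher with the TrustedPlatformModule and
# BitLocker modules. Parameter names and the two functions are this example's own.
param(
    [string[]]$MountPoints = @('C:'),
    [string]$KeyBackupPath = '',   # e.g. a file on a USB stick; empty = only print
    [switch]$Suspend               # actually suspend protection on TPM-bound volumes
)

function Get-TpmKind {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { return 'no TPM present' }
    # ManufacturerIdTxt is the 4-character TCG vendor id. 'AMD' and 'INTC' identify a
    # firmware TPM; anything else (IFX, NTC, STM, ...) is treated here as a discrete
    # chip or header module. This vendor mapping is an assumption of the example.
    $vendor = $tpm.ManufacturerIdTxt.Trim()
    if ($vendor -in @('AMD', 'INTC')) {
        return "firmware TPM ($vendor): keys live in the platform, not in a removable module"
    }
    return "dedicated TPM ($vendor): keys live in the chip or header module"
}

function Get-BitLockerSwapRisk {
    param([string[]]$MountPoints)
    foreach ($mp in $MountPoints) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey protectors are all sealed to this TPM
        $tpmProt  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint        = $mp
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            TpmBound          = ($tpmProt.Count -gt 0)
            RecoveryPasswords = @($recovery | ForEach-Object { $_.RecoveryPassword })
        }
    }
}

Write-Host "TPM: $(Get-TpmKind)"
$risks = Get-BitLockerSwapRisk -MountPoints $MountPoints
$risks | Format-Table MountPoint, VolumeStatus, ProtectionStatus, TpmBound | Out-Host

foreach ($r in $risks) {
    if ($r.ProtectionStatus -ne 'On' -or -not $r.TpmBound) {
        Write-Host "$($r.MountPoint): not sealed to the TPM; a CPU/board/TPM swap needs no BitLocker step"
        continue
    }
    if ($r.RecoveryPasswords.Count -eq 0) {
        # If the TPM unseal fails on the new hardware, the recovery password is the only way back in
        Write-Warning "$($r.MountPoint): TPM-bound but has no recovery password protector; add one first"
        continue
    }
    Write-Host "$($r.MountPoint): recovery password(s): $($r.RecoveryPasswords -join ', ')"
    if ($KeyBackupPath) {
        # Keep this copy off the machine being worked on (the 'transfer a key' step asked about above)
        "$($r.MountPoint) $($r.RecoveryPasswords -join ', ')" |
            Out-File -FilePath $KeyBackupPath -Append -Encoding utf8
    }
    if ($Suspend) {
        # RebootCount 0 keeps protection suspended across reboots until Resume-BitLocker is run
        Suspend-BitLocker -MountPoint $r.MountPoint -RebootCount 0 | Out-Null
        Write-Host "$($r.MountPoint): BitLocker suspended; run Resume-BitLocker -MountPoint $($r.MountPoint) after the swap"
    }
}
```

Run it with `-Suspend -KeyBackupPath E:\keys.txt` before the hardware change, then `Resume-BitLocker -MountPoint C:` once the new hardware boots and the volume unlocks normally.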

To confirm I understood everything correctly I have some further questions:

 

On 3/13/2022 at 6:24 PM, GoodBytes said:

Dedicated removable chip:

You mean the TPM module that gets plugged into the TPM header of the motherboard, right?

On 3/13/2022 at 6:24 PM, GoodBytes said:
  • You can change anything beside
    • You can change anything beside
      • You can change anything beside:

So I can even change the drive with the OS installed as long as it isn't encrypted?

On 3/13/2022 at 6:24 PM, GoodBytes said:

Changing the CPU

3. So with an fTPM/Pluton chip, no matter what I do, if the motherboard recognizes a different CPU it refuses to work? What would happen if I install the CPU in a different motherboard? Does the CPU refuse to work in a foreign motherboard then?

 

 

Additionally:

4. Is there any benefit whatsoever if I "don't use the TPM for anything (manually)"? I think I remember something like certificate recognition from websites/drivers but I could be completely wrong on that.

 

[Secure Boot

First seen in Windows 8, UEFI’s Secure Boot is familiar to those responsible for a Windows client environment. Secure Boot is used to verify that the bootloaders for the OS are trusted, and not compromised by something like a bootkit.  Another capability, Trusted Boot, also protects start-up by continuing integrity checks for system files and drivers, the kernel, and Early Launch Anti-Malware (ELAM), then sending results to the TPM.]

-> So this also works even if the drive with the OS on it isn't encrypted? Can I still put the drive in another PC to read out the data and I just get a warning that the PC isn't trusted?


On 3/17/2022 at 6:47 AM, FreZZ7 said:

You mean the TPM module that gets plugged into the TPM header of the motherboard, right?

Yes

On 3/17/2022 at 6:47 AM, FreZZ7 said:

So I can even change the drive with the OS installed as long as it isn't encrypted?

Correct

 

On 3/17/2022 at 6:47 AM, FreZZ7 said:

3. So with an fTPM/Pluton chip, no matter what I do, if the motherboard recognizes a different CPU it refuses to work? What would happen if I install the CPU in a different motherboard? Does the CPU refuse to work in a foreign motherboard then?

I don't know. I don't have the hardware to test it.

 

 

On 3/17/2022 at 6:47 AM, FreZZ7 said:

Additionally:

4. Is there any benefit whatsoever if I "don't use the TPM for anything (manually)"? I think I remember something like certificate recognition from websites/drivers but I could be completely wrong on that.

TPM will be used automatically by Windows Hello feature set, under Windows 11.

Windows 10 will use TPM for "Windows Hello Business" (basically, in a company environment with domain joined system).

 

On 3/17/2022 at 6:47 AM, FreZZ7 said:

[Secure Boot

First seen in Windows 8, UEFI’s Secure Boot is familiar to those responsible for a Windows client environment. Secure Boot is used to verify that the bootloaders for the OS are trusted, and not compromised by something like a bootkit.  Another capability, Trusted Boot, also protects start-up by continuing integrity checks for system files and drivers, the kernel, and Early Launch Anti-Malware (ELAM), then sending results to the TPM.]

-> So this also works even if the drive with the OS on it isn't encrypted? Can I still put the drive in another PC to read out the data and I just get a warning that the PC isn't trusted?

Yes that is correct.

Note: Secure Boot isn't a Windows feature. It is a UEFI feature.
Windows 8 is just the first version of Windows that supports it (among all the other UEFI feature set).


I'm just now realising that I could install Windows 11 without TPM and maybe just enable it later, am I right?
 


2 weeks later...

Even dedicated TPM modules are heavily supported by software; your CPU usually has a separate ARM core that acts as a security processor (PSP on AMD and ME on Intel), and that processor is constantly running a program that's helping the hardware TPM work.
