New TPM specification redefines firmware security for connected devices

December 2024 by Marc Jacob

Manufacturers attach a Trusted Platform Module (TPM) onto a device to help users and administrators authenticate its identity, to generate and store encryption keys and to ensure platform integrity. Before the TPM specification was updated, users and administrators could only assume the TPM was working correctly because there was no way to cryptographically prove whether it was running an expected version of firmware. Now users and administrators have the means to cryptographically verify whether the firmware is as expected, and ensure data can be protected in any instances where it is not.

If a bug is found in a TPM implementation, the TPM may need to be patched. To do this, system administrators need to deploy the updated TPM firmware to all the affected endpoints. In some environments, system administrators would like cryptographic evidence that the update was actually received and installed successfully by the TPM.

The new specification strengthens the TPM’s ability to report such cryptographic evidence, by introducing a new feature: Firmware-Limited Objects. These objects allow TPM keys (such as the Endorsement Key, or EK) to be cryptographically (and certifiably) bound to a particular version of the TPM’s firmware. A firmware-limited TPM key is not accessible to the same TPM running a different version of the firmware. Therefore, a system administrator can use a certified firmware-limited EK to remotely check that their TPM is running the firmware version they expect.
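The binding described above, modelled as an added example (not code from the specification or from any TPM vendor): a toy TPM derives its firmware-limited EK from the endorsement primary seed together with the identity of the running firmware, and a remote verifier runs a credential-activation style challenge against the EK public value the manufacturer certified for the expected firmware. The Diffie-Hellman group, KDF labels, firmware strings and seed are constructed for illustration; a real TPM uses RSA or ECC keys and the specification's own key-derivation functions.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for illustration only: M127 is far too small
# for real use, and a real TPM EK is an RSA or ECC key.
P = (1 << 127) - 1
G = 3

def kdf(*parts: bytes) -> bytes:
    """SHA-256 KDF with length-prefixed, domain-separated inputs (illustrative)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

class ToyTPM:
    """Model of a TPM whose firmware-limited EK depends on the running firmware."""
    def __init__(self, endorsement_seed: bytes, firmware: str):
        self.seed = endorsement_seed
        self.firmware = firmware

    def fw_limited_ek_private(self) -> int:
        # Seed AND firmware identity feed the key: other firmware on the same chip
        # derives a different key, so the firmware-limited EK is unusable there.
        raw = kdf(b"FW-LIMITED-EK", self.seed, self.firmware.encode())
        return int.from_bytes(raw, "big") % (P - 1)

    def fw_limited_ek_public(self) -> int:
        return pow(G, self.fw_limited_ek_private(), P)

    def activate_credential(self, ephemeral_pub: int, wrapped: bytes, tag: bytes):
        """Recover a credential wrapped to this EK; None if the EK does not match."""
        shared = pow(ephemeral_pub, self.fw_limited_ek_private(), P).to_bytes(16, "big")
        key = kdf(b"CREDENTIAL", shared)
        if not hmac.compare_digest(hmac.new(key, wrapped, "sha256").digest(), tag):
            return None
        return bytes(a ^ b for a, b in zip(wrapped, kdf(b"STREAM", key)))

def manufacturer_certify(endorsement_seed: bytes, firmware: str) -> int:
    """Stand-in for the EK certificate: the public EK the vendor vouches for per firmware."""
    return ToyTPM(endorsement_seed, firmware).fw_limited_ek_public()

def remote_firmware_check(tpm: ToyTPM, certified_ek_pub: int) -> bool:
    """Verifier side: only a TPM holding the certified EK recovers the credential."""
    credential = secrets.token_bytes(32)
    r = secrets.randbelow(P - 2) + 1
    shared = pow(certified_ek_pub, r, P).to_bytes(16, "big")
    key = kdf(b"CREDENTIAL", shared)
    wrapped = bytes(a ^ b for a, b in zip(credential, kdf(b"STREAM", key)))
    tag = hmac.new(key, wrapped, "sha256").digest()
    return tpm.activate_credential(pow(G, r, P), wrapped, tag) == credential
```

A TPM running the certified firmware recovers the credential; the same chip on any other firmware (or a different chip) derives a different EK and fails the check, which is the evidence the administrator wants after an update.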

The updated specification also gives users further capabilities relating to device security, while providing support for implementations that wish to expand the non-volatile storage capabilities of the TPM using external flash.

Through the new command ‘TPM2_PolicyCapability’, users gain the ability to gate access to a TPM object on the properties the TPM currently reports, while ‘TPM2_PolicyParameters’ makes it easier for users to craft policies that restrict the use of a TPM object to particular commands invoked with particular parameters.
