
Tippecanoe and TPM 2

July 13, 2021
What is the connection between Trusted Platform Module 2.0 and Microsoft Windows 11?

What you’ll learn

  • Who is Tippecanoe?
  • What is a secure element?
  • What is a Trusted Platform Module?
  • What does TPM 2 have to do with Microsoft Windows 11?

If you’re wondering, this article is about Microsoft’s upcoming Windows 11 and its potential requirement for the Trusted Computing Group’s Trusted Platform Module 2.0 (TPM 2.0). Windows 11 is still in a state of flux, which means things may change, but it’s worthwhile talking about TPM 2.0.

The title of this article is a takeoff of “Tippecanoe and Tyler Too,” which was the slogan in the 1840 United States Presidential campaign. Tippecanoe was the nickname for the Whig candidate, William Henry Harrison, the “hero” of Tippecanoe, a battle that occurred in 1811. As noted in more than one article, “Few American political slogans have been such unadulterated demagoguery.”

The use of TPM with Windows 11 may be less controversial, but it’s an issue for many if the requirement holds. Those with newer hardware may not experience any impact, as TPM has been the norm for most laptops and PCs (on Windows, tpm.msc or the PowerShell Get-Tpm cmdlet shows whether one is present and enabled). However, it’s still an option on embedded motherboards.

Windows 10 and earlier versions are used in a significant number of embedded systems, and Windows 11 will be no different. Unlike consumer and enterprise versions, the embedded market tends to have more control over what’s installed, so TPM may or may not be a requirement for embedded systems.

What is TPM 2.0?

TPM 2.0 is a standard from the Trusted Computing Group, also published as ISO/IEC 11889. A TPM is a “secure element”: a secure microcontroller with on-board storage and cryptographic hardware that’s usually protected from physical and electrical tampering. It supports public/private key cryptography, and each chip carries its own unique private key (the endorsement key, in TPM terms, whose public half the manufacturer certifies). That key identifies the individual chip and anchors attestation: the TPM can prove to a remote party that a given measurement or key came from that specific device.

A secure element can be a standalone device; in fact, many are implemented this way. They come with different interfaces. Discrete TPMs for PCs typically plug into a motherboard header over LPC or SPI, which is one way to add TPM 2.0 to a board that shipped without one, should the Windows 11 requirement remain. A USB token with a secure element inside (a FIDO key, for example) is not a substitute: Windows discovers the platform TPM through the system firmware (the ACPI TPM2 table), so a device hanging off the USB bus isn’t seen as the platform’s TPM.

Secure elements also can be incorporated into a larger chip, which is becoming more common; they may be found inside FPGAs, microprocessors, and other devices, too. Keeping the communication between the host and the secure element on-chip rather than on a bus between chips reduces the attack surface, because an attacker with physical access can no longer probe or interpose on that bus. TPM 2.0 in particular is often implemented as a firmware TPM running in the processor’s trusted execution environment (Intel Platform Trust Technology and AMD fTPM are the common ones), which is why many recent PCs already meet the requirement once the feature is enabled in the UEFI setup.

TPM isn’t the only secure element on the market. In fact, secure elements have been around a lot longer than TPM. The main thing that TPM brings to the table is a standard set of features and a standard way of accessing them. This includes functions such as authentication, attestation, and secure key storage. On-chip encryption hardware and a hardware-based random-number generator are usually part of the mix as well.

Many IoT devices pair a secure-element chip with a microcontroller, and simpler secure elements have been built into microcontrollers themselves. Connecting to IoT platforms like Amazon’s AWS and Microsoft’s Azure normally relies on a per-device identity (an X.509 certificate and its private key), and keeping that private key in a secure element is the recommended way to protect it. TPM is often one of the options available to developers; Azure’s device-provisioning service, for instance, accepts TPM-based attestation as an enrollment method.

Secure Elements and Secure Boot

A secure element can serve as a root of trust (RoT), and a RoT is what a secure boot needs. The key used to verify the secure-boot code is stored in the RoT, whether that’s the secure element, one-time-programmable fuses, or the firmware’s protected variable store. This key isn’t the secure element’s private key; it’s the public half of the key pair whose private half signed the boot code, so it has to be protected against modification, not against disclosure. Code that verifies is then allowed to run. A TPM adds a second, complementary function, measured boot: the hash of each stage is recorded (“extended”) into the TPM’s platform configuration registers before the stage runs, producing a tamper-evident record of what actually booted that can later be attested to a remote party or used to gate the release of keys.

A secure-boot system normally starts with a small boot loader and progresses to more complex boot code and device drivers. Each stage carries the key that verifies the next, so these can be digitally signed and verified in turn during the boot process, and the same chain can be extended to verify additions and updates. The chain is only as strong as its first link: if the initial verification key can be replaced, everything downstream verifies against the attacker’s key instead.
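To make the two roles concrete, here is an added example in Go (not code from the article) that simulates a three-stage boot chain. Each stage is signed with a key held by the previous stage, with a root verification key standing in for one burned into ROM or kept by a secure element, and every stage is also measured into a simulated PCR using the TPM’s extend rule (PCR = SHA-256(PCR || digest)). The signature covers the next-stage key as well as the image, so a stage can’t be kept genuine while its successor is re-pointed at an attacker’s key. Ed25519, the SimTPM type and the sample images are the example’s own choices; a real TPM uses its own algorithms and PCR banks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Stage is one link in the boot chain. The signature covers both the image and
// the public key that will verify the next stage, so an attacker cannot keep a
// genuine loader and point it at a key of their own.
type Stage struct {
	Name  string
	Image []byte            // code the previous stage hands control to
	Next  ed25519.PublicKey // verification key for the following stage (nil for the last one)
	Sig   []byte            // Ed25519 signature over stageDigest
}

// stageDigest is the value that is both signed (verified boot) and measured (measured boot).
func stageDigest(s Stage) []byte {
	h := sha256.New()
	h.Write(s.Image)
	h.Write(s.Next)
	return h.Sum(nil)
}

// SimTPM is a stand-in for the measured-boot side of a TPM: a single PCR that
// can only be extended (PCR = SHA-256(PCR || digest)), never written directly.
type SimTPM struct{ PCR [32]byte }

func (t *SimTPM) Extend(digest []byte) {
	t.PCR = sha256.Sum256(append(t.PCR[:], digest...))
}

// VerifyChain boots the chain: every stage is measured into the PCR and then
// checked against the key carried by its predecessor (the root key, which a real
// device keeps in ROM/OTP, for stage 0). Boot halts at the first bad signature.
func VerifyChain(root ed25519.PublicKey, chain []Stage, tpm *SimTPM) error {
	key := root
	for _, s := range chain {
		d := stageDigest(s)
		tpm.Extend(d) // recorded whether or not the check below passes
		if !ed25519.Verify(key, d, s.Sig) {
			return fmt.Errorf("stage %q: signature does not verify, halting boot", s.Name)
		}
		key = s.Next
	}
	return nil
}

// BuildChain signs the given stages in place, generating a fresh key pair per
// link, and returns the root verification key. In production the private keys
// live offline with the vendor, never on the device. (Constructed fixture.)
func BuildChain(stages []Stage) (ed25519.PublicKey, error) {
	rootPub, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	for i := range stages {
		var nextPriv ed25519.PrivateKey
		stages[i].Next = nil
		if i < len(stages)-1 {
			if stages[i].Next, nextPriv, err = ed25519.GenerateKey(rand.Reader); err != nil {
				return nil, err
			}
		}
		stages[i].Sig = ed25519.Sign(signer, stageDigest(stages[i]))
		signer = nextPriv
	}
	return rootPub, nil
}

func main() {
	// Constructed sample images; real ones would be the actual firmware blobs.
	chain := []Stage{
		{Name: "bootloader", Image: []byte("boot code v1")},
		{Name: "kernel", Image: []byte("kernel v5.10")},
		{Name: "drivers", Image: []byte("driver bundle")},
	}
	root, err := BuildChain(chain)
	if err != nil {
		panic(err)
	}
	tpm := &SimTPM{}
	fmt.Println("clean boot:", VerifyChain(root, chain, tpm))
	fmt.Println("PCR:", hex.EncodeToString(tpm.PCR[:]))

	// Tamper with the kernel image: verification fails and the PCR no longer matches.
	chain[1].Image = append(chain[1].Image, []byte(" + rootkit")...)
	tpm = &SimTPM{}
	fmt.Println("tampered boot:", VerifyChain(root, chain, tpm))
	fmt.Println("PCR:", hex.EncodeToString(tpm.PCR[:]))
}
```

Note that the PCR is extended before the signature check: measured boot records what was presented for execution, and a verifier comparing the final PCR against the known-good value catches the change even on a platform whose verified boot was disabled or bypassed.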

Note that secure boot and TPM aren’t paired requirements, although TPM can be used as the secure element for a secure-boot process. On a PC, UEFI Secure Boot keeps its verification keys (the PK, the KEK, and the db allow-list) in firmware variables, so it works without a TPM; the TPM comes in for measured boot and for features such as BitLocker that seal keys to the measured state. I have a motherboard that provides Windows 10 secure boot, but it doesn’t have TPM, or at least the board doesn’t expose it.

Secure Elements and Digital Rights Management

Secure boot is just one use of a secure element. Digital rights management (DRM) is another, and along with system authentication, it’s probably why secure elements are incorporated into a system.

DRM is typically used to restrict the use, modification, and distribution of copyrighted works such as multimedia content (e.g., movies). It also can be applied to music, eBooks, computer programs, and just about any digital content.

A secure element can store keys for individual items, but the storage capacity of most secure elements limits how many keys it can hold. So it’s more common to keep those keys outside the secure element, encrypted and integrity-protected (“sealed”) under a key that never leaves the element. On a measured-boot system the seal can also be bound to the boot measurements, so the element will only release the keys when the system is in the state it was in when they were sealed; a modified blob, or a modified boot chain, is refused before the keys are used.
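The following added example (not the article’s code) shows that pattern in Go, with the sealing done the way a TPM does it: the key store is encrypted and integrity-protected with AES-GCM under a key that exists only inside a simulated element, and a policy digest, standing in for measured-boot PCR values, is bound in as additional authenticated data. The Element type, the sample key store and the boot digests are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedBlob is what is stored outside the element (flash, disk): the content
// keys encrypted under the element's storage key, plus a GCM tag that also
// covers the policy digest the blob was bound to.
type SealedBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Element stands in for the secure element. It exposes Seal and Unseal only;
// the storage key is generated inside and never returned.
type Element struct{ storageKey [32]byte }

func NewElement() (*Element, error) {
	e := &Element{}
	if _, err := rand.Read(e.storageKey[:]); err != nil {
		return nil, err
	}
	return e, nil
}

func (e *Element) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(e.storageKey[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts keyStore and binds it to policyDigest (for example the PCR value
// that measured boot produced) by feeding the digest in as additional
// authenticated data: it is not stored in the blob, so it must be re-presented.
func (e *Element) Seal(keyStore, policyDigest []byte) (*SealedBlob, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedBlob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, keyStore, policyDigest)}, nil
}

// Unseal hands the key store back only if the blob is intact and the caller's
// policy digest matches the one it was sealed under. A tampered blob and a
// different boot state are indistinguishable to the caller, which is the intent.
func (e *Element) Unseal(b *SealedBlob, policyDigest []byte) ([]byte, error) {
	gcm, err := e.aead()
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, policyDigest)
	if err != nil {
		return nil, errors.New("unseal refused: blob modified or boot state differs from sealing time")
	}
	return pt, nil
}

func main() {
	el, err := NewElement()
	if err != nil {
		panic(err)
	}
	// Constructed sample key store: per-title content keys, more entries than a
	// small element would want to keep in its own non-volatile storage.
	keyStore := []byte("movie-0417=2b7e151628aed2a6abf7158809cf4f3c\nebook-1102=603deb1015ca71be2b73aef0857d7781")
	goodBoot := sha256.Sum256([]byte("measurements of the approved boot chain"))
	badBoot := sha256.Sum256([]byte("measurements with a patched bootloader"))

	blob, _ := el.Seal(keyStore, goodBoot[:])
	pt, err := el.Unseal(blob, goodBoot[:])
	fmt.Printf("same boot state: err=%v, store=%q\n", err, pt)

	_, err = el.Unseal(blob, badBoot[:])
	fmt.Println("different boot state:", err)

	blob.Ciphertext[0] ^= 0x01 // flip one bit of the stored blob
	_, err = el.Unseal(blob, goodBoot[:])
	fmt.Println("modified blob:", err)
}
```

Because the policy digest is authenticated data rather than part of the ciphertext, the element never has to store which boot state a blob belongs to; whoever asks for the keys must present the current measurements, and the GCM tag check fails if they differ.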

DRM has been employed to lock down everything from Philips lightbulbs to John Deere tractors. It’s part of the discussion about the right to repair and right to replace devices and software.

Once upon a time, only security experts knew about secure elements. Now the technology is built into everyday devices: every smartphone has one, though most users are unaware of it. TPM and Windows 11 are bringing some of this to light for more people.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as my latest articles on this site that are listed below.


I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 
