For years, the last word in securing personal computers, industrial PCs and servers has been the Trusted Platform Module (TPM) specification. TPM established a set of standards and interfaces that enable system makers to bake their digital bona fides into system hardware.
By employing unique cryptographic keys burned into physical media soldered directly onto the motherboard, TPM creates what is known as the “root of trust.” From that foundation, operating system makers like Microsoft can enable secure, whole-disk encryption to lock up data even if a disk is removed, and enable system checks that verify low-level boot code before allowing it to execute.
This model for system security got a face-lift when Intel introduced the Intel Platform Trust Technology (PTT) architecture, which implements TPM in system firmware. To your operating system and applications, PTT looks and acts like TPM. The difference is, PTT doesn’t require a dedicated processor or memory. Instead, it relies on secure access to the system’s host processor and memory to perform low-level system authentication and verification.
The result: TPM is being deployed on low-power PCs, tablets and other devices that in the past could not bear the additional cost, complexity, power consumption or required physical space that comes with hardware-based TPM.
TPM is currently in version 2.0, and its role has become more vital as cyber threats continue to target the lowest levels of system operation—including the Master Boot Record, system firmware and operating system files—where traditional anti-malware solutions can be vulnerable.
TPM works by storing protected key information in a tamper-proof chip that includes a unique Endorsement Key baked into the silicon at manufacture—like a digital fingerprint—to authenticate host system hardware. A dedicated cryptographic microprocessor processes key data and verifies the integrity of low-level system assets like boot files and system firmware. If a change is detected, TPM prevents the compromised files or software from loading, halting attacks before they can start.
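The integrity check described above (and the disk-encryption use earlier in the article) rests on measured boot: each boot component is hashed into a Platform Configuration Register (PCR) before it runs, and secrets such as a disk key are sealed so they are released only when the PCRs hold the expected values. The following added example, not from the article or from Intel, models that flow in plain Python with no TPM library or hardware involved: the boot images are constructed byte strings, `extend` mirrors the TPM 2.0 extend operation, and `seal`/`unseal` are a simplified stand-in for a PCR policy (the XOR mask is illustrative, not real sealing).

```python
import hashlib
import hmac

# Added example: a stand-alone model of TPM measured boot (PCR extend) and
# PCR-bound sealing. No TPM is accessed; images below are constructed bytes.

PCR_SIZE = 32                      # SHA-256 PCR bank
PCR_INITIAL = b"\x00" * PCR_SIZE   # PCRs reset to zero at power-on

# Constructed sample boot chain (name, image bytes), measured in this order.
BOOT_CHAIN = [
    ("firmware",   b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel",     b"constructed kernel image v1"),
]


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(image)).

    A PCR can only be extended, never written directly, so the final value
    depends on every component and on the order in which they were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(chain):
    """Measure each component before it runs; return final PCR and an event log."""
    pcr = PCR_INITIAL
    log = []
    for name, image in chain:
        pcr = extend(pcr, image)
        log.append({"component": name, "digest": hashlib.sha256(image).hexdigest()})
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone, as a verifier does in attestation."""
    pcr = PCR_INITIAL
    for event in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(event["digest"])).digest()
    return pcr


def seal(secret: bytes, expected_pcr: bytes):
    """Bind a secret (e.g. a disk-encryption key) to an expected PCR value.

    Simplified model of a PCR policy: the blob records the PCR value that must
    be present at unseal time. The XOR mask is illustrative only; a real TPM
    wraps the secret under a key that never leaves the chip.
    """
    mask = hashlib.sha256(b"seal:" + expected_pcr).digest()
    if len(secret) > len(mask):
        raise ValueError("secret too long for this toy mask")
    return {"pcr": expected_pcr, "blob": bytes(a ^ b for a, b in zip(secret, mask))}


def unseal(sealed, current_pcr: bytes):
    """Release the secret only if the measured boot state matches the policy."""
    if not hmac.compare_digest(sealed["pcr"], current_pcr):
        return None                       # boot chain changed: refuse to release the key
    mask = hashlib.sha256(b"seal:" + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], mask))


def tampered_chain():
    """Same chain with one byte of the bootloader changed (constructed)."""
    chain = list(BOOT_CHAIN)
    name, image = chain[1]
    chain[1] = (name, image[:-1] + b"2")
    return chain


if __name__ == "__main__":
    good_pcr, log = measure_boot(BOOT_CHAIN)
    blob = seal(b"constructed-disk-key", good_pcr)
    print("clean boot unseals:   ", unseal(blob, good_pcr) is not None)
    bad_pcr, _ = measure_boot(tampered_chain())
    print("tampered boot unseals:", unseal(blob, bad_pcr) is not None)
    print("log replays to PCR:   ", replay_log(log) == good_pcr)
```

Two properties worth noticing: a single changed byte anywhere in the chain changes the final PCR, so the sealed key is withheld rather than handed to a modified bootloader; and the event log lets a remote verifier recompute the PCR and compare it against a value signed by the TPM, which is the basis of attestation. The same logic applies whether the PCRs live in a discrete TPM chip or in a firmware implementation such as PTT.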
Implementing TPM in dedicated hardware has a key benefit. TPM isolates the security infrastructure from the host system, making it exceedingly difficult to spoof, tamper with or defeat. But it adds cost and complexity to system designs, which means that a lot of devices that could benefit from this level of security simply don’t have it.
Inside Platform Trust Technology
That shortfall is changing with firmware-based implementations of TPM. Intel’s PTT was introduced in 2013 on select fourth-generation Intel Core processors and chipsets, including Intel Haswell ULT multichip packages, as well as on Atom-based system-on-a-chip solutions like Bay Trail. PTT enables low-cost and low-power devices to support the same root of trust concepts enabled by hardware-based TPM. Furthermore, it supports all of Microsoft’s requirements for firmware Trusted Platform Module (fTPM) 2.0.
A similar implementation—ARM’s TrustZone scheme—provides TPM capabilities for low-power, ARM processor-based portable devices like tablets.
PTT is especially important in the industrial PC space. It lets organizations establish the same rigorous levels of security in their compact, fanless systems and devices as they do for desktop PCs, workstations and servers. PTT-enabled IPCs radically shrink the attack surface for systems that often sit unattended in remote or public spaces.
There was a time when IT managers were forced to choose between IPCs with robust security or compact, low-power designs. Intel PTT puts an end to that need to choose.