Trusted Platform Module – My understanding

Recently in my line of work, I was required to use a TPM to generate a pair of keys, which to be honest I don’t really understand how it works. So I went on the net and scoured for whatever relevant material made sense. I don’t know where I got this link, but it explains what the TPM is and does.

I still don’t understand everything, but I’ll try to summarise from the video and other posts I have read. TPM stands for Trusted Platform Module, where a protocol/standard(??) specifies hardware (mostly hardware, though I read there are also software implementations) that validates/verifies processes by using cryptographic keys. Most likely the TPM is invoked during startup, because that is the moment when malicious software or firmware might try to load (I think).

By analogy, it is like having a guard (the TPM) in a guardhouse that admits people (firmware/software). The guard has a list which he compares against when someone tells him their name. But this guard only confirms whether the person is on the list or not and can’t prevent them from trespassing. He does take note, and mentions if any of the software or drivers are different from the allowed value. End of analogy.
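To make the analogy concrete, here is an added Python simulation (not from the post, and not a TPM library) of measured boot: each component is hashed and extended into a PCR register the way TPM 2.0 does it (new PCR = H(old PCR || digest)), and a verifier holding the guard’s list can only report what differed, not stop it. The component names and bytes are constructed for the example.

```python
import hashlib

# Constructed sample boot chain: (component name, bytes the boot code would measure).
GOOD_CHAIN = [
    ("firmware", b"vendor-firmware-v1"),
    ("bootloader", b"bootloader-v2"),
    ("kernel", b"kernel-6.1"),
]

def measure(data: bytes) -> str:
    """Digest of one component, as the boot code computes it before handing over."""
    return hashlib.sha256(data).hexdigest()

def extend(pcr: bytes, digest_hex: str) -> bytes:
    """PCR extend as in TPM 2.0: new = H(old || digest). Append-only and order-sensitive."""
    return hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()

def measured_boot(chain):
    """Record every component into an event log and a PCR. Nothing is blocked:
    an unexpected component is measured and run just like an expected one."""
    pcr = bytes(32)  # PCRs are all zeros at reset
    log = []
    for name, data in chain:
        digest = measure(data)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr.hex()

def verify(log, reported_pcr, expected):
    """The guard's list: expected maps component name -> allowed digest.
    Replays the log against the reported PCR and reports which entries differ."""
    changed = [name for name, digest in log if expected.get(name) != digest]
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return {"log_matches_pcr": pcr.hex() == reported_pcr, "changed": changed}

EXPECTED = {name: measure(data) for name, data in GOOD_CHAIN}

def demo():
    """Good boot, a modified bootloader, and a log edited to hide the modification."""
    good = verify(*measured_boot(GOOD_CHAIN), EXPECTED)
    tampered_chain = [GOOD_CHAIN[0], ("bootloader", b"bootloader-v2-modified"), GOOD_CHAIN[2]]
    log, pcr = measured_boot(tampered_chain)
    tampered = verify(log, pcr, EXPECTED)
    # Rewriting the log cannot rewrite the PCR, so the replay no longer matches.
    forged_log = [(name, EXPECTED[name]) for name, _ in log]
    hidden = verify(forged_log, pcr, EXPECTED)
    return good, tampered, hidden
```

Calling `demo()` returns the three verification reports; the second shows the guard noting the changed bootloader while still having let it run, and the third shows why the PCR, not the log, is what the verifier ultimately trusts.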

In the video above, one philosophical question was asked: whether we can trust the TPM manufacturer, because they are in essence creating a component that is needed to validate whether we can trust a PC or not, hence the component itself and its manufacturer need to be trusted too. The speaker did say that if we apply the same question to other components, we face the same problem, as Intel or Nvidia could also inject malicious code into their products.

They wouldn’t, not only because they want people to trust them, but also because it is against their very existence to compromise. Their survival dictates that any notion of malpractice will have dire consequences. It would be very bad for them, even if there were only a rumour of something along those lines happening. That is my opinion. It is a trusted platform module, where the trust equals commercial value.

I am sure there is a better post or even a paper describing this in a more eloquent manner, but this is what I observe from my brief understanding of the TPM. Let’s see in the future if I can find similar cases where my views can be applied. As for now, I trust (and am trying to understand what I am trusting, ha!) what I am working on right now.

Thank you for reading.
