What is Trusted Platform Module (TPM)?

To raise the security of industrial IoT deployments, for example in edge computing, device authentication via the Trusted Platform Module is increasingly being used. TPM is the abbreviation of Trusted Platform Module and refers to a chip that improves the security of a computer and underpins various Windows technologies such as BitLocker (disk encryption) and Windows Hello (sign-in with fingerprint, face or PIN). The small chip sits on the mainboard and is intended in particular to make manipulation of the computer detectable and to withstand attacks such as viruses and Trojans. In general, TPMs generate cryptographic keys, store them so that the private part never leaves the chip, and record measurements of the boot process so that the operating system is only trusted if it started in the expected state.

Operating modes

The Trusted Platform Module has the central task of creating a trustworthy environment and enabling secure data handling. On the one hand, it makes it possible to secure the identity and integrity of the industrial computer (IPC) in order to check whether the IPC has been manipulated or exchanged unnoticed. On the other hand, it encrypts and decrypts data so that only authorized persons can access, process and use that data.
Key custody and identity are handled directly by the TPM itself. Other, more complex requirements, such as compliance with data policies, are covered in combination with the operating system.

Chains of trust

When the TPM is activated, measurements of the individual components are recorded in it one after the other as the industrial computer starts up: each boot stage hashes the next component before handing over control and extends that digest into a Platform Configuration Register (PCR) of the TPM. A PCR cannot be written directly, only extended, so its final value depends on every measurement and on the order in which they were made. The comparison with previously stored values does not happen inside the TPM during boot; it happens when a secret (such as a disk encryption key) has been sealed to the expected PCR values and the TPM refuses to release it after a mismatch, or when a remote verifier checks a TPM-signed quote of the PCRs against known-good values. If the values match, it can be assumed that the components are functioning as expected and their integrity is intact. In this way trustworthy software instances are gradually brought up to the application level for execution. Note the division of labour: measured boot via the TPM detects a deviation, while Secure Boot, which checks the signatures on the same components, is what prevents an unsigned component from running at all.
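As an added illustration of the chain of trust described above (this is example code written for this page, not Welotec's or any TPM vendor's software), the following Python simulates the SHA-256 PCR bank of a TPM 2.0 with plain hashlib. The component images, the single-PCR layout and the seal/unseal dictionary are constructed assumptions; a real TPM performs the extend and the policy check inside the chip, and a real platform spreads measurements over several PCRs.

```python
import hashlib
import hmac

# Added example (not code from the original page): a simulation of TPM-style
# measured boot using one SHA-256 PCR. A real TPM does this inside the chip.

PCR_INIT = bytes(32)  # a PCR reads as all zeros after platform reset


def measure(image: bytes) -> bytes:
    """Digest of a component image, as the preceding boot stage computes it."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest).
    The register cannot be set directly, only extended, so the result
    depends on every measured value and on the order of measurement."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain):
    """Measure each component before it runs and extend it into the PCR.
    Returns the final PCR value and the event log (name, digest) that a
    verifier can replay."""
    pcr = PCR_INIT
    log = []
    for name, image in chain:
        digest = measure(image)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the event log alone, as a remote verifier does
    when checking a TPM quote against the log the device sent along."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def seal(secret: bytes, pcr: bytes):
    """Bind a secret to an expected PCR value (simplified TPM2_Create policy)."""
    return {"secret": secret, "policy_pcr": pcr}


def unseal(sealed, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealing policy,
    which is how disk encryption keys are bound to a known-good boot state."""
    if hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return sealed["secret"]
    return None


# Constructed sample images: stand-ins for real firmware/bootloader/kernel bytes.
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware build 1.2"),
    ("bootloader", b"shim + grub 2.06"),
    ("kernel", b"vmlinuz 6.1"),
    ("initrd", b"initramfs"),
]
# One byte of the bootloader changed, e.g. by a bootkit.
TAMPERED_CHAIN = [
    (name, image + b" [patched]") if name == "bootloader" else (name, image)
    for name, image in GOOD_CHAIN
]
# Same components, wrong order: also detected, because extend is order-sensitive.
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]


def demo():
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    disk_key = seal(b"volume-master-key", good_pcr)  # sealed at provisioning
    return {
        "good": unseal(disk_key, measured_boot(GOOD_CHAIN)[0]) is not None,
        "tampered": unseal(disk_key, measured_boot(TAMPERED_CHAIN)[0]) is not None,
        "reordered": unseal(disk_key, measured_boot(REORDERED_CHAIN)[0]) is not None,
        "log_replays": replay_log(good_log) == good_pcr,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running it shows the property that matters for the chain of trust: the sealed key is released only for the unmodified chain, a single patched component or a swapped boot order yields a different PCR and the unseal fails, and a verifier holding only the event log can reproduce the PCR value it expects to see in a quote.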

TPM 2.0 and Windows 11

The Trusted Platform Module version 2.0 has been available since 2015. While it was still optional in previous Windows versions, TPM 2.0 is a mandatory system requirement for Windows 11. In combination with Secure Boot, TPM 2.0 is intended to protect even better against cyber attacks. In order to comply with security standards and to protect the devices from cyber attacks, all Welotec industrial computers and edge gateways include an integrated TPM 2.0 module.

Authentication of devices with TPM during mass rollouts

A particular challenge in implementing mass rollouts is getting a large number of devices into the field securely. One solution is the Device Provisioning Service (DPS) from Microsoft Azure, which can be used to roll out large fleets of devices securely via TPM 2.0. With TPM attestation, each device is enrolled by the endorsement key (EK) of its TPM together with a registration ID, and it proves possession of that key by answering a challenge from DPS that only its TPM can decrypt, so a device without the enrolled TPM cannot be provisioned in its place. The exact steps of auto-provisioning are described in detail in our whitepaper.