Building Secure Clouds with TPM 2.0
In light of the Intel Meltdown and Spectre vulnerabilities, many of our partner cloud service providers have adopted TPM 2.0 to help secure their clouds. A TPM does not mitigate those CPU side-channel flaws itself; what it provides is a hardware root of trust for measuring and attesting the firmware, microcode and software a host boots, so that a patched state can be verified rather than assumed.
What is TPM?
The Trusted Platform Module (TPM) is a discrete cryptographic component of a server that provides hardware-backed security functions for tasks such as user authentication, remote access, and data protection (key storage, measured boot and attestation).
TPM 2.0 is defined by the Trusted Computing Group (TCG) as the successor to TPM 1.2. It raises the security of a server by keeping keys and boot measurements in tamper-resistant hardware, which limits the damage a compromise or malware infection of the host software can do. TPM 2.0 is a feature available in most Quanta systems.
Major changes in TPM 2.0
The TPM 2.0 specification introduces new features beyond those in the TPM 1.2 specification, as summarized below:
No Opt-in/Opt-out: TPM 1.2 let the owner enable, disable, activate and deactivate the TPM through opt-in/opt-out mechanisms defined in the specification. TPM 2.0 removes these from the specification; whether an administrator can disable TPM 2.0 functions is instead decided by the platform manufacturer (Quanta) and exposed, if at all, through the platform firmware.
Seeds and keys: The keys in TPM 2.0 are derived from primary seeds stored in the TPM, one per hierarchy (the Endorsement, Storage and Platform Primary Seeds). A Key Derivation Function (KDF) turns a seed plus a key template into a primary key, so Endorsement Keys (EKs) and Storage Root Keys (SRKs) can be re-derived on demand rather than stored; replacing a seed invalidates every key derived from it.
TPM 2.0 is algorithm-agile: where TPM 1.2 was limited to RSA and SHA-1, TPM 2.0 supports multiple hash, asymmetric and symmetric algorithms, and allows "field upgrades" to the set of algorithms the TPM supports. A field upgrade is a manufacturer-specific update of the TPM firmware, which the platform manufacturer (Quanta) delivers through its own update process. The algorithms available in TPM 1.2 and TPM 2.0 are listed in Table 1.
TPM 2.0 keeps the key roles of TPM 1.2: the EK identifies the TPM and anchors attestation, and the SRK protects the storage key hierarchy. Control, however, is split into three hierarchies in 2.0: Platform (controlled by the platform firmware), Storage (controlled by the owner, typically the OS administrator) and Endorsement (controlled by the privacy administrator). TPM 2.0 also contains a Null hierarchy whose seed is regenerated on every TPM reset, so keys under it are ephemeral. Each hierarchy has its own authorization value and policy, that is, its own unique "owner", as shown in Figure 1.
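To make the "seeds and keys" and hierarchy points above concrete, here is an added toy model written for this page; it is not Quanta's or the TCG's code. It implements KDFa, the SP 800-108 counter-mode HMAC KDF from the TPM 2.0 library specification, and uses it to derive primary keys from one primary seed per hierarchy, each hierarchy guarded by its own authorization value. The `ToyTpm` class, the `demo` function, the byte-string templates and the `b"PRIMARY"` label are constructed for illustration: a real TPM never exposes its seeds, its key templates are `TPMT_PUBLIC` structures, and the exact derivation of a primary object from seed and template is implementation-specific. What the model shows faithfully is the structure: the same seed and template always give the same key, changing a seed invalidates only that hierarchy's keys, a reset invalidates only null-hierarchy keys, and seed rotation is a platform-owner operation rather than one the affected hierarchy's owner can perform.

```python
"""Toy model of TPM 2.0 seeds, KDF-derived primary keys and hierarchies.

Illustrative code only (see the lead-in): a real TPM never exposes a
primary seed, and the exact way it turns a seed plus a key template into
a primary object is implementation-specific. What is modelled is the
structure: one primary seed and one authorization value per hierarchy,
with keys derived by TPM 2.0's KDFa (SP 800-108 counter mode with HMAC).
"""
import hashlib
import hmac
import secrets
import struct

HIERARCHIES = ("platform", "storage", "endorsement", "null")

# Constructed stand-ins for key templates (a real template is a TPMT_PUBLIC).
EK_TEMPLATE = b"RSA-2048 restricted decrypt, EK policy"
SRK_TEMPLATE = b"RSA-2048 restricted decrypt, user-with-auth"


def kdfa(hash_name, key, label, context_u=b"", context_v=b"", bits=256):
    """TPM 2.0 KDFa: concatenate
    HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32)
    for i = 1, 2, ... and return the first `bits` bits."""
    if bits <= 0:
        raise ValueError("bits must be positive")
    n_bytes = (bits + 7) // 8
    out = b""
    i = 1
    while len(out) < n_bytes:
        msg = (struct.pack(">I", i) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_name).digest()
        i += 1
    return out[:n_bytes]


class ToyTpm:
    """Four hierarchies, each with its own primary seed and owner auth."""

    def __init__(self, seeds=None):
        # Platform, storage and endorsement seeds persist across resets;
        # the null seed is replaced on every TPM reset.
        self.seeds = dict(seeds) if seeds else {
            h: secrets.token_bytes(32) for h in HIERARCHIES}
        # Authorization values start empty until an administrator sets them.
        self.auth = {h: b"" for h in HIERARCHIES}

    def _check(self, hierarchy, auth):
        if hierarchy not in HIERARCHIES:
            raise KeyError(hierarchy)
        if not hmac.compare_digest(self.auth[hierarchy], auth):
            raise PermissionError("bad authorization for %s hierarchy" % hierarchy)

    def set_auth(self, hierarchy, old_auth, new_auth):
        """TPM2_HierarchyChangeAuth analogue: each owner sets its own auth."""
        self._check(hierarchy, old_auth)
        self.auth[hierarchy] = new_auth

    def create_primary(self, hierarchy, template, auth=b""):
        """Derive a primary key's sensitive material from the hierarchy seed
        and the template. Same seed + same template always gives the same
        key, so a primary key never needs to be stored; it is re-derived."""
        self._check(hierarchy, auth)
        template_name = hashlib.sha256(template).digest()
        return kdfa("sha256", self.seeds[hierarchy], b"PRIMARY",
                    template_name, b"", 256)

    def change_seed(self, hierarchy, platform_auth=b""):
        """Seed rotation (TPM2_ChangeEPS / TPM2_ChangePPS; TPM2_Clear for the
        storage seed): authorized by the platform owner, and it invalidates
        every key under the affected hierarchy."""
        if hierarchy == "null":
            raise ValueError("the null seed changes only on TPM reset")
        self._check("platform", platform_auth)
        self.seeds[hierarchy] = secrets.token_bytes(32)

    def reset(self):
        """TPM reset: only the null hierarchy's seed is regenerated."""
        self.seeds["null"] = secrets.token_bytes(32)


def demo():
    """Exercise the properties above; returns a dict of boolean findings."""
    tpm = ToyTpm()
    ek = tpm.create_primary("endorsement", EK_TEMPLATE)
    srk = tpm.create_primary("storage", SRK_TEMPLATE)
    null_key = tpm.create_primary("null", SRK_TEMPLATE)
    findings = {
        "ek_is_reproducible": tpm.create_primary("endorsement", EK_TEMPLATE) == ek,
        "template_changes_key": tpm.create_primary("storage", EK_TEMPLATE) != srk,
    }
    tpm.reset()
    findings["reset_kills_null_keys"] = tpm.create_primary("null", SRK_TEMPLATE) != null_key
    findings["reset_keeps_srk"] = tpm.create_primary("storage", SRK_TEMPLATE) == srk
    tpm.change_seed("endorsement")  # platform owner rotates the endorsement seed
    findings["new_eps_kills_ek"] = tpm.create_primary("endorsement", EK_TEMPLATE) != ek
    findings["new_eps_keeps_srk"] = tpm.create_primary("storage", SRK_TEMPLATE) == srk
    return findings


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "ok" if ok else "FAIL"))
```

The design choice worth noticing is that `change_seed` checks the platform hierarchy's authorization, not the endorsement or storage owner's: on a real TPM 2.0 the privacy administrator can set the endorsement auth but cannot rotate the endorsement seed, which is why the text calls the hierarchies separately owned rather than merely separately named.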