Basic functions

The Trusted Platform Module (TPM) is designed to increase the security of a software system through hardware. Devices with a TPM are extended with basic security features. Among other things, this enables the encryption of user data and thus prevents unauthorized read access when the device is switched off. Unauthorized manipulation of the software is also prevented.

Beckhoff implements TPMs on devices in two different ways. One method is a firmware TPM, where microcode on the main CPU provides the TPM functions. AMD calls this method “fTPM”, while Intel calls it “Intel® PTT” (Platform Trust Technology). The other method is a discrete TPM, implemented as an additional chip that is a separate component from the main CPU.

In principle, there is also the integrated TPM solution, where the TPM is a separate area within the CPU itself. However, Beckhoff does not implement this solution.

Not all Beckhoff devices support a TPM; the suitable devices are listed in the product finder: https://www.beckhoff.com/en-en/products/ipc/product-finder-ipc/

The TPM performs two basic functions, one of which is encryption. For this, keys are generated in the TPM, stored securely with the aid of the TPM, and used only there. Because the TPM itself can hold only a few keys, most keys are stored outside it: they are encrypted with the master key held in the TPM and then stored externally. This allows a large number of keys to be kept securely.

In addition, the system integrity is measured. This includes checking that the system is started with the correct software. Several measurements are performed, resulting in a set of checksums. The TPM only releases a key for use when these checksums have been verified and the measurement was successful. Which checksums must match can be specified individually for each key. In addition to these two basic functions, the TPM has other functions, which are explained elsewhere.
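The following added example, which is not Beckhoff code and does not use a real TPM API, models the two basic functions described above in simplified form: a measurement chain that folds the checksum of each boot stage into a register, and a sealing routine that wraps a key with a master secret that never leaves the simulated module and releases it only when the current measurement matches the one the key was bound to. All class and function names are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Extend a measurement register: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components: list[bytes]) -> bytes:
    """Chain the measurements of every boot stage into one register value."""
    pcr = bytes(32)  # the register starts at all-zero at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

class SimTpm:
    """Simplified model: a master key kept 'inside the chip' wraps keys stored outside."""

    def __init__(self) -> None:
        self._master = os.urandom(32)  # constructed; stands in for the TPM master key

    def seal(self, key: bytes, expected_pcr: bytes) -> dict:
        """Wrap `key` (max 32 bytes) so it can only be unwrapped under `expected_pcr`."""
        if len(key) > 32:
            raise ValueError("key longer than the keystream this model derives")
        nonce = os.urandom(16)
        stream = hmac.new(self._master, b"wrap" + nonce + expected_pcr, hashlib.sha256).digest()
        ct = bytes(k ^ s for k, s in zip(key, stream))
        tag = hmac.new(self._master, expected_pcr + nonce + ct, hashlib.sha256).digest()
        # The blob holds no secret on its own and may be stored externally
        return {"pcr": expected_pcr, "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, current_pcr: bytes) -> bytes | None:
        """Return the key only if the measured state matches and the blob is intact."""
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            return None  # wrong or tampered boot software: key is not released
        tag = hmac.new(self._master, blob["pcr"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # externally stored blob was modified
        stream = hmac.new(self._master, b"wrap" + blob["nonce"] + blob["pcr"], hashlib.sha256).digest()
        return bytes(c ^ s for c, s in zip(blob["ct"], stream))
```

Replacing any boot stage, or omitting one, changes the final register value, so the same blob no longer unseals.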

Fig. 1: Basic TPM functions