Basic functions
The Trusted Platform Module (TPM) is designed to increase the security of a software system by means of hardware. Devices with a TPM gain basic security features. Among other things, this enables the user data to be encrypted, which prevents unauthorized read access while the device is switched off. Unauthorized manipulation of the software is also prevented.
There are three options for implementing a TPM:
- TPM as a discrete chip, which is an additional component that is separate from the main CPU.
- Integrated TPM solution, where the TPM comprises a separate area in the CPU.
- Firmware TPM solution (fTPM), where the main CPU runs complementary microcode that provides the functions of the TPM.
Beckhoff currently uses two of these implementation options in its devices: TPM as a discrete chip, and the firmware solution (fTPM). Since not all devices are supported, information about the suitability of individual devices can be found in the corresponding product documentation and in the product finder: https://www.beckhoff.com/en-en/products/ipc/product-finder-ipc
The TPM performs two basic functions, one of which is encryption. For this purpose, keys are generated in the TPM, stored securely with the aid of the TPM and used only there. Since only a few keys can be stored inside the TPM itself, most keys are stored outside it: they are encrypted with the master key held in the TPM, and the encrypted copies are stored externally. This makes it possible to keep a large number of keys securely.
In addition, the TPM measures the system integrity. This includes checking that the system is started with the correct software: several measurements are taken during startup, resulting in a set of checksums. The TPM only releases the keys for use when these checksums have been verified, i.e. when the measurement was successful. Which checksums are relevant can be specified individually for each key. In addition to these two basic functions, the TPM has other functions, which are explained elsewhere.
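The two basic functions just described, as an added Python simulation that is not Beckhoff code and not a real TPM interface: a master key that never leaves the simulated chip wraps keys that are stored externally, each stage of the boot chain extends a measurement register, and a wrapped key is released only when the registers match the checksums it was sealed to. The HMAC-based cipher, the `SimTpm` class, the `boot` helper and the boot-stage strings are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the TPM's symmetric cipher (HMAC-SHA256 keystream), not real TPM crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SimTpm:
    """Simulated TPM: a master key that never leaves the chip plus measurement registers (PCRs)."""
    def __init__(self, num_pcrs: int = 8):
        self._master = secrets.token_bytes(32)   # used only inside this object, never exported
        self.pcrs = [bytes(32)] * num_pcrs      # all zero at power-on

    def extend(self, index: int, measurement: bytes) -> bytes:
        # PCR[i] = H(PCR[i] || H(measurement)): each boot stage adds to the chain, nothing can be undone
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def _policy(self, selection) -> bytes:
        return hashlib.sha256(b"".join(self.pcrs[i] for i in sorted(selection))).digest()

    def seal(self, key: bytes, selection) -> bytes:
        """Encrypt an external key with the master key and bind it to the selected PCR values."""
        nonce, sel = secrets.token_bytes(16), bytes(sorted(selection))
        body = nonce + bytes([len(sel)]) + sel + self._policy(sel) + _keystream_xor(self._master, nonce, key)
        return body + hmac.new(self._master, body, hashlib.sha256).digest()  # blob may be stored on disk

    def unseal(self, blob: bytes):
        """Return the key only if the blob is intact and the PCRs match the values it was sealed to."""
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(self._master, body, hashlib.sha256).digest(), tag):
            return None                          # tampered, or sealed by a different TPM
        nonce, n = body[:16], body[16]
        sel, policy, ciphertext = body[17:17 + n], body[17 + n:49 + n], body[49 + n:]
        if not hmac.compare_digest(self._policy(sel), policy):
            return None                          # measurements differ: key is not released
        return _keystream_xor(self._master, nonce, ciphertext)

def boot(tpm: SimTpm, stages) -> bytes:
    """Power cycle: PCRs start at zero, then each stage of the (constructed) boot chain is measured."""
    tpm.pcrs = [bytes(32)] * len(tpm.pcrs)
    for stage in stages:
        tpm.extend(0, stage)
    return tpm.pcrs[0]
```

Booting the same stages in the same order reproduces the register value and releases the key; a modified stage, a different order, a tampered blob or another chip's master key all leave the key locked.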