The table of encryption algorithms below provides a summary; for a more comprehensive list of TPM algorithms, reference the TCG Algorithm Registry. The list of mandatory algorithms for TPM 2.0 in a personal computer is defined in the latest PC Client Platform TPM Profile.
Algorithm Type |
Algorithm Name |
TPM 1.2 |
TPM 2.0 |
---|---|---|---|
Asymmetric |
RSA 1024 |
Yes |
Optional |
|
RSA 2048 |
Yes |
Yes |
|
ECC P256 |
No |
Yes |
|
ECC BN256 |
No |
Yes |
Symmetric |
AES 128 |
Optional |
Yes |
|
AES 256 |
Optional |
Optional |
Hash |
SHA-1 |
Yes |
Yes |
|
SHA-2 256 |
No |
Yes |
HMAC |
SHA-1 |
Yes |
Yes |
|
SHA-2 256 |
No |
Yes |
Table 1: TPM 1.2 vs. 2.0
TPM 1.2 supports a single "owner" authorization, with an RSA 2048b Endorsement Key (EK) for signing/attestation and a single RSA 2048b Storage Root Key (SRK) for encryption. This means a single user or entity ("owner") has control over both the signing/attestation and encryption functions of the TPM. In general, the SRK serves as the parent for any keys created in TPM 1.2. TPM 1.2 was specified as an opt-in device (see the Trusted Computing Group article The Case for Turning on Trusted Platform Modules for more information regarding the meaning of "opt-in" as it applies to TPM).
TPM 2.0 has the same functionality that is represented by the EK for signing/attestation and SRK for encryption as in 1.2, but the control is split into two different hierarchies in 2.0, the Endorsement Hierarchy (EH) and the Storage Hierarchy (SH). In addition to the EH and SH, TPM 2.0 also contains a Platform Hierarchy (PH) for maintenance functions, and a Null Hierarchy. Each hierarchy has its own unique "owner" for authorization. Because of this, TPM 2.0 supports four authorizations which would be analogous to the single TPM 1.2 "owner."
In TPM 2.0, the new Platform Hierarchy is intended to be used by platform manufacturers. The Storage and Endorsement hierarchies, and the Null hierarchy is used by operating system's and OS-present applications. TPM 2.0 has been specified in a way that makes discovery and management less cumbersome than 1.2. TPM 2.0 can to support RSA and ECC algorithms for Endorsement Keys and SRKs.
Feature or Application |
TPM 1.2 |
TPM 2.0 |
---|---|---|
DDP|ST - OTP client |
Yes |
No* |
DDP|Encryption |
Yes |
Yes |
Intel® Trusted Execution Technology |
Yes |
Yes |
Microsoft Bitlocker™ |
Yes |
Yes |
Microsoft Virtual Smart Card |
Yes |
Yes |
Microsoft Credential Guard™ |
Yes |
Yes |
Microsoft Passport™ |
Yes |
Yes |
TCG Measured Boot |
Yes |
Yes |
UEFI Secure Boot |
Yes |
Yes |
Microsoft Device Guard |
Yes |
Yes |
Table 2: TPM 1.2 vs. 2.0 - Supported Applications and Features
Also, see Dell Dell Knowledge Base article Dell Computers That Can Upgrade from TPM Version 1.2 to 2.0.
A firmware-based TPM (fTPM) is a TPM that operates using the resources and context of a multifunction/feature compute device (such as a SoC, CPU, or other similar compute environment).
A discrete TPM is implemented as an isolated, separate function or feature chip, with all necessary computing resources that are contained within the discrete physical chip package. A discrete TPM has full control of dedicated internal resources (such as volatile memory, nonvolatile memory, and cryptographic logic), and it is the only function accessing and using those resources.
A firmware-based TPM does not have its own dedicated storage. It relies on operating system and platform services to provide it access to storage within the platform. One of the implications of not having dedicated storage involves the presence of an Endorsement Key (EK) certificate. Discrete TPM devices can be delivered by the TPM manufacturer to the platform manufacturer with an EK certificate installed in the TPM storage for the TPM Endorsement Key. This is not possible with a firmware TPM. Firmware TPM vendors make certificates available to end-users through manufacturer-specific processes. To acquire the EK certificate for a computer, platform owners must contact the chipset/CPU vendor for that platform.
Also, a TCG Certified discrete TPM is required to meet compliance and security requirements including hardening of the chip and its internal resources similar to smart cards. TCG compliance verifies that the TPM correctly implements the TCG specifications. The hardening that is required by TCG certification allows a Certified discrete TPM to protect itself against more complicated physical attacks.
Also, see Dell Knowledge Base articles:
Operating System |
TPM 1.2 |
TPM 2.0 |
---|---|---|
Windows 7 |
Yes |
No (1) |
Windows 8 |
Yes |
Yes (2) |
Windows 8.1 |
Yes |
Yes (2) |
Windows 10 |
Yes |
Yes |
RHEL |
Yes |
Yes (3)(4) |
Ubuntu |
Yes |
Yes (3)(5) |
Table 3: Operating System Vendor Support
Operating System |
TPM 1.2 |
TPM 2.0 |
---|---|---|
Windows 7 |
Yes |
No |
Windows 8 |
Yes |
No (5) |
Windows 8.1 |
Yes |
No (5) |
Windows 10 |
Yes |
Yes (6) |
RHEL |
No (7) |
Yes (8) |
Ubuntu 14.04 |
No (7) |
No |
Ubuntu 16.04 |
No (7) |
Yes (9) |
Table 4: Dell Commercial Platform operating system Support