In 2021, the Dolos Group demonstrated something alarming: they read a laptop's full disk encryption key by sniffing traffic between the TPM chip and the CPU. The key was transmitted in plaintext over an unprotected bus. The "tamper-resistant" TPM was secure; the wires connecting it weren't. [1]

Windows 11 requires TPM 2.0. BitLocker relies on the TPM to seal its volume master key. Modern security assumes TPM works. But what does "works" actually mean? TPM provides real security benefits while having real limitations that marketing rarely mentions.

What TPM Is

A Trusted Platform Module is a dedicated security chip (or firmware equivalent) that provides: [2]

  • Secure key storage: Cryptographic keys generated inside the TPM and never exported from it in plaintext
  • Platform Configuration Registers (PCRs): Measurements of boot components
  • Remote attestation: Cryptographic proof of system state
  • Sealed storage: Data encrypted to a specific system state
  • Random number generation: Hardware RNG for cryptographic operations

Types of TPM

  • Discrete TPM: Separate chip on the motherboard (strongest tamper resistance for the chip itself, but the bus to the CPU is exposed to sniffing)
  • Firmware TPM (fTPM): Runs in CPU's trusted execution environment (Intel PTT, AMD fTPM)
  • Integrated TPM: Built into another chip like the chipset
  • Software TPM: Emulation for development and testing (no hardware root of trust on its own)

Firmware TPMs avoid bus sniffing attacks because there's no external bus to sniff - the TPM functionality runs inside the CPU. But they're also more complex and have their own vulnerabilities.

What TPM Protects

BitLocker Key Management

The most common use: BitLocker seals its volume master key to the TPM. The TPM wraps the key and will only unseal it when the selected PCRs hold the same values they had when the key was sealed, meaning the boot chain measured the same components in the same order and nothing in it has been modified. [3]

This protects against:

  • Booting from a malicious USB to bypass encryption (a different boot path produces different PCR values, so no key is released)
  • Modifying the bootloader to steal keys (the modification changes the measurements, so the TPM refuses to unseal)
  • Cold boot attacks, but only in TPM + PIN mode; TPM-only mode hands the key over on every boot (more below)

Secure Boot Integration

TPM complements UEFI Secure Boot, but the two do different jobs. Secure Boot verifies signatures and refuses to run unsigned components; measured boot records a hash of each component into a PCR before running it (each stage measures the next), and the TPM only stores those measurements, it verifies nothing. Together they give an auditable chain from firmware to OS, and because the Secure Boot policy itself is measured into PCR 7, a change to that policy is visible in the measurements too.
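The two mechanisms above, measured boot and PCR-bound sealing, are easiest to see in code. The following is an added example, not code from the article or from BitLocker: it models TPM2_PCR_Extend, a boot chain that extends each stage into a single PCR, and a seal/unseal pair whose release is gated on the PCR value. Assumptions: a SHA-256 PCR bank, HMAC-SHA256 in counter mode as a stand-in for the TPM's own symmetric wrapping of sealed objects, and constructed byte strings in place of real firmware, bootloader and kernel images.

```python
import hashlib
import hmac
import os

# Added example (not the article's code): a minimal model of measured boot and
# PCR-bound sealing. Assumptions: a SHA-256 PCR bank, HMAC-SHA256 in counter mode
# as a stand-in for the TPM's symmetric wrapping of sealed objects, and the boot
# component strings below, which are constructed stand-ins for real binaries.

PCR_SIZE = 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || measurement). Never a plain write."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components: list) -> bytes:
    """Each stage hashes the next one and extends it into the PCR, starting
    from the reset value of all zeros. Order matters: swapping two stages
    yields a different final value."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


class SimulatedTpm:
    """Seal/unseal half of a TPM. The storage key never leaves the object;
    callers only ever see opaque blobs."""

    def __init__(self) -> None:
        self._storage_key = os.urandom(32)  # models the Storage Root Key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            out += hmac.new(self._storage_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def _tag(self, nonce: bytes, expected_pcr: bytes, ct: bytes) -> bytes:
        # The expected PCR value is bound into the MAC, so editing it in the
        # blob to match a tampered boot is detected.
        return hmac.new(self._storage_key, b"seal" + nonce + expected_pcr + ct,
                        hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        """Wrap `secret` so it is only released when the PCR equals `expected_pcr`."""
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        return {"nonce": nonce, "pcr": expected_pcr, "ct": ct,
                "tag": self._tag(nonce, expected_pcr, ct)}

    def unseal(self, blob: dict, current_pcr: bytes) -> bytes:
        """Release the secret only if the blob is intact and the PCR policy holds."""
        if not hmac.compare_digest(self._tag(blob["nonce"], blob["pcr"], blob["ct"]), blob["tag"]):
            raise PermissionError("sealed blob has been tampered with")
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            raise PermissionError("PCR policy failed: boot chain differs from sealing time")
        stream = self._keystream(blob["nonce"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed boot chains. The "evil" chain differs only in the bootloader.
GOOD_CHAIN = [b"firmware 1.2", b"shim (signed)", b"bootloader 4.0", b"kernel 6.8"]
EVIL_CHAIN = [b"firmware 1.2", b"shim (signed)", b"bootloader 4.0 + implant", b"kernel 6.8"]


def provision(tpm: SimulatedTpm, vmk: bytes) -> dict:
    """What BitLocker does at enable time: seal the volume master key to the
    PCR value of the boot chain that is running right now."""
    return tpm.seal(vmk, measured_boot(GOOD_CHAIN))


def try_boot(tpm: SimulatedTpm, blob: dict, chain: list):
    """Returns the released key for a matching boot, or None if the TPM refuses
    (a real system would fall back to the recovery key prompt here)."""
    try:
        return tpm.unseal(blob, measured_boot(chain))
    except PermissionError:
        return None


if __name__ == "__main__":
    tpm = SimulatedTpm()
    vmk = os.urandom(32)  # constructed stand-in for the BitLocker volume master key
    blob = provision(tpm, vmk)
    print("good boot releases key:", try_boot(tpm, blob, GOOD_CHAIN) == vmk)
    print("tampered boot releases key:", try_boot(tpm, blob, EVIL_CHAIN) is not None)
```

On a real TPM 2.0 the same gate is built from TPM2_PolicyPCR followed by TPM2_Unseal, and a real boot spreads measurements over several PCRs rather than one; Microsoft's default validation profile on UEFI systems with Secure Boot binds the BitLocker key to PCR 7 and PCR 11. The model keeps the property that matters here: the decision to release the key is made inside the TPM from the measurements, and the blob cannot be edited to claim a different expected state.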

Credential Storage

Windows Hello, FIDO2 credentials, and other keys can be bound to the TPM. The private key never leaves the chip, even if the OS is compromised; the caveat is that a compromised OS can still ask the TPM to use it (see below).

Remote Attestation

A TPM can cryptographically prove a system's configuration to remote parties: it signs a quote of selected PCR values, together with a nonce supplied by the verifier, using an attestation key. Enterprise environments use this to verify devices meet security policies before allowing network access.
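The verifier's side of that exchange is where attestation succeeds or fails, so here it is as an added example (not code from the article or from any attestation product). It shows the checks a verifier has to make in order: the quote signature, that the nonce is one it issued and has not been used before, that the device's event log actually reproduces the quoted PCR values, and only then whether every measured component is on the allowlist. Assumptions: the quote "signature" is HMAC-SHA256 under a key shared with the verifier, a stand-in for the RSA or ECDSA signature a real TPM makes with its attestation key; the PCR indices, component digests and event logs are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not the article's code): the verifier side of a remote
# attestation exchange. The quote "signature" is HMAC-SHA256 under a key shared
# with the verifier, an assumed stand-in for the RSA/ECDSA signature a real TPM
# makes with its attestation key. PCR indices, component hashes and the event
# log entries below are constructed for the example.

VERIFIED = "device state verified"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(events: list) -> dict:
    """Recompute every PCR from an event log of (pcr_index, digest) entries."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(32)), digest)
    return pcrs


def pcr_composite(pcrs: dict) -> bytes:
    """Digest over the selected PCRs, in index order, as a quote covers it."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


class DeviceTpm:
    """Attester: signs the verifier's nonce together with the PCR composite."""

    def __init__(self, aik: bytes) -> None:
        self._aik = aik

    def quote(self, pcrs: dict, nonce: bytes) -> tuple:
        attested = b"QUOTE" + nonce + pcr_composite(pcrs)
        return attested, hmac.new(self._aik, attested, hashlib.sha256).digest()


class Verifier:
    """Checks signature, nonce freshness, log-to-PCR consistency, then policy."""

    def __init__(self, aik: bytes, allowed: dict) -> None:
        self._aik = aik
        self._allowed = allowed          # pcr index -> set of known-good digests
        self._outstanding = set()        # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, attested: bytes, signature: bytes, events: list) -> tuple:
        expected_sig = hmac.new(self._aik, attested, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            return False, "quote signature invalid"
        nonce, quoted = attested[5:37], attested[37:]
        if nonce not in self._outstanding:
            return False, "nonce not issued by us: replayed or forged quote"
        self._outstanding.discard(nonce)  # each challenge is single-use
        # The log is untrusted; it only counts if it reproduces the signed PCRs.
        if not hmac.compare_digest(pcr_composite(replay_event_log(events)), quoted):
            return False, "event log does not reproduce the quoted PCRs"
        for idx, digest in events:
            if digest not in self._allowed.get(idx, set()):
                return False, f"unknown component measured into PCR {idx}"
        return True, VERIFIED


def attest_once(verifier: Verifier, tpm: DeviceTpm, ran: list, reported: list) -> tuple:
    """One round trip. `ran` is what actually booted (what the TPM measured);
    `reported` is the event log the device chooses to send."""
    nonce = verifier.challenge()
    attested, sig = tpm.quote(replay_event_log(ran), nonce)
    return verifier.verify(attested, sig, reported)


# Constructed component digests and event logs (PCR 4: boot manager, PCR 8: kernel;
# indices chosen for the example).
GOOD_BOOTLOADER = hashlib.sha256(b"bootloader 4.0").digest()
EVIL_BOOTLOADER = hashlib.sha256(b"bootloader 4.0 + implant").digest()
GOOD_KERNEL = hashlib.sha256(b"kernel 6.8").digest()
GOOD_LOG = [(4, GOOD_BOOTLOADER), (8, GOOD_KERNEL)]
EVIL_LOG = [(4, EVIL_BOOTLOADER), (8, GOOD_KERNEL)]

if __name__ == "__main__":
    aik = b"\x42" * 32  # constructed shared attestation key
    verifier = Verifier(aik, {4: {GOOD_BOOTLOADER}, 8: {GOOD_KERNEL}})
    tpm = DeviceTpm(aik)
    print(attest_once(verifier, tpm, GOOD_LOG, GOOD_LOG))   # accepted
    print(attest_once(verifier, tpm, EVIL_LOG, EVIL_LOG))   # unknown component
    print(attest_once(verifier, tpm, EVIL_LOG, GOOD_LOG))   # doctored log caught
```

The order of checks is the point. A device that booted an implant cannot fix its event log, because a log that omits or alters the implant no longer reproduces the PCR values the TPM signed; and a captured good quote cannot be replayed later, because its nonce has already been consumed.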

What TPM Doesn't Protect

Running System Attacks

Once the OS boots, the TPM has already unsealed the keys the OS asked for. Malware running with sufficient privileges can:

  • Read decrypted disk contents (the OS has the key)
  • Access memory containing secrets
  • Use TPM-backed credentials (by calling the legitimate APIs)

TPM protects the boot chain. It doesn't protect a compromised running system.

Physical Attacks on Discrete TPMs

The Dolos Group attack demonstrated the fundamental weakness: discrete TPMs communicate over the LPC or SPI bus, and that traffic is not encrypted by default. (TPM 2.0 does define session-based parameter encryption, but in a TPM-only BitLocker setup like the one Dolos attacked, the unsealed key crossed the bus in the clear.) An attacker with physical access can: [1]

  1. Probe the bus between TPM and CPU
  2. Capture traffic during boot
  3. Extract the BitLocker key as it's transmitted
  4. Decrypt the drive

This requires physical access and hardware tools (logic analyzer, oscilloscope), but it's documented and reproducible.

Cold Boot Attacks

When BitLocker uses TPM-only mode (no PIN), the TPM unseals the key automatically every time the machine boots, so the key is in RAM whenever the system is running, and an attacker who finds the machine powered off only has to turn it on. RAM contents persist for seconds after power loss, and much longer when the modules are cooled. An attacker can: [2]

  1. Cool the RAM (an inverted can of compressed-air duster, or liquid nitrogen) to slow the decay
  2. Cut power
  3. Boot a minimal memory-dumping tool from USB before the contents fade, or move the modules into another machine
  4. Search the dump for the BitLocker key

Solution: Use TPM + PIN. With the machine powered off, the TPM won't unseal the key until the PIN is entered, so an attacker can't boot it to get the key into RAM in the first place. The PIN doesn't help if the attacker finds the machine running or asleep with the key already in memory, so shut down or hibernate rather than sleep when the device leaves your control.
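Step 4 above, finding the key in a dump, is usually done by searching for the AES key schedule rather than the key itself: the expanded round keys sit next to the key in memory, and their mathematical relationship to it survives a few decayed bits. The following added example (not code from the article or from any named forensic tool) implements that search from scratch. Assumptions: the schedule is still resident, the 16/24/32 key bytes themselves survived intact (decay inside them is not corrected here), and the "memory image" is constructed in-line so the script runs offline.

```python
import random

# Added example, not from the article or from any named forensic tool: the
# key-schedule search used to recover AES keys from a RAM image (the method from
# the original cold boot research). Assumptions: the key schedule is still in
# memory, the 16/24/32 key bytes themselves survived, and the "memory image"
# below is constructed in-line so the script runs offline.


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):  # x^254 == x^-1 in GF(2^8)
            inv = _gf_mul(inv, x)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128/192/256; returns all round keys."""
    nk = len(key) // 4
    words = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = words[i - 1][:]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def find_aes_keys(image: bytes, key_len: int = 16, max_bad_bytes: int = 8) -> list:
    """Slide a window over the image. At each offset, treat the bytes as a
    candidate key, expand it, and compare the result with what follows in
    memory. Near matches (up to max_bad_bytes differing, to tolerate bit decay
    in the schedule) are reported as (offset, key, bad_bytes)."""
    sched_len = 16 * (key_len // 4 + 7)
    hits = []
    for off in range(len(image) - sched_len + 1):
        cand = image[off:off + key_len]
        sched = expand_key(cand)[key_len:]
        region = image[off + key_len:off + sched_len]
        bad = sum(1 for a, b in zip(sched, region) if a != b)
        if bad <= max_bad_bytes:
            hits.append((off, cand, bad))
    return hits


def build_test_image(key: bytes, offset: int, size: int = 4096,
                     flipped_bits: int = 3, seed: int = 7) -> bytes:
    """Constructed RAM image: random filler, the key schedule of `key` at
    `offset`, and a few bits flipped outside the key bytes to mimic decay."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(key)
    buf[offset:offset + len(sched)] = sched
    for _ in range(flipped_bits):
        pos = offset + rng.randrange(len(key), len(sched))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    image = build_test_image(key, offset=1234)
    for off, cand, bad in find_aes_keys(image):
        print(f"AES-128 key schedule at offset 0x{off:x}: key={cand.hex()} ({bad} decayed bytes)")
```

Run against a real dump the same scan is simply slower (one key expansion per byte offset), and production tools add error correction for decayed bits inside the key bytes. The lesson for defenders is that the key does not need to be labelled or at a known address to be found: the structure of the schedule gives it away, which is why keeping it out of RAM in the first place (TPM + PIN, hibernate instead of sleep) matters more than hiding it.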

Evil Maid Attacks

An attacker with repeated physical access can:

  1. Modify the bootloader or firmware so that it shows a fake PIN prompt
  2. Wait for you to enter your PIN/password, which the implant records
  3. Restore the original bootloader, come back for the device, and unlock it with the captured PIN

The TPM does detect the modification (the PCR values change, so it won't unseal the key to the modified system), but it can't stop the modified system from asking you for the PIN. If you type it into a prompt you haven't verified, the attacker has what they need.

TPM Vulnerabilities

CVE-2023-1017 and CVE-2023-1018

In 2023, Quarkslab reported two vulnerabilities in the TPM 2.0 reference implementation: an out-of-bounds write (CVE-2023-1017) and an out-of-bounds read (CVE-2023-1018) in the routine that handles encrypted command parameters. Both are reachable by anyone who can send commands to the TPM. [4]

Impact: A local attacker with access to TPM commands could corrupt protected data, crash the TPM, or potentially execute code in the TPM's own context, compromising the keys it holds. Because the flaw was in the reference code, it propagated into multiple vendors' implementations.

TPM-FAIL (2019)

Timing side channels in Intel fTPM and STMicroelectronics discrete TPMs leaked information about the secret nonce used in ECDSA signing. By timing many signing operations and applying lattice techniques to the leaked bits, researchers recovered the private ECDSA keys, including keys used for attestation and digital signatures. [5]

ROCA (2017)

Infineon's RSA key generation library, used in its TPM firmware and smart cards, produced keys with a recognizable structure that made them practical to factor, so the private key could be derived from the public key. This affected millions of devices, including government ID cards. [2]

CVE-2018-6622

A design flaw in how TPM 2.0's static root of trust handles the ACPI S3 sleep transition let an attacker with OS-level privileges get the PCRs reset on resume and then extend forged values into them, defeating the measurements designed to detect boot tampering. [2]

Using TPM Effectively

For BitLocker

  • Use TPM + PIN: Don't rely on TPM alone. A boot PIN stops an attacker from booting a powered-off machine to load the key into RAM, and since the TPM won't unseal without it, there is nothing to sniff on the bus either.
  • Consider fTPM: Firmware TPM avoids bus sniffing attacks (but has its own attack surface)
  • Update firmware: fTPM fixes arrive as UEFI/BIOS updates; discrete TPM fixes arrive as TPM firmware updates from the vendor

For Development/Enterprise

  • Remote attestation: Verify device state before trusting it
  • Measured boot: Log and audit PCR values
  • Key sealing: Bind secrets to known-good configurations

Limitations to Accept

  • TPM doesn't protect a running, compromised system
  • Physical attacks are possible, especially against discrete TPMs
  • TPM vulnerabilities exist and will continue to be discovered
  • TPM is one layer, not complete protection

The Future of TPM

The November 2024 NSA guidance on TPM notes future directions: [6]

  • Supply chain auditing: Using TPM to verify software hasn't been tampered with
  • Runtime integrity: Continuous measurement, not just boot-time
  • Quantum resistance: TPM will need to transition to post-quantum cryptography

As of 2025, nearly all PCs and notebooks ship with TPM. Windows 11 made it mandatory. The technology is standard - understanding its actual security properties is not.

The Reality

TPM provides real, meaningful security benefits:

  • Keys that never leave hardware are harder to steal
  • Boot measurement detects tampering
  • Remote attestation enables zero-trust verification

TPM also has real, meaningful limitations:

  • It doesn't protect running systems
  • Physical attacks exist, especially against discrete chips
  • Vulnerabilities surface regularly in implementations
  • It's one component, not a complete security solution

Use TPM as part of defense in depth. Enable it. Configure it properly (TPM + PIN for BitLocker). Keep it updated. And don't assume it solves problems it wasn't designed to solve.

References

  1. Dolos Group. "From Stolen Laptop to Inside the Company Network." 2021. dolosgroup.io
  2. Wikipedia. "Trusted Platform Module." wikipedia.org
  3. Microsoft. "BitLocker Overview." microsoft.com
  4. Quarkslab. "Vulnerabilities in the TPM 2.0 reference implementation code." 2023. quarkslab.com
  5. TPM.fail. "TPM-FAIL: TPM meets Timing and Lattice Attacks." tpm.fail
  6. NSA. "Trusted Platform Module (TPM) Use Cases." November 2024. defense.gov