In 2021, the Dolos Group demonstrated something alarming: they read a laptop's full disk encryption key by sniffing traffic between the TPM chip and the CPU. The key was transmitted in plaintext over an unprotected bus. The "tamper-resistant" TPM was secure; the wires connecting it weren't. [1]
Windows 11 requires TPM 2.0. BitLocker relies on TPM for key storage. Modern security assumes TPM works. But what does "works" actually mean? TPM provides real security benefits while having real limitations that marketing rarely mentions.
What TPM Is
A Trusted Platform Module is a dedicated security chip (or firmware equivalent) that provides: [2]
- Secure key storage: Cryptographic keys are generated inside the TPM and never leave it
- Platform Configuration Registers (PCRs): Measurements of boot components
- Remote attestation: Cryptographic proof of system state
- Sealed storage: Data encrypted to a specific system state
- Random number generation: Hardware RNG for cryptographic operations
Types of TPM
- Discrete TPM: Separate chip on the motherboard (strongest isolation from the host, but exposed to bus sniffing)
- Firmware TPM (fTPM): Runs in CPU's trusted execution environment (Intel PTT, AMD fTPM)
- Integrated TPM: Built into another chip like the chipset
- Software TPM: Emulation for testing (no security value)
Firmware TPMs avoid bus sniffing attacks because there's no external bus to sniff - the TPM functionality runs inside the CPU. But they're also more complex and have their own vulnerabilities.
What TPM Protects
BitLocker Key Management
The most common use: BitLocker stores its encryption key in the TPM. On boot, the TPM only releases the key if PCR values match expected measurements - meaning the boot chain hasn't been modified. [3]
This protects against:
- Booting from a malicious USB to bypass encryption
- Modifying the bootloader to steal keys
- Cold boot attacks (partially - more below)
Secure Boot Integration
TPM complements UEFI Secure Boot: Secure Boot verifies the signatures on boot components, while measured boot records a hash of each component into PCRs. Each stage measures the next, creating an auditable chain from firmware to OS.
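The extend-and-seal mechanism behind the BitLocker and Secure Boot sections above, as an added worked example (not code from the original article and not a real TPM API): it replays a constructed boot event log into PCR values with the TPM 2.0 extend rule, seals a stand-in volume key to PCRs 0, 4 and 7, and shows that a swapped bootloader changes PCR 4 so the key is refused, which is the detection the Evil Maid section refers to. The event log contents, the PCR selection, the root key and the HMAC-based wrapping scheme are all assumptions made for the example; a real TPM keeps the root key internally and enforces the policy itself.

```python
import hashlib
import hmac
from typing import Optional

# Constructed measured-boot event log: (PCR index, description, component bytes).
# The component bytes are illustrative stand-ins, not real firmware or bootloader images.
GOOD_BOOT_LOG = [
    (0, "platform firmware", b"UEFI firmware 1.0 (constructed sample)"),
    (4, "OS bootloader", b"bootmgfw.efi (constructed sample)"),
    (7, "Secure Boot policy", b"SecureBoot=1 (constructed sample)"),
]
# PCRs the sealed key is bound to (illustrative choice for this example).
SEALED_PCRS = (0, 4, 7)
# Stand-in for the TPM's internal, never-exported root key (assumption: constructed).
TPM_ROOT_KEY = b"constructed-tpm-internal-root-key"


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend operation: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def replay_log(boot_log) -> dict:
    """Recompute final PCR values from an event log, as the TPM accumulated them."""
    pcrs = {}
    for index, _desc, component in boot_log:
        # PCRs 0-16 of the SHA-256 bank hold all-zero bytes after reset
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(32)), component)
    return pcrs


def policy_digest(pcrs: dict, selection) -> bytes:
    """Digest over the selected PCRs, the analogue of a TPM PolicyPCR value."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()


def _wrap_key(pcrs: dict, selection) -> bytes:
    # Assumption for this model: the wrapping key is derived from the root key and
    # the PCR policy, so any change in the selected PCRs yields a different key.
    return hmac.new(TPM_ROOT_KEY, policy_digest(pcrs, selection), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC so secrets of any length can be wrapped
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(secret: bytes, pcrs: dict, selection=SEALED_PCRS) -> bytes:
    """Bind a secret to the current PCR state: blob = ciphertext || integrity tag."""
    key = _wrap_key(pcrs, selection)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, pcrs: dict, selection=SEALED_PCRS) -> bytes:
    """Release the secret only if the PCRs match the sealing-time policy; otherwise refuse."""
    ct, tag = blob[:-32], blob[-32:]
    key = _wrap_key(pcrs, selection)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise PermissionError("PCR policy check failed: boot chain differs from sealing time")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def boot_and_unseal(boot_log, blob: bytes) -> Optional[bytes]:
    """Simulate a boot: replay the measurements, then ask the TPM to unseal the volume key."""
    try:
        return unseal(blob, replay_log(boot_log))
    except PermissionError:
        return None


if __name__ == "__main__":
    volume_key = b"\x11" * 32  # constructed stand-in for a BitLocker volume master key
    blob = seal(volume_key, replay_log(GOOD_BOOT_LOG))
    # Unmodified boot chain: same PCRs, key released
    assert boot_and_unseal(GOOD_BOOT_LOG, blob) == volume_key
    # Modified bootloader: PCR 4 changes, so the TPM refuses to unseal
    tampered = [e if e[0] != 4 else (4, "OS bootloader", b"modified bootmgfw.efi")
                for e in GOOD_BOOT_LOG]
    assert boot_and_unseal(tampered, blob) is None
    print("sealed key released only for the measured-good boot chain")
```

Note what the model does and does not show: the refusal happens only because the wrapping key depends on the PCR values at unseal time. Once a good boot has released the key, nothing in this mechanism protects it in RAM or from a compromised OS, which is exactly the boundary the article draws later.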
Credential Storage
Windows Hello, FIDO2 keys, and other credentials can be bound to TPM. The authentication material never leaves the chip, even if the OS is compromised.
Remote Attestation
TPM can cryptographically prove a system's configuration to remote parties. Enterprise environments use this to verify devices meet security policies before allowing network access.
What TPM Doesn't Protect
Running System Attacks
Once the OS boots, the TPM has released its secrets. Malware running with sufficient privileges can:
- Read decrypted disk contents (the OS has the key)
- Access memory containing secrets
- Use TPM-backed credentials (by calling the legitimate APIs)
TPM protects the boot chain. It doesn't protect a compromised running system.
Physical Attacks on Discrete TPMs
The Dolos Group attack demonstrated the fundamental weakness: discrete TPMs communicate over the LPC or SPI bus. This traffic isn't encrypted by default. An attacker with physical access can: [1]
- Probe the bus between TPM and CPU
- Capture traffic during boot
- Extract the BitLocker key as it's transmitted
- Decrypt the drive
This requires physical access and hardware tools (logic analyzer, oscilloscope), but it's documented and reproducible.
Cold Boot Attacks
When BitLocker uses TPM-only mode (no PIN), the key loads into RAM at boot. RAM contents persist briefly after power loss. An attacker can: [2]
- Cool the RAM (compressed air, canned air, LN2)
- Power off the system
- Boot to a forensic tool before RAM decays
- Read the BitLocker key from memory
Solution: Use TPM + PIN. Without the PIN, the TPM won't release the key, and there's nothing in RAM to capture.
Evil Maid Attacks
An attacker with repeated physical access can:
- Modify the bootloader or firmware
- Wait for you to enter your PIN/password
- Capture credentials and decrypt later
TPM detects modification (PCR values change), but if you enter your PIN anyway, you've authenticated the modified system.
TPM Vulnerabilities
CVE-2023-1017 and CVE-2023-1018
In 2023, Quarkslab discovered critical vulnerabilities in TPM 2.0 reference code - buffer overflows allowing local attackers to overwrite protected data or execute code in the TPM environment. [4]
Impact: An attacker with access to TPM commands could compromise cryptographic keys, bypass protections, or persist across reboots. These affected multiple vendors' implementations.
TPM-FAIL (2019)
Timing side-channel attacks allowed extracting private keys from Intel fTPM and STMicroelectronics discrete TPMs. By measuring how long cryptographic operations took, researchers recovered ECDSA keys used for digital signatures. [5]
ROCA (2017)
Infineon's TPM firmware used a flawed RSA key generation algorithm. RSA keys generated by affected TPMs could be factored - private keys derived from public keys. This affected millions of devices including government ID cards. [2]
CVE-2018-6622
A design flaw in TPM 2.0's static root of trust allowed attackers to reset and forge PCR values - the measurements designed to detect boot tampering. [2]
Using TPM Effectively
For BitLocker
- Use TPM + PIN: Don't rely on TPM alone. A boot PIN prevents cold boot attacks and provides meaningful security even if the TPM is bypassed.
- Consider fTPM: Firmware TPM avoids bus sniffing attacks (but has its own attack surface)
- Update firmware: TPM vulnerabilities get patched through BIOS updates
For Development/Enterprise
- Remote attestation: Verify device state before trusting it
- Measured boot: Log and audit PCR values
- Key sealing: Bind secrets to known-good configurations
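The remote attestation and measured-boot audit items above, as an added worked example (not code from the original article and not a real TPM or attestation-service API): a device produces a quote over its replayed PCR values bound to a verifier-issued nonce, and the verifier checks freshness, the attestation-key signature, consistency between the reported event log and the quoted PCRs, and finally the PCRs against golden values before accepting the device. The device identifier, the event log, and the use of an HMAC key in place of a real asymmetric Attestation Key are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed event log reported by the device (illustrative stand-ins, not real images).
DEVICE_BOOT_LOG = [
    (0, b"UEFI firmware 1.0 (constructed sample)"),
    (4, b"bootmgfw.efi (constructed sample)"),
    (7, b"SecureBoot=1 (constructed sample)"),
]
# Assumption: the verifier enrolled the device's attestation key earlier. A real TPM signs
# quotes with an asymmetric Attestation Key; a shared HMAC key stands in for it here.
ENROLLED_AIK = {"laptop-01": b"constructed-attestation-key-for-laptop-01"}


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def replay(boot_log) -> dict:
    """Recompute PCR values from an event log (PCRs 0-16 start as all-zero bytes)."""
    pcrs = {}
    for index, component in boot_log:
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(32)), component)
    return pcrs


def pcr_digest(pcrs: dict) -> bytes:
    """Single digest over all reported PCRs, the value a quote is signed over."""
    h = hashlib.sha256()
    for i in sorted(pcrs):
        h.update(bytes([i]) + pcrs[i])
    return h.digest()


# ---- device side ----
def make_quote(device_id: str, boot_log, nonce: bytes) -> dict:
    """TPM2_Quote analogue: sign (nonce || PCR digest) with the device's attestation key."""
    digest = pcr_digest(replay(boot_log))
    sig = hmac.new(ENROLLED_AIK[device_id], nonce + digest, hashlib.sha256).digest()
    return {"device_id": device_id, "nonce": nonce, "pcr_digest": digest,
            "sig": sig, "log": boot_log}


# ---- verifier side ----
class Verifier:
    def __init__(self, golden_pcrs: dict):
        self.golden = golden_pcrs   # allowlisted final PCR values from a known-good build
        self.outstanding = set()    # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> str:
        # 1. Freshness: the nonce must be one we issued and not yet used (blocks replay)
        if quote["nonce"] not in self.outstanding:
            return "reject: unknown or reused nonce"
        self.outstanding.discard(quote["nonce"])
        # 2. Authenticity: the quote must be signed by the enrolled attestation key
        aik = ENROLLED_AIK.get(quote["device_id"])
        if aik is None:
            return "reject: unknown device"
        expected = hmac.new(aik, quote["nonce"] + quote["pcr_digest"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return "reject: bad signature"
        # 3. Consistency: the unsigned event log must replay to the signed PCR digest
        replayed = replay(quote["log"])
        if pcr_digest(replayed) != quote["pcr_digest"]:
            return "reject: event log does not match quoted PCRs"
        # 4. Policy: the PCRs must match a known-good configuration
        if replayed != self.golden:
            bad = sorted(i for i in replayed if replayed[i] != self.golden.get(i))
            return f"reject: PCR mismatch on {bad}"
        return "accept"


if __name__ == "__main__":
    verifier = Verifier(replay(DEVICE_BOOT_LOG))
    quote = make_quote("laptop-01", DEVICE_BOOT_LOG, verifier.challenge())
    print(verifier.verify(quote))   # accept
    print(verifier.verify(quote))   # reject: the nonce has already been consumed
```

The event log itself is not signed; only the PCR digest is. That is why step 3 matters: a log that has been edited to look clean will no longer replay to the digest the TPM actually signed, and the verifier can tell which PCR disagrees in step 4.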
Limitations to Accept
- TPM doesn't protect a running, compromised system
- Physical attacks are possible, especially against discrete TPMs
- TPM vulnerabilities exist and will continue to be discovered
- TPM is one layer, not complete protection
The Future of TPM
The November 2024 NSA guidance on TPM notes future directions: [6]
- Supply chain auditing: Using TPM to verify software hasn't been tampered with
- Runtime integrity: Continuous measurement, not just boot-time
- Quantum resistance: TPM will need to transition to post-quantum cryptography
As of 2025, nearly all PCs and notebooks ship with TPM. Windows 11 made it mandatory. The technology is standard - understanding its actual security properties is not.
The Reality
TPM provides real, meaningful security benefits:
- Keys that never leave hardware are harder to steal
- Boot measurement detects tampering
- Remote attestation enables zero-trust verification
TPM also has real, meaningful limitations:
- It doesn't protect running systems
- Physical attacks exist, especially against discrete chips
- Vulnerabilities surface regularly in implementations
- It's one component, not a complete security solution
Use TPM as part of defense in depth. Enable it. Configure it properly (TPM + PIN for BitLocker). Keep it updated. And don't assume it solves problems it wasn't designed to solve.
Related Articles
- UEFI and Secure Boot - TPM works with Secure Boot for measured boot
- SSD Hardware Encryption Failures - Why software encryption beats hardware
- Hardware Security Keys - Physical authentication devices
- Intel Management Engine - Another hardware security component
- Firmware Update Security - Keeping TPM and firmware current
References
- Dolos Group. "From Stolen Laptop to Inside the Company Network." 2021. dolosgroup.io
- Wikipedia. "Trusted Platform Module." wikipedia.org
- Microsoft. "BitLocker Overview." microsoft.com
- Quarkslab. "Vulnerabilities in the TPM 2.0 reference implementation code." 2023. quarkslab.com
- TPM.fail. "TPM-FAIL: TPM meets Timing and Lattice Attacks." tpm.fail
- NSA. "Trusted Platform Module (TPM) Use Cases." November 2024. defense.gov