Solved Why do new motherboards have TPM headers?

alkaufmann · Jul 8, 2021

Thanks for that information, but I have still not heard any explanation why there is a TPM header on the motherboard if a TPM module is not required.

Ak

PerpetualCycle · Jul 8, 2021

You have got me.

ShamrockRig · Jul 8, 2021

alkaufmann said:
Thanks for that information, but I have still not heard any explanation why there is a TPM header on the motherboard if a TPM module is not required.

Ak

As far as I understand, Firmware TPM means the system will use the TPM chip that's integrated with the CPU. Discrete TPM will use the TPM chip that's connected externally( Module), I dont know why, Why do you get external GPU's and Internal GPU'S, Space? Im not sure but id rather not having to have an ugly tpm module taking up space in my case when i could have a tpm header nice and neat

PerpetualCycle · Jul 9, 2021

Devlin1888 said:
As far as I understand, Firmware TPM means the system will use the TPM chip that's integrated with the CPU. Discrete TPM will use the TPM chip that's connected externally( Module), I dont know why, Why do you get external GPU's and Internal GPU'S, Space? Im not sure but id rather not having to have an ugly tpm module taking up space in my case when i could have a tpm header nice and neat

Not a good comparison I think. You have external GPUs because the performance can be enormously better than internal. TPM is TPM. - it is functional. Firmware TPM Also is integrated with CPU but associated chipset - fine distinctionn.

ShamrockRig · Jul 9, 2021

geneo said:
Not a good comparison I think. You have external GPUs because the performance can be enormously better than internal. TPM is TPM. - it is functional. Firmware TPM Also is integrated with CPU but associated chipset - fine distinctionn.

You get the jist though, I wasn't asking for reasoning on it, it was an example, The reason was irrelevant.

Stigg · Jul 9, 2021

Devlin1888 said:
If you have the header you dont need the module, My mobo has a tpm header at 1.2 which allows the use of firmware tpm to be upgraded to TPM 2.0. Thus i am running TMP 2.0 with a TMP 1.2 header. No module needed

Are you saying that the TPM header has some functionality without even needing the module?

PerpetualCycle · Jul 9, 2021

Devlin1888 said:
You get the jist though, I wasn't asking for reasoning on it, it was an example, The reason was irrelevant.

Already established. :wink:

johnlgalt · Jul 9, 2021

Devlin1888 said:
As far as I understand, Firmware TPM means the system will use the TPM chip that's integrated with the CPU. Discrete TPM will use the TPM chip that's connected externally( Module), I dont know why, Why do you get external GPU's and Internal GPU'S, Space? Im not sure but id rather not having to have an ugly tpm module taking up space in my case when i could have a tpm header nice and neat

No.

CPU supports the *use* of firmware TPM.

Firmware TPM is actually offered by the chipset, and made available via UEFI fw to access the offering by the chipset.

That's why all the webpages of the OEMs saying which motherboards support Win11 TPM requiremetns are all listing the chipset, not the CPU.

johnlgalt · Jul 9, 2021

alkaufmann said:
Thanks for that information, but I have still not heard any explanation why there is a TPM header on the motherboard if a TPM module is not required.

Ak

Same reason some motherboards have 2 PCIe slots while others have 4. Or some motherboards have the ability to expand to 32 GB of RAM, others 64, others 128.

If your board has a TPM header for a physical TPM module, it's one step above a firmware TPM, because it is independent of the UEFI fw (which is how fTPM / PTT is enabled, and thus is dependent upon).

https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf

Now, I have both native UEFI-fw -based fTPM as well as a TOM hardware module header. I can use either. fTPM is by far easier, as I don't have to buy anything at all.

However, if I actually made use of the fTPM, say to store BitLocker or other security information, then I (might) have to take extra steps whenever I need to upgrade my UEFI fw, as it might wipe the stuff stored in fTPM clean (I already know for a fact that currently, my own UEFI fw resets all UEFI settings on a fw update). And that would suck - badly - if I had a BitLocker encrypted drive and all of a sudden it was inaccessible because I upgrade my UEFI fw (or, heaven forbid - if Windows updated it for me without notifying me). In this case, a hardware TPM module will be better, because it will not be reset even when you update the UEFI fw, because it is completely independent of the UEFI.

Right now that doesn't seem like a big deal for most folks, as they don't use BitLocker. But what if the same thing happens in the future with Windows 11 itself? What if it is directly dependent upon the information stored in fTPM - which then gets wiped if you update your UEFI fw?

As time marches on, we'll know more as to what Win11 exactly needs, and what we, as users, need to be prepared for. Right now it's moot, as we don't know what Win11 will actually require when it is finally released.

Dru2 · Jul 9, 2021

johnlgalt said:
However, if I actually made use of the fTPM, say to store BitLocker or other security information, then I (might) have to take extra steps whenever I need to upgrade my UEFI fw, as it might wipe the stuff stored in fTPM clean (I already know for a fact that currently, my own UEFI fw resets all UEFI settings on a fw update). And that would suck - badly - if I had a BitLocker encrypted drive and all of a sudden it was inaccessible because I upgrade my UEFI fw (or, heaven forbid - if Windows updated it for me without notifying me). In this case, a hardware TPM module will be better, because it will not be reset even when you update the UEFI fw, because it is completely independent of the UEFI.

Right now that doesn't seem like a big deal for most folks, as they don't use BitLocker. But what if the same thing happens in the future with Windows 11 itself? What if it is directly dependent upon the information stored in fTPM - which then gets wiped if you update your UEFI fw?

As time marches on, we'll know more as to what Win11 exactly needs, and what we, as users, need to be prepared for. Right now it's moot, as we don't know what Win11 will actually require when it is finally released.

Regarding BIOS updates, BitLocker, and firmware TPM.... as one who uses TPM and updates his BIOS all the time, I can definitively say updating the BIOS does NOT wipe the BitLocker information. If that were the case all one would need to do is update a BIOS to bypass BitLocker.

Looking at an OS BitLocker drive - when you update the BIOS and first boot into the system you will be asked to provide your BitLocker key. Once the key is provided you will be allowed to access the drive and no further BitLocker verifications are subsequently required. If you don't have the key for whatever reason, you won't be able to get into the drive, even if you "revert back" to the original BIOS before the update!

Do keep in mind this is also a security measure because as stated if one wanted to bypass BitLocker all they have to do is update the BIOS. So yes, there is an added danger when updating a BIOS on systems with BitLocker drives. Short fix: Don't lose your key! Been there, done that.

Also, and something to be aware regarding BitLockered drives is you can't just swap them into another machine to bypass the drive encryption because your will still be asked to provide a BitLocker key. Yet another security measure to prevent unauthorized access to an encrypted drive.

fwTPM/TPM and modern day motherboards.... pretty much all motherboards today (and within say the last 10 years) include FW TPM in the BIOS so there's really no need to "buy" a TPM module unless you want added security provided by "discrete" TPM modules, and thus why boards still provide a TPM header.

That said, many already have firmware TPM but don't know it. There are ways to check though; however, if firmware TPM is disabled in the BIOS (and it usually is by default) the typical ways of checking may not work and you would thus have to check the BIOS and enable it. This is where knowing your BIOS comes into play. That said, Brink has a tutorial for an app to check if you have fw_TPM even if it is disabled in the BIOS - Install or Uninstall TPM Diagnostics Tool in Windows 11

Just FYI for all interested.

bobkn · Jul 9, 2021

Dru2 said:
Regarding BIOS updates, BitLocker, and firmware TPM.... as one who uses TPM and updates his BIOS all the time, I can definitively say updating the BIOS does NOT wipe the BitLocker information. If that were the case all one would need to do is update a BIOS to bypass BitLocker.

(snip)

I don't use Bitlocker.

But, I believe that if the Bitlocker information was wiped from the motherboard, the encrypted information would be inaccessible. (The protection against that would be an externally archived key.)

AlanWade · Jul 9, 2021

I have a Prime Z490-P now although I can, and did enable TPM in the BIOS have a M/B header. In the manual its called a TPM - SPI which I ordered, the pin layout on module is totally different to the header but I just enabled it in the BIOS so not needed. Thankfully it didnt cost very much.

SIW2 · Jul 9, 2021

I think the separate module reduces the overhead on the cpu.

PerpetualCycle · Jul 9, 2021

johnlgalt said:
No.

CPU supports the *use* of firmware TPM.

Firmware TPM is actually offered by the chipset, and made available via UEFI fw to access the offering by the chipset.

That's why all the webpages of the OEMs saying which motherboards support Win11 TPM requiremetns are all listing the chipset, not the CPU.

Not quite. The CPU doesn't support the use of it any more than any other device. It is just another device. In the case of Intel PTT it is a device that is part of the Intel Management Engine in the Chipset firmware that the OS discovers like other devices.

From Intel MEInfo tool:

Dru2 · Jul 9, 2021

bobkn said:
I don't use Bitlocker.

But, I believe that if the Bitlocker information was wiped from the motherboard, the encrypted information would be inaccessible. (The protection against that would be an externally archived key.)

I actually use (am using) BitLocker and can tell you from personal experience that updating the BIOS does not wipe the BitLocker information. I would also add that moving a BitLocker drive to another PC and providing the correct key will also unlock it so this suggests there is some code placed on the drive as well.

BTW, if using a Microsoft Account, when encrypting a drive via BitLocker, you are offered the opportunity to store the key in your account (which is what I do). Of course you can store the key elsewhere as long as it's not on the encrypted drive itself.

I keep a backup of my keys in several places since I actually lost a key resulting in me having to reformat the drive thus losing all my data

alkaufmann · Jul 9, 2021

bobkn said:
I'd bet that any motherboard new enough to use any CPU that is on the current support list will include a firmware TPM.

I hope you are right because I was just e-mailed by Newegg that they made a mistake and the TPM SPI module I ordered is out of stock; they are refunding my money. I can order it from one of their 3rd party sellers for more money, I think I will pass.

Ak

Dru2 · Jul 9, 2021

SIW2 said:
I think the separate module reduces the overhead on the cpu.

That's basically it - Intel Platform Trust Technology (PTT): TPM For The Masses

BTW PTT (firmware TPM) was first implemented in 2013 so boards beyond that date should have firmware TPM which would satisfy the Windows 11 TPM requirement. If one needed higher security that's where discrete TPM chips come into play.

I did purchase a discrete TPM chip for one of my boards back in 2014, but it was discovered that some Infineon chips had a security flaw. That said, I did notice it taxed my system once it was installed. The chip has since been patched but I no longer have it installed.

bobkn · Jul 9, 2021

Dru2 said:
I actually use (am using) BitLocker and can tell you from personal experience that updating the BIOS does not wipe the BitLocker information. (snip)

I didn't mean to imply that it did.

It occurs to me that my laptop has had an online BIOS update. Its Win10 Pin is stored in the fTPM, and it was not erased. (Not to suggest that it's the same as a Bitlocker key.)

Dru2 · Jul 9, 2021

alkaufmann said:
I hope you are right because I was just e-mailed by Newegg that they made a mistake and the TPM SPI module I ordered is out of stock; they are refunding my money. I can order it from one of their 3rd party sellers for more money, I think I will pass.

Ak

It's been stated numerous times here and over at tenforums that if you have a new board you don't need buy a TPM chip.

The greatest thing that's happened for scalpers is Windows 11 and TPM. Many users with new PC's are buying a product they simply don't need and this has driven prices up....

And my lead to other issues. As stated dedicated (discrete) TPM modules will tax a system's resources.

Dru2 · Jul 9, 2021

bobkn said:
I didn't mean to imply that it did.

It occurs to me that my laptop has had an online BIOS update. Its Win10 Pin is stored in the fTPM, and it was not erased. (Not to suggest that it's the same as a Bitlocker key.)

I didn't take it that way, I was merely replying to your post :)

Anyway, I can't speak to other forms of drive encryption schemes as I've only dealt with "Microsoft's Windows" built-in BitLocker app. That said, I'd be surprised if any drive encryption scheme got interrupted by a simple BIOS update. That wouldn't speak highly of security