What is a Root-of-Trust (RoT)?

How can I protect my devices?
There has been a fundamental change in how data and systems are stored and accessed, and this has provided attackers with new methods for exploitation. We are all living in an interconnected and online world, in which the ability to manipulate ‘identity’ has never been easier. Being able to verify that something is what it says it is has never been so vital. In the offline world, there are core documents you can provide that attest your identity, like passports, driving licences and birth certificates. Online you may have portable identities requiring passwords and Captcha checks, but when considering software or hardware, how can you ensure your connected device only communicates with trustworthy elements?

Modern attacks no longer focus on breaking encryption algorithms, but instead system integrity, manipulating the properties of a device to retrieve keys and other critical information. To overcome this new threat landscape, the Trusted Computing Group (TCG) is defining the necessary components that establish greater trust and security in all computing systems and providing assurance that systems act appropriately for their applications. This has been achieved through the conception of the Root-of-Trust (RoT).

What is a RoT?
A RoT is an essential, foundational security component that provides a set of trustworthy functions that the rest of the device or system can use to establish strong levels of security. Often integrated as a chip, using a RoT gives devices a trusted source that can be relied upon within any cryptographic system.

These functions include trusted boot, measurement, secure storage, reporting and verification, with the RoT able to store confidential cryptographic keys away from system software, which is often targeted by hackers.

When would I need to use a RoT?
During the development of any connected device, including computers, laptops, tablets, smartphones, sensors and more. This is not to say devices currently operating without a RoT can’t utilize one – these solutions can be integrated at any point to ensure a strong line of defense against attackers.

What sort of devices does a RoT protect?
All sorts of devices, such as computers, laptops, connected devices and more. As new ways to attack vulnerabilities have come to light, the concept of a RoT has evolved to support new areas of computing. Depending on the device and the environment it is used in, there are now a number of different types of RoT available to manufacturers and operators. All are capable of implementing the most fundamental security building blocks within a device or network.

How does a RoT work?
Sitting independently from the system software, a RoT starts a chain of trust by ensuring a computer or device only begins the boot process when it has confirmed there is no malicious code present. By executing a ‘trusted boot’ process, a RoT ensures any software running on the device is trustworthy and that it hasn’t been weaponized by an attacker, keeping the device safe.

The secure storage and cryptographic functions offered through a RoT also handle private keys and trusted processes, allowing the device to authenticate itself accurately through the verification of claims and the encryption/decryption of information.

Where are RoTs being used today?
Selecting the right RoT solution for your device is essential when developing and bringing a new device to market.

The Trusted Platform Module (TPM), from which many of the latest RoTs have been derived, is the obvious choice for larger devices such as computers and laptops. A standardized security product designed for commercial or consumer devices, the TPM offers a superior alternative to software-only approaches, with integrated measures that provide the basis for system integrity checks. By securely collecting information about the boot process during system start-up, the TPM can analyze whether a system is in the expected state and provide strong authentication to enable a device to accurately identify itself to a network.
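The trusted boot chain described under "How does a RoT work?" and the boot-time measurement collection described above can be illustrated with a small simulation. This is an added example, not TCG code: it models a single SHA-256 PCR with TPM-style extend semantics, a constructed set of boot stages, and a verifier that replays the event log against known-good digests; the stage names, image contents and reference manifest are all constructed for illustration.

```python
"""Simulated measured boot: how a RoT/TPM folds each boot stage into a
PCR, and how a verifier checks the reported value against a reference.
Added example, not TCG code; stages and digests are constructed."""
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as all zeros at power-on

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR = H(PCR || measurement). The one-way
    fold means an earlier measurement cannot be undone or swapped out."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(components):
    """Each stage hashes the next stage before handing over control,
    extending the PCR and recording an event-log entry for the verifier."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def verify_report(reported_pcr, log, reference):
    """Verifier side: every logged digest must match the known-good value,
    and replaying the log must reproduce the PCR the device reported."""
    replay = PCR_INIT
    for name, digest_hex in log:
        if reference.get(name) != digest_hex:
            return False, f"unexpected digest for {name}"
        replay = extend(replay, bytes.fromhex(digest_hex))
    if replay != reported_pcr:
        return False, "event log does not replay to reported PCR"
    return True, "system in expected state"

# Constructed "firmware images" standing in for real boot stages.
GOOD_CHAIN = [("bootloader", b"bl-v1.0"), ("kernel", b"kernel-v5"),
              ("initrd", b"initrd-v5")]
REFERENCE = {n: hashlib.sha256(i).hexdigest() for n, i in GOOD_CHAIN}

def demo():
    """Returns the verdicts for a clean boot and for a modified kernel."""
    ok_pcr, ok_log = measured_boot(GOOD_CHAIN)
    tampered = [("bootloader", b"bl-v1.0"), ("kernel", b"kernel-v5-mod"),
                ("initrd", b"initrd-v5")]
    bad_pcr, bad_log = measured_boot(tampered)
    return (verify_report(ok_pcr, ok_log, REFERENCE),
            verify_report(bad_pcr, bad_log, REFERENCE))
```

Because the PCR can only be extended, never reset by software, a device that booted modified code cannot present a clean event log either: the replay check fails, which is what lets a network rely on the reported state.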

In order to support the latest developments in computing, including virtual machines (VMs) and their generated environments, a software-based representation of a TPM known as the vTPM has been developed. This carries out the key security functions such as attestation and key/random number generation without a physical chip being required.

Where can I find more information on the RoTs available?

Interested in solutions for larger devices? See TPM.
Interested in solutions that secure smaller devices? See MARS or DICE.
Interested in solutions for virtual environments? See vTPM.
