In our last blog, we looked at the work done by our members to develop and popularize the Trusted Platform Module (TPM) since its inception. Now, we look to the current computing landscape, and how the standard has evolved to meet today’s threats.
An evolving threat landscape
In 2024, the global average cost of a data breach was $4.88 million, as attackers continue to try to access and weaponize the devices we rely on. If they succeed, they can cause potentially devastating financial and reputational damage through ransomware and other increasingly complex methods.
As we previously mentioned in our 2025 trends, the increased deregulation witnessed in various industries as a result of significant political shifts across the world, combined with the rise of Artificial Intelligence (AI), the threat of quantum computing and other concerns, is presenting new threats to how society operates. It’s essential that, in the midst of these changes, manufacturers and users alike can verify the trustworthiness of their devices and applications.
A proactive approach to security
Having underpinned trusted computing for twenty-five years now, the TPM is a secure crypto-processor attached to a device to perform security-sensitive operations. Using a TPM helps to protect a user’s identity and sensitive data by storing the keys crucial to encryption, decryption and authentication. Doing so provides a strong first line of defence against potentially critical malware and firmware attacks, as the protected data remains encrypted.
Currently present in over two billion devices worldwide, the TPM maintains strong device security, including for devices where security may be an afterthought – such as printers and washing machines. By implementing a TPM chip, devices gain robust, hardware-based protection rather than relying solely on software security programs. This means manufacturers can quickly and easily encrypt disks and prevent a range of firmware, ransomware and dictionary attacks.
How does a TPM work today?
The TPM standard defines a hardware Root-of-Trust (RoT) that is deployed alongside software measures to enable key security features, including integrity measurements, health checks and authentication services.
During the boot process, the TPM records the device’s health and environment so that operations proceed only if the device is found to be in a trustworthy state. A dedicated processor, the TPM contains an Endorsement Key (EK), which is resistant to software-based access, and an Attestation Identity Key (AIK) used to protect the device against unauthorised tampering. It achieves this by measuring sections of firmware and software before they are executed.
The same measurements are validated by the server when your system tries to connect to a network. If there is a mismatch, the boot process will not complete, so there is no way to access and exploit any data stored on the device. TPMs essentially offer enhanced security by signing and verifying data provided to your device to establish its identity. A TPM also provides hardened storage for software and platform keys, protecting the algorithms in use. Even if an attack succeeds, unauthorised parties still cannot access the information stored within the TPM, giving users assurance without needing their systems constantly evaluated by security professionals.
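As an added illustration of the measure-then-verify flow described above (this is example code written for this post, not code from TCG or from any TPM implementation), the following Python models a single SHA-256 PCR: each boot stage is hashed before it runs, the digests are chained into the PCR, a server compares the reported value against a known-good one, and sealed data is released only on a match. The boot images, the "golden" value and the sealed secret are all constructed here for the demonstration.

```python
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # a SHA-256 PCR reads as all zeros after platform reset

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || digest). One-way and order-dependent, so a
    PCR value can only be reproduced by replaying the same measurements in order."""
    return sha256(pcr + digest)

def measured_boot(components):
    """Each stage hashes the next component before handing control to it and
    extends the digest into the PCR. Returns (final PCR value, event log)."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        digest = sha256(image)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def health_check(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Server-side validation: the reported PCR must equal the known-good
    value enrolled for this platform (constant-time compare)."""
    return hmac.compare_digest(reported_pcr, golden_pcr)

def unseal(sealed: dict, current_pcr: bytes):
    """Sealed data is released only when the current PCR matches the policy
    it was sealed to; a modified boot chain yields a different PCR."""
    if not hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return None
    return sealed["secret"]

# Constructed stand-ins for real firmware and software images (not real files).
GOOD_CHAIN = [("firmware", b"bios v1.2"), ("bootloader", b"grub 2.12"), ("kernel", b"linux 6.8")]
MODIFIED_CHAIN = [("firmware", b"bios v1.2"), ("bootloader", b"grub 2.12 patched"), ("kernel", b"linux 6.8")]

def demo():
    golden, _ = measured_boot(GOOD_CHAIN)              # enrolled known-good value
    sealed = {"policy_pcr": golden, "secret": b"disk-key"}  # constructed secret
    good_pcr, _ = measured_boot(GOOD_CHAIN)
    bad_pcr, _ = measured_boot(MODIFIED_CHAIN)
    return {
        "good_passes": health_check(good_pcr, golden),
        "modified_passes": health_check(bad_pcr, golden),
        "good_unseals": unseal(sealed, good_pcr) == b"disk-key",
        "modified_unseals": unseal(sealed, bad_pcr) is not None,
    }
```

Running demo() shows the unmodified chain passing the health check and unsealing the secret, while a single changed byte in the bootloader fails both.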
TPM 2.0
The evolving nature of IoT and the increased demand for security beyond the traditional PC environment led us to evolve the TPM into a new TPM specification – one that was adopted as an international standard, ISO/IEC 11889:2015.
To offer greater flexibility of application and to enable more widespread usage of TPMs, we took a ‘library’ approach to TPM 2.0. Now, users can choose the most applicable aspects of TPM functionality for the level of implementation and security required. New features and functions were also included, such as ‘algorithm agility’, which provides the ability to implement new cryptographic algorithms as needed. This flexibility means TPMs can support a range of embedded applications, including those found in automotive, industrial, smart homes and beyond.
The ‘algorithm interchangeability’ feature also means algorithms can be exchanged for enhanced cryptographic agility. TPM 2.0 surpasses previous versions as it also improves basic signature verification and the ability to handle keys for both limited and conditional use. As a result, manufacturers benefit from greater functionality, enhanced device performance and quicker operations, with the chip capable of being used in devices and applications where resources (and security budgets) are limited.
What is the right TPM for my requirements?
There are several types of TPMs especially popular today, all offering different trade-offs between cost, features and security. For example, a Discrete TPM provides the highest level of security, as might be needed to secure a brake controller in a car. This TPM ensures that the device it is protecting will not be hacked even via sophisticated measures. To accomplish this, a discrete chip is designed, built and evaluated for the highest level of security to resist potential tampering.
Next is an Integrated TPM. It still has a hardware TPM, but is instead integrated into a chip that provides functions other than security. The hardware implementation makes it resistant to software bugs, yet it is not designed specifically to be tamper resistant.
Firmware TPMs are implemented in protected firmware; as the code runs on the main central processing unit (CPU), a separate chip is not used. The code is hosted within a protected environment that is separated from the rest of the programs running on the CPU. This is known as a ‘trusted execution environment’ (TEE), and this separation means secrets such as private keys that the TPM requires but that must not be accessible to others are kept protected. It also makes it difficult for attackers to reach these keys even after a successful compromise of the main system.
Businesses can also choose to use a Software TPM, which is actually implemented as an emulator of a TPM. While offering fewer security capabilities, this option is very good for building and/or testing a system prototype with a TPM in it. For cloud environments, a virtual TPM (vTPM) is used to form part of the environment and provide the same commands that a physical TPM would – the main difference being that these commands are served separately to each virtual machine.
Overcoming future threats
Remaining an essential tool in supporting cybersecurity, TPM 2.0 is mandated by many major organizations, for example for operating systems such as Windows 11. Key features such as Windows Hello for identity protection, or BitLocker for data protection, are delivered through the use of a TPM, making the standard an indispensable element of device security.
The TPM Work Group continues to evaluate current and future market requirements to evolve the standard further. This includes quantum computing, since the age in which quantum computers will be able to crack all kinds of security, including the ones considered ‘hard’ by cryptographers, grows ever nearer. 54% of cryptographic experts now expect RSA-2048-scale quantum computers will be developed before 2040, and institutions such as the National Institute of Standards and Technology (NIST) have standardized new algorithms to try to get ahead of this pressing deadline. This is just one example of an area TCG is looking at when it comes to securing devices today and beyond.