TPM 1.2 vs 2.0
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google, have announced they will remove support for SHA-1 based signing or certificates in 2017.
- TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the TCG Algorithm Registry. Some TPMs do not support all algorithms.
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see CNG Cryptographic Algorithm Providers.
- TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
- Use of TPM 2.0 may help eliminate the need for OEMs to make exceptions to standard configurations for certain countries and regions, since the algorithm set is no longer fixed to RSA and SHA-1.
- TPM 2.0 offers a more consistent experience across different implementations.
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, an integrated component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on a general purpose SoC.
A firmware-based TPM (fTPM) is a Trusted Platform Module implemented in protected firmware that runs in the TEE of the main CPU or SoC, using that processor's resources and execution context, so no separate chip is required. It also has no dedicated non-volatile storage of its own: it relies on the platform firmware and the operating system to provide access to storage.
One consequence of lacking dedicated storage is that an fTPM may not carry a manufacturer-provisioned Endorsement Key (EK) certificate, which a discrete TPM normally has in its NV storage from the factory; attestation scenarios that depend on the EK certificate then need it supplied another way.
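The following script, added here as an example and not taken from the Microsoft documentation this page references, turns the points above into a local check: it reads the TPM's specification family (1.2 vs 2.0), the dictionary-attack lockout parameters that Windows manages on TPM 2.0, and whether an Endorsement Key certificate is present in NV storage, which is where a discrete TPM and an fTPM most often differ. It uses the real `TrustedPlatformModule` cmdlets (`Get-Tpm`, `Get-TpmEndorsementKeyInfo`) and the `Win32_Tpm` CIM class; the warning texts and the `$report` field names are my own.

```powershell
# Added example: TPM inventory check (not part of the Microsoft docs).
# Requires an elevated PowerShell session on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator

Import-Module TrustedPlatformModule

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning "No TPM detected (or the TPM is disabled in firmware)."
    return
}

# Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38" (family, level, revision)
# on a TPM 2.0 part, or "1.2, 2, 3" on a TPM 1.2 part.
$cim    = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
$family = ($cim.SpecVersion -split ',')[0].Trim()

# Hypothetical report layout (names chosen for this example).
$report = [ordered]@{
    SpecFamily      = $family
    SpecVersion     = $cim.SpecVersion
    Manufacturer    = $tpm.ManufacturerIdTxt
    FirmwareVersion = $tpm.ManufacturerVersion
    TpmReady        = $tpm.TpmReady
    LockedOut       = $tpm.LockedOut
    LockoutCount    = $tpm.LockoutCount     # failed auth attempts counted so far
    LockoutMax      = $tpm.LockoutMax       # attempts allowed before lockout
    LockoutHealTime = $tpm.LockoutHealTime  # time for one attempt to be forgiven
}

if ($family -eq '1.2') {
    # TPM 1.2: RSA and SHA-1 only, and lockout policy is vendor-defined rather
    # than configured by Windows, so the Lockout* values above are not comparable
    # across vendors.
    Write-Warning "TPM 1.2 detected: RSA/SHA-1 only; lockout behaviour is vendor-specific."
}

# Endorsement Key and its certificate. A discrete TPM is normally provisioned
# with a manufacturer EK certificate in NV storage at the factory; an fTPM,
# having no dedicated storage, may expose an EK with no certificate at all.
$ek = Get-TpmEndorsementKeyInfo -Hash "Sha256"
$report.EkPresent              = $ek.IsPresent
$report.EkPublicKeyHash        = $ek.PublicKeyHash
$report.EkManufacturerCerts    = $ek.ManufacturerCertificates.Count
$report.EkAdditionalCerts      = $ek.AdditionalCertificates.Count

if ($ek.IsPresent -and $ek.ManufacturerCertificates.Count -eq 0) {
    Write-Warning "EK present but no manufacturer EK certificate in NV storage; attestation flows that need the EK certificate must obtain it out of band."
}

[pscustomobject]$report | Format-List
```

Run it once on a discrete-TPM machine and once on an fTPM system (for example a recent AMD or Intel platform with the firmware TPM enabled) and compare `EkManufacturerCerts`; the lockout fields are only meaningful on the 2.0 family, where Windows sets them.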
Supported applications and features
The following table defines which Windows features require TPM support.
*with reference to: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/