TPM 2.0, PTT and PSP: Everything you need to know

Among the minimum requirements for Windows 11 is TPM 2.0. Suddenly, it is an important piece for the future of home PC use. But what is the TPM 2.0 that Windows 11 asks for, and why has Microsoft suddenly taken notice of this fairly recent technology?

What is TPM?

TPM, short for Trusted Platform Module, is a specification for a mechanism that protects encryption keys in order to offer an additional layer of security to the system. It can store encryption keys to protect information, and TPM is also the general name for implementations of that specification. It is also known by the international standard name ISO/IEC 11889.

The TPM is a chip that is found in CPUs, but it is disabled by default and it is the end user who must decide to activate it. You can do it yourself or have a technician do it.

What does TPM offer us?

  • Tamper-resistant non-volatile storage. One of its uses is to store non-migratable keys.
  • Volatile memory to safely store integrity measurements made for trusted computing.
  • A secure random number generator.
  • A series of key generation algorithms.
  • Cryptographic functions such as RSA encryption / decryption and hash functions.
  • Secure integrity measurement and reporting tools, along with secure storage of the measurements within the TPM. With this, a verifiable report can be obtained that reflects the integrity of the platform's state.
  • Data sealing so that it is only accessible if the user is authenticated correctly and if the platform has a certain state of integrity.

This set of functionalities allows us to implement both the RTS (Root of Trust for Storage) and the RTR (Root of Trust for Reporting) of trusted computing. It can also be used by the operating system and applications to perform low-performance cryptographic operations. The CRTM (Core Root of Trust for Measurement) provided by the RTM (Root of Trust for Measurement) includes a protected pre-BIOS in which the Trusted Software Stack (TSS) support software also resides. The TSS has functions such as providing a standard interface for TPMs from different manufacturers to communicate with the platform or with remote platforms. The union of the CRTM and the TPM forms the so-called TBB (Trusted Building Block).
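The integrity measurement and sealing functions listed above can be modelled in a few lines. The following is an added example, not code from the original article: it simulates one SHA-256 platform configuration register (PCR) in software and does not talk to a real TPM. The function names and boot-chain strings are hypothetical, and unlike a real TPM the model keeps the sealed secret in plain text.

```powershell
# Added illustration: a software model of one SHA-256 PCR. It does not use a real TPM.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Update-ModelPcr {
    # Extend rule: PCR_new = SHA256(PCR_old || SHA256(component)).
    # A PCR can only be extended, never written directly.
    param([byte[]]$Pcr, [string]$Component)
    $digest = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Component))
    return ,$sha.ComputeHash([byte[]]($Pcr + $digest))
}

function Get-ModelBootPcr {
    # Replay a boot chain from the all-zero reset value; return the final PCR as hex.
    param([string[]]$Chain)
    $pcr = [byte[]]::new(32)
    foreach ($stage in $Chain) { $pcr = Update-ModelPcr -Pcr $pcr -Component $stage }
    return [BitConverter]::ToString($pcr).Replace('-', '').ToLower()
}

function Protect-ModelSecret {
    # "Seal": bind the secret to the PCR value expected at unseal time.
    param([string]$Secret, [string]$ExpectedPcr)
    return [pscustomobject]@{ Policy = $ExpectedPcr; Secret = $Secret }
}

function Unprotect-ModelSecret {
    # "Unseal": release the secret only if the current PCR matches the sealed policy.
    param($Blob, [string]$CurrentPcr)
    if ($CurrentPcr -ne $Blob.Policy) { return $null }
    return $Blob.Secret
}

# Constructed sample boot chains (stand-ins for measured firmware and boot code).
$cases = @(
    @{ Name = 'good';      Chain = 'firmware-1.0', 'bootloader-1.0', 'kernel-1.0' }
    @{ Name = 'modified';  Chain = 'firmware-1.0', 'bootloader-1.0-modified', 'kernel-1.0' }
    @{ Name = 'reordered'; Chain = 'bootloader-1.0', 'firmware-1.0', 'kernel-1.0' }
)
$blob = Protect-ModelSecret -Secret 'disk-encryption-key' `
                            -ExpectedPcr (Get-ModelBootPcr $cases[0].Chain)

foreach ($case in $cases) {
    $pcr = Get-ModelBootPcr $case.Chain
    $out = Unprotect-ModelSecret -Blob $blob -CurrentPcr $pcr
    '{0,-10} PCR={1}... unsealed={2}' -f $case.Name, $pcr.Substring(0, 16), ($null -ne $out)
}
```

Only the unmodified chain reproduces the PCR value the secret was sealed to. A changed or reordered boot component yields a different register value, so the secret is not released.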

PTT, the TPM protocol on Intel CPUs

For Intel processors, TPM technology is known as PTT, an acronym for Platform Trust Technology. TPM established a set of standards and interfaces that allow system manufacturers to build their digital integrity control systems on system hardware.

By using unique cryptographic keys recorded on physical media soldered directly onto the motherboard, the TPM creates what is known as the "root of trust." From that foundation, operating system manufacturers like Microsoft can enable secure full-disk encryption to lock down data even if a disk is removed, and enable system checks that verify low-level boot code before allowing it to be executed.

This system security model was revamped when Intel introduced Intel Platform Trust Technology (PTT) architecture, which implements TPM in system firmware. For your operating system and applications, PTT looks and acts like TPM. The difference is that terminals with Intel PTT do not require a dedicated processor or memory. Instead, they rely on secure access to the system host processor and memory to perform low-level system verification and authentication.

Thanks to PTT, the TPM protocol is being implemented in low-power PCs, tablets and other devices that in the past could not support it. This was due to the additional cost, complexity, power consumption, or physical space that comes with a hardware-based TPM.

Intel CPUs with TPM 2.0

  • Coffee Lake, Intel's 8th generation CPUs
  • Coffee Lake Refresh, Intel's 9th generation CPUs
  • Comet Lake, Intel's 10th generation CPUs
  • Ice Lake, Intel's 10th generation CPUs
  • Rocket Lake, Intel's 11th generation CPUs
  • Tiger Lake, Intel's 11th generation CPUs
  • Intel Xeon Skylake SP
  • Intel Xeon Cascade Lake SP
  • Intel Xeon Cooper Lake SP
  • Intel Xeon Ice Lake SP

PSP, the TPM protocol in AMD CPUs

At the other end of the spectrum from Intel's CPUs are those of AMD, which instead of Platform Trust Technology uses the Platform Security Processor (PSP, not to be confused with Sony's first portable console, the PlayStation Portable). For practical purposes for the home user, there is no special difference between Intel's PTT and AMD's PSP, as they both comply with the TPM security protocol.

The AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, is a trusted execution environment subsystem built into AMD microprocessors since about 2013. According to an AMD developer guide, the subsystem is responsible for creating, monitoring, and maintaining the security environment. Its duties include managing the boot process, initializing various security-related mechanisms, and monitoring the system for any suspicious activity or event and implementing an appropriate response.

The PSP itself is an ARM core with the TrustZone extension, built into the main CPU as a coprocessor. The proprietary, AMD-signed PSP firmware is redistributed via ordinary UEFI image files, so it can be easily parsed. The PSP core starts before the main CPU, and its firmware boot process begins just before the basic UEFI loads. The firmware runs within the same system memory space as user applications with unrestricted access, including MMIO.

AMD CPUs with TPM 2.0

  • AMD Ryzen 2000 Series CPUs
  • AMD Ryzen 3000 Series CPUs
  • AMD Ryzen 4000 Series CPUs
  • AMD Ryzen 5000 Series CPUs
  • AMD Ryzen Threadripper 2000 Series CPUs
  • AMD Ryzen Threadripper 3000 Series CPUs
  • AMD Ryzen Threadripper Pro 3000
  • 2nd Gen AMD EPYC
  • 3rd Gen AMD EPYC Series CPUs

TPM 2.0 in Windows 11 and what it represents

Why Microsoft wants to force you to use TPM 2.0

The quickest and easiest answer is simply security, and standardizing security across Windows-based computers, be they servers, personal computers or high-end tablets. Microsoft wants everyone to have greater security and, among other objectives, to lower the number of malware infections and attacks suffered by devices running the most widespread operating system in the world.

What can I do to have TPM 2.0 on my PC?

First, check whether the CPU of your computer, server or tablet is in the lists of CPUs with the TPM 2.0 protocol given above. If you have one of those CPUs, it is most likely disabled by default, since manufacturers do not activate it and leave that in the hands of the users.

However, the TPM 2.0 protocol was not introduced until 2016, which is relatively recent, so if your CPU is more than four years old it most likely does not have it. In that case you will have to replace it (something difficult with the current component shortage) or buy an adapter that provides the protocol in hardware, but these have been upgraded shortly after the Windows 11 requirements were released.

How to activate TPM 2.0 of our CPU

If we are sure and confirm that our CPU has version 2.0 of the TPM protocol, we proceed to the next series of steps.

  1. We access the BIOS of our PC by pressing the corresponding key during computer startup; the key is shown on screen during startup. If we have Windows 10 booting through UEFI, we can access the BIOS from the Settings app by going to the “Troubleshoot” section, then to “Advanced options” and finally to “UEFI firmware configuration”, and then confirming the system restart.
  2. Depending on the manufacturer, we go to the Security section.
  3. We access Trusted Computing.
  4. We look for the Security Device Support option and activate it. For Intel CPUs, this will be the “Intel Platform Trust Technology” option, while for an AMD CPU it will be “AMD fTPM Switch”.

These steps may vary depending on the motherboard. These are general indications to activate the TPM 2.0 protocol on your computer in a simple way and without having to go to technical service.

We will also need Secure Boot if we want to install Windows 11, another option that is disabled by default in CPUs. To enable it, we enter the BIOS of our motherboard as described in the previous section.

  1. We go to the advanced options section, or within the "Boot" section depending on the motherboard we have.
  2. Click on the “Windows OS Configuration” option.
  3. We check that “BIOS UEFI/CSM Mode” is set to “UEFI”.
  4. We click or select “Secure Boot”.
  5. Click on "Secure Boot Mode" and choose "Custom".
  6. We accept the warning about security keys.
  7. Click on “Enroll all Factory Default Keys” so that the secure boot keys are established.
  8. Click on “Secure Boot” and choose “Enabled”.

After all this, we save the changes made. Our PC should now be ready with the TPM 2.0 protocol enabled, in addition to Secure Boot, to install Windows 11.
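Once Windows has restarted, the result of both procedures can be verified from an elevated PowerShell prompt. This is an added example, not part of the original article: the function name Test-Win11BootSecurity is hypothetical, while the cmdlets and the Win32_Tpm class it calls ship with Windows. It also reports the boot disk's partition style, since a UEFI boot needs a GPT disk.

```powershell
# Added example: read-only check of the firmware settings enabled above.
# Run from an elevated PowerShell prompt; nothing is modified.
function Test-Win11BootSecurity {
    $r = [ordered]@{ TpmVisible = $false; TpmEnabled = $false; TpmSpec = $null
                     SecureBoot = $false; BootDiskStyle = $null; Ready = $false }

    # A TPM left disabled in firmware (PTT / fTPM off) is not exposed to Windows,
    # so an empty result here usually means "not enabled" rather than "not fitted".
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmVisible = $true
        $r.TpmEnabled = [bool]$tpm.IsEnabled_InitialValue
        # SpecVersion is a comma-separated string; the first field is the TPM version.
        $r.TpmSpec    = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI throws on a legacy BIOS/CSM boot and returns
    # $false when the machine boots in UEFI mode with Secure Boot switched off.
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = $false }

    # Partition style (GPT or MBR) of the disk Windows boots from.
    $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    if ($disk) { $r.BootDiskStyle = [string]$disk.PartitionStyle }

    $r.Ready = $r.TpmEnabled -and ($r.TpmSpec -eq '2.0') -and
               $r.SecureBoot -and ($r.BootDiskStyle -eq 'GPT')
    return [pscustomobject]$r
}

Test-Win11BootSecurity | Format-List
```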


Benjamin Rosa

Madrileño whose publishing career began in 2009. I love investigating curiosities that I later bring to you, readers, in articles. I studied photography, a skill that I use to create humorous photomontages.


A comment

  1. You have forgotten to mention that for the PC to boot with UEFI activated, the hard disk partition where the operating system is installed needs to be in GPT, that is, changed from MBR to GPT. Otherwise, the operating system will not boot. I leave a link about this.
