jeffqchen/DIY-Asus-TPM-M-r2.0-Module
It’s hard to find those TPM modules that no one knew they needed, until Windows 11 happened. So here’s one in case you need it.
There are many variants, so please use this as a reference to create your own.
- 2 mm pitch double-row right-angle pin header (choose the 2×7 option)
- 4× 100 nF 6.3 V 0603 SMD capacitors
- 2× 10 kΩ 0603 SMD resistors
Note: you do NOT have to follow the links I used. The specs are laid out so you can source your own parts if you prefer.
3D Printed Shell (Optional)
- Print with the text facing upwards
- Suggested layer height: 0.16mm.
- Suggested line width: 0.35mm.
- Uses two 6 mm M2 screws and nuts.
You have to know how to solder VERY well. Experience in soldering TSSOP and SMD components is required.
Note that the pin header should be keyed. You can cut off a piece of a compatible pin and press it into the hole on the bottom row, the 3rd one from the right.
Note: if you are an amateur at soldering, this is not a bad project to learn on, since everything is quite affordable. Learn how to pre-tin SMD pads for the caps and resistors, how to tack a chip in place, and then drag-solder along one side, then the other. We all have to start somewhere.
Seat it on the motherboard’s TPM header with the power turned OFF (I don’t have to teach you the basics, right?). On my motherboard, once booted into the BIOS, the chip was automatically recognized and ready to go. Windows 10 also recognized it without any fuss.
Updating TPM Chip Firmware
The firmware version on the chip might be quite outdated and require an update to work properly with Windows. Refer to the following guides on how to update the firmware on your TPM chip:
Note: it is possible that your chips come with a rare firmware version for which no update can be found. You might have to find a different seller and try your luck if that’s the case.
Best Trusted Platform Modules (TPM) 2021
Microsoft confirmed with the official launch of Windows 11 that a Trusted Platform Module (TPM) 2.0 will be a soft requirement. It’s still early days and we’re not entirely sure how this requirement will be enforced, but most PCs should be fine. If for some reason your PC doesn’t support TPM and you want to get ahead of the game for Windows 11, we’ve rounded up some TPM add-ons for compatible boards. These are required only if you cannot activate TPM through the UEFI BIOS.
For Asus motherboards
This TPM 2.0 module is designed by Asus for its Intel motherboards. Please make sure your motherboard has a TPM header.
For ASRock motherboards
This TPM 2.0 module is designed by ASRock for its Intel motherboards. Please make sure your motherboard has a TPM header.
For MSI motherboards
This TPM 2.0 module is designed by MSI for its Intel motherboards. Please make sure your motherboard has a TPM header.
Choosing the right TPM
It’s important to check your motherboard manual to make sure you actually have a TPM header before buying one of these security modules. It’s also important to remember that most CPUs and motherboards released in the past few years support Windows 11 out of the box: you can activate a firmware TPM through the UEFI BIOS on most platforms. These modules should be considered a last resort (or the choice if you feel a discrete hardware TPM trumps all).
We don’t recommend mixing TPMs and motherboards. If you own an Asus motherboard with a TPM header, it’s best to use the Asus TPM alone; the same goes for other motherboard manufacturers. If you’d rather buy a new motherboard and be certain you’re ready to go, we’ve rounded up the best motherboards for the latest AMD and Intel CPUs.
Do I need a Trusted Platform Module?
Probably not. We’re still not sure how hard a requirement Microsoft will make TPMs. If your motherboard and CPU combination support a firmware-based TPM, you’ll be good to go with Windows 11: all that’s required is a few changes in the UEFI BIOS and Windows should run just fine.
A physical TPM module is required only if your PC cannot provide a TPM without a physical add-on module.
Rich Edmonds was formerly a Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He’s been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him at @RichEdmonds.
How to enable TPM and Secure Boot in BIOS for Windows 11
Windows 11 requires TPM 2.0 and Secure Boot enabled to install, and here are the steps to enable the security features on your computer.
If you plan to upgrade to Windows 11, you must first check and enable TPM 2.0 and Secure Boot in the BIOS (UEFI) of your computer’s motherboard (from Asus, Dell, MSI, Gigabyte, etc.) as part of the preparation.
On Windows 11, one of the most significant changes is the requirement for Trusted Platform Module (TPM) version 2.0 and Secure Boot. According to Microsoft, TPM 2.0 and Secure Boot are needed to provide a better security environment and prevent (or at least minimize) sophisticated attacks, common malware, ransomware, and other threats.
A TPM is a piece of hardware, usually (but not always) integrated into the motherboard, which offers a protected environment for storing and guarding the encryption keys used when encrypting the drive with features like BitLocker. Secure Boot, on the other hand, is a UEFI firmware feature that allows the device to boot only software signed by keys the manufacturer trusts.
This guide will teach you the steps to check and enable TPM 2.0 and Secure Boot to install Windows 11. (See also the steps to enable these two security features on VMware Workstation and Hyper-V to run the new OS on a virtual machine.)
Check if TPM 2.0 is present for Windows 11
To determine whether a TPM is present and enabled for Windows 11, open the TPM Management console:
- Open Start.
- Search for tpm.msc and press Enter to open the app.
If the computer includes a TPM chip, you’ll see the hardware information and its status, including the specification version (it must be 2.0). If it instead reads “Compatible TPM cannot be found,” the chip is disabled in the UEFI firmware, or the device doesn’t have a compatible Trusted Platform Module.
Enable TPM 2.0 in BIOS for Windows 11
To enable TPM 2.0 in the BIOS so the Windows 11 hardware check passes, use these steps:
- Open Settings.
- Click on Update & Security.
- Click on Recovery.
- Under the “Advanced startup” section, click the Restart now button.
- Click on Troubleshoot.
- Click on Advanced options.
- Click the “UEFI Firmware settings” option.
- Click the Restart button.
- Click the advanced, security, or boot settings page, depending on the motherboard.
- Select the TPM 2.0 option and choose the Enabled option.
If the motherboard doesn’t have a discrete TPM chip and you are running an AMD processor, the module may be built into the processor, and the option will appear as “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch.” On an Intel-based system, TPM 2.0 will be available as Platform Trust Technology (PTT).
If the firmware has no TPM option and this is a custom build, you may be able to purchase a module to add the support. However, consult the motherboard manufacturer’s website first to confirm that the board has a TPM header and supports a specific module.
After you complete the steps, the Windows 11 check should pass, allowing you to upgrade the computer to the new OS.
Check if Secure Boot is present for Windows 11
To determine whether Secure Boot is enabled on the computer, use these steps:
- Open Start.
- Search for System Information and click the top result to open the app.
- Click on System Summary on the left pane.
- Check the “Secure Boot State” information and confirm the feature is turned “On.” (If not, you need to enable the option manually.)
Once you complete the steps, you can continue with the Windows 11 installation if the security feature is enabled. Otherwise, you must follow the steps to enable it inside the UEFI firmware.

Enable Secure Boot in BIOS for Windows 11
If your computer currently boots in legacy BIOS mode, you first need to convert the system drive from MBR to GPT (Microsoft ships the MBR2GPT tool for this), then switch the firmware to UEFI mode and enable Secure Boot. Switching the firmware to UEFI while the disk is still MBR leaves the computer unable to boot. If you are performing a clean installation you can skip the conversion, but it is required if you are upgrading from the Windows 10 desktop.
To enable Secure Boot in the UEFI firmware, use these steps:
- Open Settings.
- Click on Update & Security.
- Click on Recovery.
- Under the “Advanced startup” section, click the Restart now button.
- Click on Troubleshoot.
- Click on Advanced options.
- Click the “UEFI Firmware settings” option.
- Click the Restart button.
- Click the advanced, security, or boot settings page, depending on the motherboard.
- Select the “Secure Boot” option and choose the Enabled option.
Almost every device with UEFI firmware will include Secure Boot, but if this is not the case, you will need to upgrade the system or consider getting a new computer that meets the Windows 11 requirements.
After you complete the steps, the computer should pass the hardware verification process to proceed with the in-place upgrade or clean install of Windows 11.
Understanding BitLocker TPM Protection
Investigating a BitLocker-encrypted hard drive can be challenging, especially if the encryption keys are protected by the computer’s hardware protection, the TPM. In this article, we’ll talk about the protection that TPM chips provide to BitLocker volumes, and discuss vulnerabilities found in today’s TPM modules.
What is TPM
Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. Physically, the TPM might be implemented as a chip soldered onto the board, as an add-on module installed into a header on a desktop motherboard, or as firmware running inside the platform chipset or CPU (a firmware TPM such as Intel PTT or AMD fTPM).
(Figures in the original show Infineon Optiga TPM chips and a standalone TPM module for Asus motherboards.)
The platform consists of a secure cryptoprocessor and a small amount of built-in non-volatile memory. The main functions of a TPM are the generation, storage and secure management of cryptographic keys; in BitLocker’s case, the key that unlocks the volume. The operating system provides APIs for developers to access the TPM, and itself uses the TPM to manage encryption keys.
In this article, I will talk about the role of TPM in BitLocker encryption.
When Windows developers were designing the disk encryption scheme, they attempted to counter the following threats:
- Signing in to the user’s account without valid authentication credentials
- Moving the hard drive to a different system for analysis
- Altering the computer’s configuration for gaining access to the data
- Running an alternate OS for gaining access to the data
The top priority, however, was that the protection was as transparent and as unobtrusive to the user as possible. Ideally, the user would never notice the encryption; this goal has been achieved. For those who need extra protection against additional threats, the developers allowed specifying a pre-boot PIN code or adding other types of protectors (e.g. a physical smartcard or USB drive).
How BitLocker works
BitLocker uses symmetric encryption. By default, AES-128 is used to encrypt data in either XTS (new) or CBC (legacy) mode. The sectors are encrypted with the Full Volume Encryption Key (FVEK), which is stored in the volume metadata encrypted under the Volume Master Key (VMK). The VMK in turn can be obtained in one of the following ways:
- Decrypted with the user’s password, if this protector is enabled for the given volume.
- Decrypted with a Recovery Key. The Recovery Key is generated automatically when encryption is first enabled; it is then saved to a file, uploaded to the user’s Microsoft Account, or stored in Active Directory.
- Released by the TPM when certain conditions are met (the subject of this article).
(A figure in the original shows how BitLocker communicates with the TPM.)
The TPM’s measured-boot mechanism is a hash chain, which is why it is often compared to a blockchain. During boot, the system builds a chain of trust that is recorded in the Platform Configuration Registers (PCRs): a PCR is never written directly, only extended, with the new value computed as PCR = H(PCR_old || H(measurement)).
This is what happens when the computer boots:
- Power on. The SRTM (Static Root of Trust for Measurement) is the first trusted code to run. It lives in the computer’s boot ROM and cannot be altered by software. A vulnerability in this component breaks the entire protection scheme, as the developers of the checkm8 boot ROM exploit for iOS devices demonstrated. The SRTM inserts the first record into the chain of trust by measuring (hashing) the firmware image and extending a PCR with the result.
- The UEFI BIOS loads. The firmware measures the computer’s configuration, including the drive partitioning, the boot sector or EFI boot entries, the bootloader and many other parameters, including the firmware of certain components (e.g. option ROMs, fingerprint readers or smartcard readers). Each measurement is folded into the existing PCR value, so any change to an earlier measurement changes every value that follows in that register; the chain cannot be repaired by adding more records.
- After extending several PCRs, the firmware loads the bootloader from the boot device. The bootloader extends a few more records.
- Finally, the OS kernel starts. The kernel keeps adding to the chain of trust.
As you can see, once the OS is finally loaded, the PCRs hold a digest of the entire boot chain. Note that the TPM does not allow modifying PCRs: one cannot alter or remove existing records, only extend them, and they are reset only when the TPM itself is reset at power-on.
BitLocker encryption
When the user enables BitLocker on a disk volume, Windows generates a random Volume Master Key (VMK) as well as a recovery key. The VMK is sealed to the TPM: encrypted under a TPM-resident key with a policy that names the PCR values the boot chain must reproduce. The sealed VMK, and a second copy encrypted with the recovery key, are saved in the volume metadata on disk; the TPM itself stores neither. When the computer is rebooted, the following happens:
- All PCRs are reset.
- The system follows steps 1 through 4 described earlier.
- The Windows boot manager attempts to unlock the encrypted volume and asks the TPM to unseal the VMK. The TPM evaluates the chain of trust by checking the current PCR values against the sealing policy. If they differ, the VMK is not released; the boot manager then displays a message asking the user to unlock the volume with the Recovery Key.
As you can see, if the computer is powered off, the only way to obtain the VMK from the TPM is to boot the original OS in its original configuration. Altering a single measured component triggers the prompt for the Recovery Key.
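The following toy model, written for this page and not part of the original article or of Windows, puts the boot steps above and the seal/unseal sequence into runnable form. It simulates PCR extension (H(PCR_old || H(measurement))), binds a stand-in VMK to a chosen set of PCRs, and shows that a tampered bootloader prevents the unseal while a change to an unselected PCR does not. It also models the TPM+PIN protector discussed later on the page (the PIN as a TPM authorization value with a lockout counter). All event-log contents, the 32-byte VMK, the PIN, the "chip seed" and the five-failure lockout are constructed assumptions; a real TPM wraps secrets with asymmetric keys and binds BitLocker to PCR 7 and 11 by default on UEFI systems.

```python
import hashlib
import hmac
import os

PCR_BYTES = 32   # one SHA-256 PCR bank
NUM_PCRS = 24    # TPM 2.0 requires at least 24 PCRs per bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(measurement)).
    A PCR has no write or clear operation at runtime, only extend."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(event_log):
    """Replay a boot: every (pcr_index, blob) extends that PCR.
    All PCRs start at zero, as after a TPM reset at power-on."""
    pcrs = {i: bytes(PCR_BYTES) for i in range(NUM_PCRS)}
    for idx, blob in event_log:
        pcrs[idx] = pcr_extend(pcrs[idx], blob)
    return pcrs


def pcr_policy_digest(pcrs, selection):
    """Composite digest over the selected PCRs, the value a PCR policy binds to."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


class ToyTPM:
    MAX_FAILURES = 5   # constructed stand-in for the dictionary-attack lockout

    def __init__(self):
        self._seed = os.urandom(32)   # chip-internal secret; never exported
        self.failures = 0

    def _policy_tag(self, policy):
        return hmac.new(self._seed, b"policy" + policy, hashlib.sha256).digest()

    def _wrap_key(self, policy, auth):
        # Reconstructible only inside the chip, for this PCR state and this auth value
        return hmac.new(self._seed, policy + hashlib.sha256(auth).digest(),
                        hashlib.sha256).digest()

    def seal(self, secret, pcrs, selection, auth=b""):
        assert len(secret) <= PCR_BYTES
        policy = pcr_policy_digest(pcrs, selection)
        key = self._wrap_key(policy, auth)
        stream = hashlib.sha256(key + b"stream").digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        # The blob is stored on disk and is public; it is useless without the chip
        return {"selection": sorted(selection), "ptag": self._policy_tag(policy),
                "ct": ct, "tag": tag}

    def unseal(self, blob, pcrs, auth=b""):
        policy = pcr_policy_digest(pcrs, blob["selection"])
        if not hmac.compare_digest(self._policy_tag(policy), blob["ptag"]):
            return None                      # boot chain differs: refuse, no lockout count
        if self.failures >= self.MAX_FAILURES:
            return None                      # locked out after too many bad PINs
        key = self._wrap_key(policy, auth)
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(),
                                   blob["tag"]):
            self.failures += 1               # wrong auth value (PIN)
            return None
        self.failures = 0
        stream = hashlib.sha256(key + b"stream").digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


VMK = bytes(range(32))   # constructed stand-in for the 256-bit Volume Master Key

GOOD_LOG = [   # constructed event log; PCR numbers follow PC Client usage
    (0, b"UEFI firmware 1.20"),
    (2, b"option ROM: onboard NIC"),
    (4, b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"),
    (7, b"Secure Boot: enabled, PK/KEK/db as shipped"),
]
TAMPERED_LOG = [(i, b"evil bootmgr" if i == 4 else b) for i, b in GOOD_LOG]
UNRELATED_LOG = [(i, b"option ROM: replaced NIC" if i == 2 else b) for i, b in GOOD_LOG]


def demo():
    tpm = ToyTPM()
    good = measured_boot(GOOD_LOG)
    tpm_only = tpm.seal(VMK, good, {4, 7})                  # TPM-only protector
    tpm_pin = tpm.seal(VMK, good, {4, 7}, auth=b"123456")   # TPM+PIN protector
    out = {
        "good_boot": tpm.unseal(tpm_only, good) == VMK,
        "tampered_boot": tpm.unseal(tpm_only, measured_boot(TAMPERED_LOG)),
        "unselected_pcr": tpm.unseal(tpm_only, measured_boot(UNRELATED_LOG)) == VMK,
        "pin_missing": tpm.unseal(tpm_pin, good),
        "pin_ok": tpm.unseal(tpm_pin, good, auth=b"123456") == VMK,
    }
    for guess in range(10):                                 # brute-forcing trips the lockout
        tpm.unseal(tpm_pin, good, auth=str(guess).zfill(6).encode())
    out["locked_out"] = tpm.unseal(tpm_pin, good, auth=b"123456") is None
    return out


if __name__ == "__main__":
    print(demo())
```

The "unselected_pcr" case is the practical caveat: only the PCRs named in the sealing policy are checked, so a component measured into a PCR outside that set can change without affecting the unseal. Which PCRs BitLocker binds to is a platform validation profile setting, and narrowing it (for example to PCR 7 only on Secure Boot systems) is a deliberate trade of strictness for fewer recovery prompts.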
Bypassing TPM
More often than not, you are analyzing a ‘cold’ system. If this is the case, capture the disk image before anything else. You can use Elcomsoft System Recovery to do that; before taking the image, it shows the list of disk partitions along with their encryption settings. If the tool reports that the disk is encrypted with BitLocker but no password hash can be extracted (i.e. there is no password protector), you’ll have to either use the Recovery Key or attempt to extract the VMK from the TPM.
Extracting Volume Master Key from RAM
If you are able to sign in to the computer, you may attempt capturing its memory image. By analyzing the RAM image with Elcomsoft Forensic Disk Decryptor you may be able to discover the master key and decrypt the volume without any other attacks. This will not be possible, however, if the user configured a pre-boot protector such as a PIN (TPM+PIN) and the machine is not already booted and unlocked. If you attempt to brute-force the PIN, the TPM’s dictionary-attack protection will lock access to the sealed key, either permanently or for a period of time.
While you may prefer live system analysis to capturing the encryption key and decrypting the disk image, offline analysis is significantly more forensically sound, even if it is labor-intensive.
Cold boot and FireWire/Thunderbolt attacks
The fact that the TPM releases the VMK at an early stage of boot allows for a rather unique attack called the ‘cold boot attack’. This attack relies on the fact that the computer’s memory chips retain their content for several seconds after power is removed, and for much longer if cooled to sub-zero temperatures. In a cold boot attack, you start the computer and wait while the system boots. By the time the login prompt appears, the BitLocker volume is already mounted, and the VMK has been decrypted and is held in RAM. You then cool the RAM modules with a commercially available refrigerant spray, immediately remove them, install them in the test computer and boot it into a Linux image with the LiME kernel module. You can then dump the memory image and scan it with Elcomsoft Forensic Disk Decryptor for BitLocker encryption keys.
A similar attack is available for older systems running Windows 7 and Windows 8 if they are equipped with a FireWire or Thunderbolt port or a PC Card slot. If this is the case, you can attempt to capture a memory dump over DMA with the infamous Inception tool (yes, it’s “that Python tool”). A memory dump made with Inception can be loaded into Elcomsoft Forensic Disk Decryptor and scanned for the master key. The VMK can then be used either to completely decrypt the disk image or to mount it for faster analysis.
Unfortunately, this method is only available on older systems running Windows 7 or Windows 8. Windows 8.1 already mitigates the vulnerability by disabling DMA over Thunderbolt while the computer is sleeping or locked.
The Sleep Mode attack
In 2018, researchers Seunghun Han, Wook Shin, Jun-Hyeok Park, and HyoungChun Kim from the National Security Research Institute published a paper named A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping (PDF). When the computer enters the S3 sleep state, the TPM saves its PCRs to NVRAM and restores them when the computer wakes up. The researchers discovered that during this save/restore window the PCR contents can be manipulated, allowing the chain of trust to be replayed or modified. They notified major vendors such as Intel, Lenovo, Gigabyte, Dell, and HP, who patched the vulnerability in BIOS updates. However, since few users install BIOS updates, many computers remain vulnerable.
Seunghun Han released two tools: Napper for TPM and Bitleaker. The first tests the computer’s TPM for the “Bad Dream” vulnerability, while the second is the actual exploit one can run if the TPM is unpatched.
The second tool requires manually creating an Ubuntu Live CD and compiling and installing Bitleaker according to its manual. You will need to disable Secure Boot to run the tool. The alternative would be signing the modified bootloader and kernel with your own key and enrolling the public key in the firmware; this, however, defeats the purpose, as it alters the PCR values.
Intercepting TPM signals
Discrete TPM modules are connected to the computer via the LPC (Low Pin Count) bus. This bus carries data between “slow” devices, such as serial ports, and operates at 33 MHz. Denis Andzakovic showed that, in BitLocker’s default configuration, a TPM-protected OS drive can be accessed by sniffing the LPC bus, capturing the volume master key as the TPM returns it, and using the recovered VMK to decrypt the protected drive.
For TPM 1.2, he used the DSLogic Plus USB logic analyzer. He found it far from ideal for sniffing TPM traffic, since he had to solve synchronization problems and even patch the analyzer firmware; nevertheless, he successfully extracted the VMK from the TPM.
Sniffing TPM 2.0 was much easier with a cheap Lattice iCEstick FPGA board and special firmware designed for sniffing TPM modules.
All he needed to do was solder wires to the TPM pins, enable the sniffer and read out the master key. More on that in Denis’ original article. Note that desktop motherboards with add-on TPM modules are even easier to sniff, with no soldering required, since the header pins are exposed.
This method works in BitLocker’s default configuration (TPM-only protector). If the user enables pre-boot authentication with a PIN, the PIN is required before the TPM will release the VMK, so a passive capture of the bus is not enough. The method also does not work for firmware TPMs such as Intel PTT, as there is no exposed bus to probe.
(A figure in the original shows the connection to the TPM chip.)
Conclusion
Combined with a TPM, BitLocker provides strong protection against unauthorized access. Even though the TPM itself does not perform the disk encryption (that is done by the OS with the FVEK), gaining access to the key it guards is not an easy task. I have described a number of methods that can be used to obtain the encryption key from a TPM-protected system. Even if you never use any of them, they are certainly worth being part of your arsenal.