I am looking to deploy new infrastructure, and I am seeking competitive information on which processors provide security features such as TPM.
As I know that AMD has provided this in the past via firmware as an attachment to its processors and chipsets, is this something which the AMD Ryzen processors are now providing as an integrated solution, or is this still firmware?
Regards,
Kyle Manel
In particular, I am curious about the AMD Ryzen mobile CPUs and chipsets.
I'd like to know the same thing. I am currently building a new high-end Threadripper 2950X or 2990WX video and content creation computer for my NEW YouTube channel, etc. I have not (knowingly) used a physical TPM v2 before. I am also using the ASUS ROG STRIX X399 motherboard. ANY and all info about what I (may) be getting into would be appreciated. Is a physical TPM still a good idea? What are the cons to it? Does it add any more complexity to using the computer on an everyday basis? Does it play well with Win10? I'd like to know the good, bad, pretty and ugly before installing this! If it makes any difference, I will be using DaVinci Resolve 15.
Thanks!
I can answer a few of those questions for you, though I am still in the dark on the OP.
A TPM requires software to implement it. A TPM is implemented pre-boot, as well as within the OS, so it can be hardware-agnostic, and it can add complexity, but predominantly due to initial configuration; once the TPM is deployed there is no significant additional complexity aside from regularized maintenance scheduling.
Is a physical TPM still a good idea?
That depends on your use case and the cost associated. A TPM protects key use and transmission through hardware to SIGNIFICANTLY increase the processing speed of crypto processes. It generates, stores and limits the use of cryptographic keys to necessity; instead of shouting out the key any time it may be necessary, it is triggered by specific events. It can be used to authenticate platform devices themselves, such that new devices cannot be added maliciously (or on a whim).
It can also protect the computer from picking up mischievous boot processes which may attempt to hamper or out-right alter the boot process (to load itself or another application as active on boot).
In Windows 10 specifically, the OS is designed to take ownership of the TPM; there can be times where the key should be altered outside of the management through Win10, but these are infrequent, and usually revolve around resetting a PC... This has generally been deemed by M$ and the world at large as needless and risky, and M$ has suggested (because they are oft' whimsical with their decision making) that they will no longer be developing their TPM management console, presumably because the device's APIs are (already) available.
It can also be recognized as a replacement for smart card authentication/authorization.
TPM is a requirement for the use of BitLocker and for various devices which may require encryption enabled in TPM 2.0.
TPM can be used to store certificates in Windows 10.
Lastly, a TPM can also be used to route malware at boot, because it measures the (legitimate) OS, and can validate the integrity of a computer running Windows 10/Server2016.
Note that it is deliverable in Linux as well; I am just less versed in its implementation. Ultimately a TPM is used as a protection/shield around keys used by the OS via hashing (SHA-256), and its boot process itself.
The values of TPM, while numerous, are predominantly based in security and key implementation in Windows 10;
It can be used in Windows Hello (fingerprint and dynamic lock do, and other authentication devices may use it). It can secure the PIN to log into Windows, and helps protect passwords via encryption.
It essentially is used to protect a system against itself at a hardware level, such that malignant programs cannot be deployed on the system; it can also be a significant protection against ransomware, though not in all cases (because of the measurements it takes of the OS).
Also, regarding your other questions;
What are the cons to it?
Cost; as a TPM is an optional feature in regular implementation it has no significant cons; however, it being a security device has been acknowledged as making some attacks easier, while increasing the complexity of most;
https://www.google.com/search?q=tpm+vulnerabilities&rlz=1C1CHBF_enCA807CA807&oq=tpm+vulnerabilities&...
Does it add any more complexity to using the computer on an everyday basis?
Yes, certainly, but it also provides ease of use, so it's a mixed bag; ultimately though, because of the features that can be added, notably Windows Hello, it adds convenience to the user where they would otherwise require more complex security to meet the same results.
Does it play well with Win10?
Windows 10 is often providing features for TPM chips, but naturally the compliance of any device is dependent on its own manufacturer, not M$.
Note that vulnerabilities can be resolved through firmware updates, so this is a moving finish line, so to speak.
I know that previous generations had TPM, but for whatever reason on my X570 / 5600X, TPM is on in the BIOS but it's not setting up... Is there no TPM on the 5000 series this time around? Can't find info ANYWHERE?
AMD doesn't seem to publish which processors support fTPM via BIOS update. I couldn't find any list.
I suggest you all open an AMD Service Request (Official AMD SUPPORT) and ask them which of AMD's new 5000 series processors have BIOS support for fTPM, from here: https://www.amd.com/en/support/contact-email-form
I do know that if a motherboard has a hardware TPM port you don't need to have fTPM via CPU to run that feature. But if a motherboard doesn't have a TPM port then you will need to use fTPM via CPU to run that feature.
I'm unaware exactly what you're trying to say with that. But I do know if I turned TPM off in the BIOS on all my other processors from AMD, whether that be the 1600AF, the 3600X and I believe the 2400G, it wouldn't show, and claimed no TPM was present and would link me to how I could go about getting one or tell me to upgrade to Win 10 Pro for BitLocker. But seeing how it's on in the BIOS, and I asked on the AMD Reddit support page, a fellow 5600X owner responded and said they can confirm to have TPM showing in Device Manager and it is not hidden by default. So with that being said, I'd have to assume AMD included it with these, as Pluton or whatever it's called is hardware encoded, as in, it will be installed inside the CPU during manufacturing, I do believe. Probably wrong, I just saw some stuff about it the other day... I do know I made a noob mistake and dropped the CPU, ever so slightly bending 3 pins or so, which I got straightened back out, and thus it is the same CPU I'm using now. All-core OC, 2000 FCLK, no issue, super low working voltage for an all-core OC at 1.23V, passes Prime95, OCCT, etc... besides the real issue... Kinda worried that may be the actual cause. Then again this OS has had 2 other CPUs tied to it. But I have uninstalled most drivers through Device Manager that are labeled 3600X, 1600, etc. (did the same when coming from 1600 to 3600, didn't have this issue). I have not uninstalled the TPM driver inside Device Manager as I would have assumed it would auto-config itself to do whatever it needed to do by itself.
To clarify though, I have already written to AMD and asked. I have yet to receive any response. And finding the actual email spot on the AMD website where one can write and ask a question is kinda hard... Clicking "contact us" just doesn't do it... I forgot how I actually got to it. But yeah, already asked, no answer. Got answered from another user on another AMD support spot: something up with my chip, board, or perhaps my BIOS revision... Then again the user who responded to me is using an older BIOS than I.
(SOLVED) It was BIOS related. Unsure why, though. But rev. C was a no go. Downflashed to rev. B and it worked, but no RAM support for even XMP on a T-Force 3200C14 kit which does 4000 / FCLK 2000 on rev. C with C15 timings and super tight subs. Instead I tried rev. D1 for my board, and TPM is now set up and working, and I have pretty good overclocking headroom on RAM. So if anyone else has this unknown random problem: FLASH YOUR BIOS AGAIN!
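As an added example (not code from anyone in this thread), a PowerShell check that answers the questions raised above: whether Windows 10 sees a TPM at all, whether it is the AMD firmware TPM or a discrete module on the motherboard header, and whether it is provisioned for BitLocker or Windows Hello. It assumes an elevated prompt on Windows 10 and uses only built-in cmdlets (Get-Tpm, the Win32_Tpm WMI class and Confirm-SecureBootUEFI); the verdict messages are my own wording.

```powershell
#Requires -RunAsAdministrator
# Added example: report what Windows 10 sees of the TPM (discrete or AMD fTPM)
# and whether it is in a state BitLocker / Windows Hello can actually use.

function Get-TpmStatusReport {
    $tpm = Get-Tpm   # TrustedPlatformModule module, built into Windows 10
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy/CSM boot; report that instead of failing.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'not UEFI' }

    # ManufacturerIdTxt is a 4-character vendor code; it starts with "AMD" for the fTPM.
    $vendor = if ($tpm.ManufacturerIdTxt) { $tpm.ManufacturerIdTxt.Trim() } else { 'none' }
    # SpecVersion reads like "2.0, 0, 1.38" on a TPM 2.0 device.
    $spec = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }

    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady        # provisioned and usable by BitLocker
        Enabled     = $tpm.TpmEnabled
        Activated   = $tpm.TpmActivated
        Owned       = $tpm.TpmOwned
        Vendor      = $vendor
        FirmwareVer = $tpm.ManufacturerVersion
        SpecVersion = $spec
        LockedOut   = $tpm.LockedOut       # dictionary-attack lockout engaged
        SecureBoot  = $secureBoot
    }
}

$r = Get-TpmStatusReport
$r | Format-List

# Plain-language verdict, matching the failure modes described in this thread.
if (-not $r.Present) {
    Write-Warning 'No TPM visible to Windows: check the BIOS fTPM setting, a discrete module on the SPI TPM header, or the BIOS revision.'
} elseif (-not $r.Ready) {
    Write-Warning 'TPM present but not provisioned: run Initialize-Tpm from an elevated prompt, then reboot.'
} elseif ($r.Vendor -like 'AMD*') {
    Write-Host 'AMD firmware TPM (fTPM) is present and ready.'
} else {
    Write-Host "Discrete TPM from vendor '$($r.Vendor)' is present and ready."
}
```

If Present is false while the BIOS shows fTPM enabled, the thread's experience (a BIOS revision that did not expose the fTPM) is a likely cause, and the Device Manager "Security devices" node will be empty too.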
Not sure if you were responding to my original reply about TPM, but glad, at least, that in your case downgrading your motherboard BIOS got TPM to work correctly again.
As to my previous reply about TPM: some motherboards have a TPM port where you can physically connect TPM hardware to do the same thing as a software TPM (fTPM via BIOS) does by using the CPU.
For instance, my motherboard 570X has a TPM port on it: 1 x SPI TPM header
All I have to do is purchase TPM hardware and plug it into that slot for TPM security.
Something like this at Amazon:
With this I don't need to enable TPM using my processor.