Intel Platform Trust Technology (PTT): TPM For The Masses

In the last few years, Intel® Platform Trust Technology (PTT) has truly arrived. For years, the last word in securing personal computers, industrial PCs, and servers has been the Trusted Platform Module (TPM) specification. TPM established a set of standards and interfaces that enable system makers to bake their digital bona fides into system hardware.

By employing unique cryptographic keys burned into physical media soldered directly onto the motherboard, TPM creates what is known as the “root of trust.” From that foundation, operating system makers like Microsoft can enable secure, whole-disk encryption to lock up data even if a disk is removed, and enable system checks that verify low-level boot code before allowing it to execute.

This model for system security got a face-lift when Intel introduced the Intel Platform Trust Technology (PTT) architecture, which implements TPM in system firmware. To your operating system and applications, PTT looks and acts like TPM. However, the difference between PTT vs TPM is that computers with Intel PTT don’t require a dedicated processor or memory. Instead, they rely on secure access to the system’s host processor and memory to perform low-level system authentication and verification.

The result: PTT is being deployed on low-power PCs, tablets, and other devices that in the past could not bear the additional cost, complexity, power consumption, or required physical space that comes with hardware-based TPM.

Understanding TPM

TPM is currently in version 2.0, and its role has become more vital as cyber threats continue to target the lowest levels of system operation (including the Master Boot Record, system firmware, and operating system files) where traditional anti-malware solutions can be vulnerable.

TPM works by storing protected key information in a tamper-proof chip that includes a unique Endorsement Key baked into the silicon at manufacture (like a digital fingerprint) to authenticate host system hardware. A dedicated cryptographic microprocessor processes key data and verifies the integrity of low-level system assets like boot files and system firmware. If a change is detected, TPM prevents the compromised files or software from loading, halting attacks before they can start.

Implementing TPM in dedicated hardware has a key benefit; TPM isolates the security infrastructure from the host system, making it exceedingly difficult to spoof, tamper, or defeat. However, it also adds cost and complexity to system designs which means that a lot of devices that could benefit from this level of security simply don’t have it.

Inside Platform Trust Technology

That shortfall is changing with firmware-based implementations of TPM. Intel PTT was Introduced in 2013 on select fourth-generation Intel Core processors and chipsets, including Intel Haswell ULT multichip packages, as well as on Atom-based, system-on-a-chip solutions like Bay Trail. PTT enables low-cost and low-power devices to support the same root of trust concepts enabled by hardware-based TPM. Furthermore, it supports all of Microsoft’s latest OS requirements for TPM 2.0.

A similar implementation (ARM’s TrustZone scheme) provides TPM capabilities for low-power, ARM processor-based portable devices like tablets.

And finally, AMD also has their own fTPM implementation, meaning if you purchased a computer in the last few years, there’s a very good chance it has some form of TPM already onboard.

PTT and other firmware implementations of TPM are especially important in the industrial PC space. They let organizations establish the same rigorous levels of security in its compact, fanless systems and devices as it does for desktop PCs, workstations, and servers. PTT-enabled IPCs radically shrink the attack surface for systems that often sit unattended in remote or public spaces.

There was a time when IT managers were forced to choose between IPCs with robust security or compact, low-power designs. Computers with Intel PTT put an end to that need to choose. If you’d like to learn more, download our one-pager (link below) and contact our technical sales team who can answer all your security questions.

Note: This article was originally written on December 20, 2017. It was updated for content on July 06, 2022.