TPM vs Secure Boot

TPM and Secure Boot do similar jobs: both protect your system against malware attacks and add a level of protection to your data. The way they do those jobs is different.

The main difference is that TPM works while the computer is running, whereas Secure Boot prevents the computer from even starting if an unsigned, untrustworthy application attempts to load at boot.

TPM provides continuous protection while the computer is running. Secure Boot does its job before the computer starts up, by preventing it from starting at all if something untrusted tries to load.

With the announcement of Windows 11 in June 2021, one topic was thrown to the front of discussion in the tech world: what is TPM?

What Is TPM? (Trusted Platform Module)

Windows 11 requires TPM 2.0 as a system requirement for installation.

TPM has been around for a number of years, but this feels like the first time it is being widely talked about. (TPM 2.0 is the current industry-standard version at the time of writing.)

In this article, I’ll explain the difference between TPM and Secure Boot.

Digital Signature

It’s important to clarify first what a digital signature is: a highly encrypted message used throughout modern technology.

Let’s compare it to a modern-day electronic fingerprint.

Hardware devices and software use it to perform a virtual handshake with one another and confirm that each is trustworthy.

The standard behind it is PKI (Public Key Infrastructure). The keys are certified, and the encryption strength is enormous.

You use these every day without knowing it. Every time you open a web page that shows the SSL padlock, you are sending data to and receiving data from a site that uses a digital signature.

TPM Explained

TPM comes in many forms. Most commonly it is a hardware module embedded on the motherboard of the computer (PC or laptop).

Add-on cards are available, but your motherboard’s manufacturer must support them by releasing a firmware (BIOS) update for your system. Older systems are unlikely to be supported.

Essentially, the job of TPM is to protect your data and provide hardware-level protection against malware attacks. If your computer is lost or stolen, the options of encrypting the data or remotely wiping the drive become possible.

TPM uses digital signatures to protect against data theft or ransomware attack.

Format Types Of TPM

Both types of TPM, dTPM and fTPM, must meet the same requirements, including verification, certification and vetting, to ensure that they can protect data adequately.

Discrete TPM (dTPM) is a tiny module built into the motherboard, or supplied on an add-on card that can be fitted to some motherboards and systems. The firmware (UEFI/BIOS) will already support this module.

Firmware TPM (fTPM) is a software upgrade from the motherboard manufacturer that emulates the TPM in firmware. It is considered less effective than discrete TPM (the built-in modules).

Virtual TPM (vTPM) is very uncommon. The effectiveness and capabilities of vTPMs are currently open to debate.

Secure Boot Explained

There are similarities between the jobs of TPM and Secure Boot.

Secure Boot checks the validity of the operating system before it even loads.

It is a feature built into the UEFI firmware (what we used to know as the BIOS) of most modern computers.

Secure Boot offers a good level of protection against a type of malware known as a “rootkit”.

When the OS (an operating system such as Windows or Linux) loads, Secure Boot checks whether the OS is digitally signed and verified before allowing it to load.

This is a great first line of defence against malware that tries to load before or alongside Windows.

Secure Boot will only load the initial files and proceed with the boot if it can confirm that all of those files are digitally signed.

Example Of Secure Boot

Rootkit malware lies to and compromises the system, telling it that the rootkit must load first.

Whatever anti-virus software you use could also be ineffective without Secure Boot, because rootkits can tell these programs not to load. With Secure Boot enabled, anti-virus software is far more effective: operating systems and software that have a digital signature load first.

If you use genuine anti-virus software (or even the built-in Windows Security), it loads before the malware and can then stop it from running.

With Secure Boot, the OS will only load if it is trustworthy.
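The signature check described under “Secure Boot Explained” and in the rootkit example above, as an added illustration that is not part of this article: a small Go simulation of firmware that keeps a list of trusted publisher keys (the “db”) and lets a boot image load only if the image’s signature verifies under one of those keys. An unsigned image, an image altered after signing (the rootkit case) and an image signed by an unknown key are all refused. RSA PKCS#1 v1.5 over SHA-256, the `BootImage` type and the in-memory key list are simplifying assumptions; real UEFI firmware checks Authenticode signatures on PE files.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// BootImage is a hypothetical boot component (a bootloader, say) plus the
// signature its publisher attached. Real UEFI Secure Boot checks Authenticode
// signatures on PE files; RSA PKCS#1 v1.5 over SHA-256 is a simplified stand-in.
type BootImage struct {
	Contents  []byte
	Signature []byte // empty for an unsigned image
}

// ErrUntrusted means the firmware must refuse to load the image.
var ErrUntrusted = errors.New("secure boot: image not signed by a trusted key")

// SignImage is the publisher's step: sign SHA-256(Contents) with its private key.
func SignImage(priv *rsa.PrivateKey, img *BootImage) error {
	digest := sha256.Sum256(img.Contents)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	img.Signature = sig
	return nil
}

// VerifyBootImage is the firmware's decision at boot: load the image only if
// its signature verifies under some key in the trusted "db" list. Unsigned,
// tampered, or signed-by-unknown-key images all return ErrUntrusted.
func VerifyBootImage(db []*rsa.PublicKey, img *BootImage) error {
	if len(img.Signature) == 0 {
		return ErrUntrusted
	}
	digest := sha256.Sum256(img.Contents)
	for _, pub := range db {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.Signature) == nil {
			return nil // a trusted publisher vouched for exactly these bytes
		}
	}
	return ErrUntrusted
}
```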

Why Now? Why Have Microsoft Insisted On This Now?

When you compare Windows to other operating systems, Windows is the one on which you’d assume you are most likely to become infected with malware.

Rightly so, Microsoft want to “raise the bar”. They have tried in the past to demand that hardware components meet specific requirements to install the latest version of Windows, and it hasn’t worked out for them before.

Now, though, is the time. Everyone is talking about privacy, security and online protection. Microsoft have made a bold move: meet the security requirements, or you cannot have the latest version of Windows.