For Security, How Bad are TPMs and How Good is the Apple T2 Chip?


The TPM (Trusted Platform Module) chip in your computer is perhaps a forgotten device. It often sits there not doing much, and never quite achieving its full potential. You bought the laptop because it had one, but you just can't find a use for it. The chip itself is perhaps rather jealous of the Apple T2 chip, which does so much more, and where people actually buy the computer for the things it brings. Few people buy a computer because it has a TPM, but lots of people buy a MacBook or an iPhone because it is trusted to look after their sensitive data.

With the TPM we have moved from TPM 1.2 to TPM 2.0, and the device hosts a basic crypto-processor. This processor is not like the Apple T2 chip, and cannot really do much crypto at scale. In its modern form, it supports RSA and ECC key generation, SHA-1/SHA-256 hashing, and the generation of digital signatures.

Its main focus is to provide a trusted boot environment, where measurements of each stage of the boot process are recorded in registers on the device and checked to confirm that the boot process has not been interfered with. There are also two important key pairs on the device: the EK (Endorsement Key) pair and the SRK (Storage Root Key) pair. These are typically RSA…
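The register check described above works because a TPM's Platform Configuration Registers (PCRs) can only be extended, never written directly: each new value is the hash of the old value concatenated with the digest of the component being measured, so the final value commits to the whole ordered boot sequence. The following is an added, stand-alone illustration of that extend rule in software, not code from the article or from any TPM vendor; the "boot components" are constructed byte strings standing in for real firmware and bootloader images, and the all-zero starting value and a single SHA-256 register are simplifying assumptions.

```python
import hashlib
import hmac

# Constructed sample "boot components" standing in for the firmware,
# bootloader and kernel images a real platform would measure.
# Assumption: these byte strings are illustrative only.
BOOT_CHAIN_OK = [
    b"firmware v1.0 (constructed)",
    b"bootloader v2.3 (constructed)",
    b"kernel 6.1 (constructed)",
]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend step: new = SHA-256(old || SHA-256(measurement)).

    Because the old value is folded in, a PCR cannot be reset to a chosen
    value by later code; only the full sequence reproduces the same result.
    """
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> bytes:
    """Replay a boot sequence into a single SHA-256 PCR that starts at all zeros."""
    pcr = bytes(32)  # assumption: 32 zero bytes as the reset value of the register
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def boot_is_trusted(observed_pcr: bytes, expected_pcr: bytes) -> bool:
    """Compare against the known-good value without leaking timing information."""
    return hmac.compare_digest(observed_pcr, expected_pcr)


def check_chain(components, expected_pcr: bytes) -> bool:
    """Measure a boot chain and report whether it matches the golden PCR value."""
    return boot_is_trusted(measure_boot(components), expected_pcr)


# The golden value would be recorded (or used to seal a secret) at provisioning time.
GOLDEN_PCR = measure_boot(BOOT_CHAIN_OK)


if __name__ == "__main__":
    tampered = list(BOOT_CHAIN_OK)
    tampered[1] = b"bootloader v2.3 (constructed, one byte changed)"
    reordered = [BOOT_CHAIN_OK[1], BOOT_CHAIN_OK[0], BOOT_CHAIN_OK[2]]

    print("clean boot matches golden value:   ", check_chain(BOOT_CHAIN_OK, GOLDEN_PCR))
    print("tampered bootloader matches:       ", check_chain(tampered, GOLDEN_PCR))
    print("same components, reordered, match: ", check_chain(reordered, GOLDEN_PCR))
```

Changing a single byte of one component, or running the same components in a different order, produces a different final register value, which is why a secret sealed to the golden PCR value is released only when the expected boot sequence has run.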


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
