2

I'd like to have a list where I can see supported CPU/MB generations (not concrete models), and which goes into technical detail about what kind of TPM (fTPM, dTPM) is required.

Going into detail on the technical reality of these MB/CPUs, and whether I need a discrete TPM card or whether the CPU/MB generation has an embedded/firmware TPM.

Sadly, the list from Microsoft is quite limited: "8th Gen Core and newer".

juwens
  • 372
  • 3
  • 9

1 Answer

5

Glossary:

  • TPM: Trusted Platform Module. A piece of hardware in a modern Windows computer, which can be used for security:
    • directly by the OS (Windows and Linux)
    • by other hardware, such as Intel TXT/SMX
  • dTPM: discrete TPM 1.0/1.2 or 2.0; a module that you (plug) or the OEM (plug or solder) need to add to your mainboard, usually proprietary modules via a 13, 15, 17 or 19 pin connector (pre 2015)
  • fTPM: Firmware TPM; is always TPM 2.0 compatible. A module embedded into the CPU or chipset (from 2015 to this day). No need for a dTPM on the mainboard anymore, but a dTPM can be used too.
  • Intel TXT/SMX: an Intel CPU extension which utilizes a separate dTPM or fTPM; TXT/SMX does not contain an fTPM or dTPM
  • Intel PTT: Intel's hardware implementation of fTPM; embedded/integrated in the chipset since LGA 1151 (anno 2015)
  • AMD PSP: Platform Security Processor, AMD's umbrella term for any of the Intel equivalents to TXT/SMX, PTT, fTPM, Intel ME
  • TPM 2.0: (usually) includes support for 1.0 and 1.2
  • TPM 1.0/1.2: old TPM spec (pre 2013)

There are three options:

| General | Intel | AMD |
|---|---|---|
| Mostly no hw-support for a dTPM. Not able to run Windows 11. | pre 2013 | |
| Not officially supported, but should work with Windows 11 if you buy/have a dTPM with TPM 2.0 support. A lot of the mainboards have a proprietary socket for a dTPM. A dTPM (or alternatively fTPM) is required! The TPM itself is not included, but may be present, plugged/soldered on the MB by the OEM or the user. If you have a dTPM you should be able to enable it in BIOS/UEFI and run Windows 11. You should be able to order a dTPM for your specific mainboard. Look in the manual for the correct pin count. | Since 2013. Separate dTPM required. None of the LGA1150 (aka 4th and 5th Gen Core CPU) chipsets (H81, C222, B85, C224, Q85, Q87, C226, H87, Z87) and prior have PTT support, hence no embedded/integrated fTPM. | Since 2016/2017. Separate dTPM required; no embedded fTPM. This concerns Zen (1st gen)/Ryzen 1000 mainboards. |
| Official Windows 11 support. An fTPM module embedded/integrated into the CPU or chipset. | Since 2015. fTPM (which Intel calls PTT) included in every chipset (except C236). All LGA1200 (8/9/10/11th gen Core CPU) with 400 and 500 chipset have PTT support. All (except one) of the LGA1151 (6/7th gen Core CPU) chipsets (100, 200, 300, except C236) have PTT support. | Since 2018. fTPM included in every SoC/CPU. Socket AM4, "Zen+" (Ryzen 2000), "Zen 2", "Zen 3" and newer contain an embedded fTPM. |

Examples of dTPMs you should be able to buy and use to upgrade your PC:

PS:

Side note:

  • UEFI is required
  • CSM needs to be disabled (CSM = "Compatibility Support Module", an option on many UEFI mainboards to emulate BIOS boot)
  • boot disk needs to be GPT (CSM/BIOS mode implies MBR; Windows 10 contains the tool MBR2GPT, which converts your disk from MBR to GPT within seconds and without data loss)

My Experience:

I have a 4th Gen Intel CPU (E-1230 v3) with H87 chipset, so no fTPM. I bought the appropriate dTPM from my mainboard manufacturer and upgraded the BIOS/UEFI to the latest beta version. And voilà, TPM 2.0 is available in Windows.

I also needed to:

  • convert my disk from MBR to GPT with MBR2GPT.exe
  • disable CSM mode in UEFI
juwens
  • 372
  • 3
  • 9
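The prerequisites named in the answer above (a TPM 2.0 visible to Windows, UEFI boot with CSM disabled, a GPT boot disk) can be read back from an elevated PowerShell session. This is an added example, not part of the original answer; the function name is hypothetical, and the fTPM/dTPM guess rests on the assumption that firmware TPMs report the TCG vendor IDs `INTC` (Intel PTT) or `AMD`, which is a heuristic rather than a guarantee.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Run in an elevated Windows PowerShell session.

# TCG vendor IDs that firmware TPMs commonly report (assumption: heuristic, not exhaustive).
$FirmwareTpmVendors = @('INTC', 'AMD')   # Intel PTT, AMD fTPM

function Get-TpmPrerequisiteReport {
    $tpm     = Get-Tpm
    $spec    = $null
    $vendor  = $null
    $tpmKind = 'none visible to the OS (absent, or disabled in BIOS/UEFI)'

    if ($tpm.TpmPresent) {
        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
        $wmi    = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        $spec   = ($wmi.SpecVersion -split ',')[0].Trim()
        # The vendor string may be padded with spaces or NUL characters.
        $vendor = "$($tpm.ManufacturerIdTxt)".Trim([char[]]@(0, 32))
        $tpmKind = if ($FirmwareTpmVendors -contains $vendor) { 'fTPM (by vendor ID)' } else { 'dTPM (by vendor ID)' }
    }

    # Reports Bios when the board boots through CSM/legacy mode, Uefi otherwise.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    # The disk Windows booted from; MBR here means MBR2GPT is still to be run.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmSpecVersion = $spec
        TpmVendor      = $vendor
        TpmKind        = $tpmKind
        FirmwareType   = "$firmware"
        BootDiskStyle  = "$($bootDisk.PartitionStyle)"
        # Covers only TPM 2.0, UEFI and GPT; CPU generation support is not checked.
        PrereqsMet     = ($spec -eq '2.0') -and ("$firmware" -eq 'Uefi') -and
                         ("$($bootDisk.PartitionStyle)" -eq 'GPT')
    }
}

Get-TpmPrerequisiteReport | Format-List
```

A dTPM that is plugged in but not yet enabled in BIOS/UEFI shows up here as `TpmPresent = False`, the same as a board with no module at all.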
  • 1
    The OS can utilize discrete TPMs without any special CPU support -- it directly uses the SPI or I2C bus, not special CPU instructions, so it doesn't need CPU-level TXT/SMX support for that. It's the motherboard firmware that needs support for TPM initialization (which has different requirements for 1.2 vs 2.0 as well). – u1686_grawity Jun 27 '21 at 11:58
  • Thanks for the comment, I'll investigate that topic. Apparently both ways (direct access from software/OS and indirect access via TXT/SMX) are possible. "The Intel® TXT architecture also provides extensions that access certain chipset registers and TPM address space." from https://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf – juwens Jun 27 '21 at 12:10
  • That seems like the "indirect access via TXT" is just so that the CPU itself could implement TXT-related features; it doesn't seem to duplicate the regular TPM services available via direct access (such as data sealing and key storage). – u1686_grawity Jun 27 '21 at 12:42
  • Frankly an exhaustive list is impossible. One of my newer machines is a 'supported' AMD machine where I can't turn on the fTPU cause there's no option in the BIOS. There's also a fair number of folks in a BIOS hacking forum I'm looking at for info trying to 'mod' their systems into working. And there's a few software TPU options that might end up being an option for getting this to work with sufficient demand. – Journeyman Geek Jun 27 '21 at 12:58
  • I see people are already publishing instructions on how to doctor the install ISO to bypass the TPM check. – Michael Harvey Jun 27 '21 at 13:09
  • @user1686 thanks for your suggestions, I think I've understood it and removed the text which indicated TXT is necessary. – juwens Jun 27 '21 at 13:47
  • 1
    @MichaelHarvey - How you bypass the TPM requirement for a leaked Insider Preview build is very likely irrelevant to a formal Insider Preview build or, more importantly, the eventual RTM build. – Ramhound Jun 27 '21 at 17:17
  • I installed the 21996.1.210529-1541 ISO into a new VirtualBox VM on a host with an i7 4790 CPU, which is supposed to be too old, and it installed and runs just fine. – Michael Harvey Jun 27 '21 at 18:00
  • @JourneymanGeek Assuming it isn't a laptop, does your M/B have a pin header for a TPM module? (If you can find one for less than $200 as of a few days ago.) The TPM requirement could end up being applicable only to OEMs, and the supported CPU list could be a work in progress. – Andrew Morton Jun 27 '21 at 20:32
  • It's an SFF machine similar to a NUC I got off AliExpress. Apparently my best bet is hacking the BIOS. No TPM header and it's a weird manufacturer I cannot find any info on. – Journeyman Geek Jun 28 '21 at 00:07
  • 2
    @MichaelHarvey: Somewhere in Microsoft's hardware requirements PDFs, they explicitly state that VMs will be exempt from some of the requirements (TPM one of them, and I think CPUs as well). – u1686_grawity Jun 28 '21 at 08:31
  • 1
    @MichaelHarvey - Your ability to run Windows 11 within a Virtual Machine is an irrelevant fact. Windows 11 does not require TPM 2.0 and Secure Boot if it's run within virtualized hardware. – Ramhound Jun 28 '21 at 19:40
  • 1
    @AndrewMorton - Microsoft is due to announce the reason TPM 2.0 is required for Windows 11 this week. The chances TPM is an OEM-only requirement are close to zero. The chances of them providing a (supported) way to bypass the requirement are greater than zero. – Ramhound Jun 28 '21 at 19:43
  • 1
    Even if an exhaustive list is not possible, a breakdown like this that speaks to, at least in theory, the rationale for why a device might or might not work is helpful. The OP is exactly correct in that "intel 8th gen+" is so vague (and so very "modern computing" dumbspeak) as to be unhelpful as a metric. – Yorik Jun 29 '21 at 14:04
  • @Yorik thanks :) - I (for example) have an Intel 4th gen CPU and no TPM at all. But my ASRock mainboard has the mentioned connector, which is 17th PIN called `TPM2-S` and/or `TPM2-s` (with a small "s"). I've ordered one now and will see if that works. – juwens Jun 29 '21 at 16:06