TPM 1.2 versus TPM 2.0 - Cryptographic Support
The table below summarizes the algorithms each version provides (Yes = mandatory, Optional = may be implemented, No = not available); for a more comprehensive list of TPM algorithms, refer to the TCG Algorithm Registry. The list of mandatory algorithms for TPM 2.0 in a PC is defined in the latest PC Client Platform TPM Profile.
Algorithm Type | Algorithm Name | TPM 1.2 | TPM 2.0 |
Asymmetric | RSA 1024 | Yes | Optional |
Asymmetric | RSA 2048 | Yes | Yes |
Asymmetric | ECC P256 | No | Yes |
Asymmetric | ECC BN256 | No | Yes |
Symmetric | AES 128 | Optional | Yes |
Symmetric | AES 256 | Optional | Optional |
Hash | SHA-1 | Yes | Yes |
Hash | SHA-2 256 | No | Yes |
HMAC | SHA-1 | Yes | Yes |
HMAC | SHA-2 256 | No | Yes |
TPM 1.2 versus TPM 2.0 - Behavior Differences
TPM 1.2 supports a single "owner" authorization, with an RSA 2048-bit Endorsement Key (EK) for signing/attestation and a single RSA 2048-bit Storage Root Key (SRK) for encryption. This means a single user or entity (the "owner") controls both the signing/attestation and the encryption functions of the TPM. In general, the SRK serves as the parent for any keys created in TPM 1.2. TPM 1.2 was specified as an opt-in device (see the TCG article on what "opt-in" means as it applies to TPM).
TPM 2.0 keeps the same roles, an EK for signing/attestation and an SRK for encryption, but control is split into two different hierarchies: the Endorsement Hierarchy (EH) and the Storage Hierarchy (SH). In addition to the EH and SH, TPM 2.0 also contains a Platform Hierarchy (PH) for firmware and maintenance functions, and a Null Hierarchy for ephemeral objects. The Platform, Storage and Endorsement hierarchies each have their own authorization value (platformAuth, ownerAuth and endorsementAuth); the Null Hierarchy has no authorization value and its seed changes on every TPM reset. A separate lockout authorization (lockoutAuth) controls dictionary-attack reset. TPM 2.0 therefore has four authorizations where TPM 1.2 had a single "owner", and the Storage Hierarchy's ownerAuth is the closest analogue of the 1.2 owner.
In TPM 2.0, the new Platform Hierarchy is intended to be used by platform manufacturers (that is, by firmware). The Storage, Endorsement and Null hierarchies are used by the OS and by OS-present applications. TPM 2.0 has been specified in a way that makes discovery and management less cumbersome than 1.2, and it supports both RSA and ECC algorithms for Endorsement Keys and SRKs.
TPM 1.2 vs. 2.0 - Supported Applications and Features:
Feature or Application | TPM 1.2 | TPM 2.0 |
Dell Data Protection | Security Tools (DDP|ST) OTP client | Yes | No |
Dell Data Protection | Encryption (DDP|Encryption) | Yes | No |
Intel® Trusted Execution Technology™ | Yes | Yes |
Microsoft BitLocker™ | Yes | Yes |
Microsoft Virtual Smart Card | Yes | Yes |
Microsoft Credential Guard™ | Yes | Yes |
Microsoft Passport™ | Yes | Yes |
TCG Measured Boot | Yes | Yes |
UEFI Secure Boot | Yes | Yes |
Microsoft Device Guard™ | Yes | Yes |
How is Discrete TPM 2.0 different from a firmware TPM (fTPM)?
A firmware-based TPM (fTPM) is a TPM that runs using the resources and execution context of a multi-function compute device (such as an SoC, CPU, or similar compute environment). Its memory, non-volatile storage and cryptographic engine are shared with, and its isolation depends on, that host device.
A discrete TPM is implemented as a separate, isolated function-specific chip, with all necessary compute resources contained within the discrete physical chip package. A discrete TPM has full control of dedicated internal resources (volatile memory, non-volatile memory, and cryptographic logic), and it is the only function that accesses and uses those resources.
Additionally, a TCG Certified discrete TPM is required to meet both compliance and security requirements, including hardening of the chip and its internal resources similar to that of smart cards. TCG compliance testing verifies that the TPM correctly implements the TCG specifications; the security evaluation required for certification is what allows a Certified discrete TPM to protect itself against more sophisticated physical attacks.
OS Support matrix:
OS Vendor Support
OS | TPM 1.2 | TPM 2.0 |
Windows 7 | Yes | No (1) |
Windows 8 | Yes | Yes (2) |
Windows 8.1 | Yes | Yes (2) |
Windows 10 | Yes | Yes |
RHEL | Yes | Yes (3) |
Ubuntu | Yes | Yes (3) |
1. Windows 7 64-bit with SP, configured in UEFI + CSM boot mode, can support TPM 2.0, but this has not been validated by Dell and is not currently supported.
2. Windows 8 launched with support for TPM 2.0, but only uses the SHA-1 PCR bank.
3. Requires Linux kernel version 4.4 or newer.
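Two of the points above, that a TPM 1.2 part can only measure with SHA-1 (algorithm table) and that a TPM 2.0 part is only as strong as the PCR banks actually allocated on it (footnote 2), can be checked from the OS without trusting the marketing name. The following Python is an added example written for this page, not Dell or TCG code. It parses the SpecVersion string that Windows exposes on the Win32_Tpm WMI class and the text printed by tpm2_getcap pcrs on Linux, and reports whether SHA-256 attestation is actually available; the sample strings are constructed to match those formats, and the verdict wording is the example's own.

```python
"""Check which hash a TPM can actually attest with, from what the OS exposes.

Added example for this page (not Dell or TCG code). It parses two real sources
without needing a TPM present when run:
  * Windows: the SpecVersion property of the Win32_Tpm WMI class
    (namespace root\\cimv2\\Security\\MicrosoftTpm), e.g. "2.0, 0, 1.16".
  * Linux: the text printed by `tpm2_getcap pcrs` (tpm2-tools 4.x/5.x).
The sample strings below are constructed for the example.
"""
import re

# Constructed sample, modelled on `tpm2_getcap pcrs` output: two banks with all
# 24 PCRs allocated and two banks the TPM supports but has not allocated.
SAMPLE_GETCAP_PCRS = """\
selected-pcrs:
  - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha384: [  ]
  - sm3_256: [  ]
"""

# Constructed sample of Win32_Tpm.SpecVersion as reported for a TPM 1.2 part.
SAMPLE_SPEC_VERSION_12 = "1.2, 2, 3"


def parse_spec_version(spec):
    """Parse Win32_Tpm.SpecVersion, "<family>, <spec level>, <revision>"."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 3 or parts[0] not in ("1.2", "2.0"):
        raise ValueError("unrecognised SpecVersion: %r" % spec)
    return {"family": parts[0], "level": int(parts[1]), "revision": parts[2]}


# One "  - <bank>: [ n, n, ... ]" line; the bracket body may be empty.
_BANK_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s*\[\s*([\d,\s]*?)\s*\]\s*$")


def parse_getcap_pcrs(text):
    """Map each bank named by `tpm2_getcap pcrs` to its allocated PCR indices."""
    banks = {}
    for line in text.splitlines():
        m = _BANK_RE.match(line)
        if m:
            banks[m.group(1)] = [int(n) for n in m.group(2).split(",") if n.strip()]
    if not banks:
        raise ValueError("no PCR banks found in tpm2_getcap output")
    return banks


def assess(family, banks=None):
    """Return a one-line verdict on the hash strength available for attestation."""
    if family == "1.2":
        return "TPM 1.2: SHA-1 is the only PCR bank; SHA-256 measured boot is not possible on this part"
    # A bank counts as active only if at least one PCR is allocated in it.
    active = sorted(b for b, pcrs in (banks or {}).items() if pcrs)
    if "sha256" not in active:
        return ("TPM 2.0 with no SHA-256 bank allocated: measurements and quotes are SHA-1 only "
                "(the limitation noted for Windows 8/8.1 above); allocate one with tpm2_pcrallocate")
    verdict = "ok: SHA-256 bank active (" + ", ".join(active) + ")"
    if "sha1" in active:
        verdict += "; SHA-1 bank also allocated, so verifiers should require quotes over sha256"
    return verdict


if __name__ == "__main__":
    print(assess(parse_spec_version(SAMPLE_SPEC_VERSION_12)["family"]))
    print(assess("2.0", parse_getcap_pcrs(SAMPLE_GETCAP_PCRS)))
```

On a live Windows machine the SpecVersion string comes from `Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm`; on Linux, feed the real `tpm2_getcap pcrs` output into `parse_getcap_pcrs`. The parser treats a bank listed with an empty bracket as present but unallocated, which is exactly the case where a TPM 2.0 part still behaves like the SHA-1-only configuration described in footnote 2.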
Dell Commercial Platform OS Support
OS | TPM 1.2 | TPM 2.0 |
Windows 7 | Yes | No |
Windows 8 | Yes | No (4) |
Windows 8.1 | Yes | No (4) |
Windows 10 | Yes | Yes (5) |
RHEL | Yes | No |
Ubuntu | Yes | No |
4. Dell supports TPM 2.0 with Windows 8 and 8.1 on a limited number of Tablets and Detachable PCs that support Microsoft Connected Standby.
5. TPM 2.0 support is available on all Commercial platforms in Spring 2016.
Dell Platform Support for TPM 2.0 (Shipping as of January 2016)
Line of Business | Model | TPM 1.2 | TPM 2.0 |
Latitude | 3150 | Yes | No |
Latitude | 3160 | No | Yes (6) |
Latitude | 3350 | Yes | No |
Latitude | 3450 | Yes | No |
Latitude | 3550 | Yes | No |
Latitude | 3460 | Yes | No |
Latitude | 3560 | Yes | No |
Latitude | 3470 | Yes | Yes |
Latitude | 3570 | Yes | Yes |
Latitude | E5250 | Yes | No |
Latitude | 5250 | Yes | No |
Latitude | E5450 | Yes | No |
Latitude | E5550 | Yes | No |
Latitude | 5550 | Yes | No |
Latitude | E5270 | Yes | Yes |
Latitude | E5470 | Yes | Yes |
Latitude | E5570 | Yes | Yes |
Latitude | E7250 | Yes | No |
Latitude | 7250 | Yes | No |
Latitude | E7450 | Yes | No |
Latitude | E7270 | Yes | Yes |
Latitude | E7470 | Yes | Yes |
Latitude | 7275 | No | Yes |
Latitude | 7370 | No | Yes |
Latitude | 11 5175 | No | Yes |
Latitude | 11 5179 | No | Yes |
Optiplex | 3040 | Yes | Yes |
Optiplex | 3240 | Yes | Yes |
Optiplex | 5040 | Yes | Yes |
Optiplex | 7040 | Yes | Yes |
Optiplex | 7240 | Yes | Yes |
Precision | 3420 | Yes | Yes |
Precision | 3620 | Yes | Yes |
Precision | 5810 | Yes | No |
Precision | 7810 | Yes | No |
Precision | 7910 | Yes | No |
Precision | R7910 | Yes | No |
Precision | 3510 | Yes | Yes |
Precision | 5510 | Yes | Yes |
Precision | 7510 | Yes | Yes |
Precision | 7710 | Yes | Yes |
Venue | 10 Pro 5056 | No | Yes |
Venue | 8 Pro 5855 | No | Yes |
XPS | 12 9250 | No | Yes |
XPS | 13 9350 | No | Yes |
XPS | 15 9550 | Yes | Yes |
6. Uses Intel PTT (Platform Trust Technology) fTPM