This blog was written by Thomas Cantwell and Johan Rahardjo
Introduction – Dell PowerEdge 13G servers now have multiple options for TPM (Trusted Platform Module - http://www.trustedcomputinggroup.org/resources/trusted_platform_module_tpm_summary ). This means you must carefully consider your overall TPM usage model, as well as your current and future operating system choices to ensure you make the right choice – both in the near-term and for the future.
Available TPM Plug In Module options for Dell PowerEdge 13G platforms –
Dell worked closely with OS vendors to be first-to-market with TPM 2.0, enabling customers to configure their systems to be future-ready. Dell's TPM 1.2 and 2.0 solutions are among the few TPM solutions fully certified to FIPS 140-2, TCG, and Common Criteria, meeting strict US federal government security requirements.
Which should you choose?
TPM 1.2 – TPM 1.2 is the legacy TPM chip that first shipped on Dell PowerEdge 11G servers. It is fully supported on the following operating systems. (Note: TPM 1.2 only supports Secure Hash Algorithm 1 [SHA1]):
Windows Vista/Server 2008
Windows 7/Server 2008R2
Windows 8/Server 2012
Windows 8.1/Server 2012R2
The VMware ESXi hypervisor has supported TPM since 4.x, and from 5.0 it is enabled by default.
For Linux operating systems, please contact your OS vendor for more information on TPM 1.2 support.
TPM 2.0 – the most current implementation of TPM, and the one to purchase if you want to future-proof your Dell 13G PowerEdge servers. There are new usage models, and future OS versions such as Windows Server 2016, that will leverage TPM 2.0. TPM 2.0 still supports SHA1 but, more importantly, adds support for newer and stronger cryptographic standards with SHA256.
TPM 2.0 (China) – if you want to implement TPM 2.0 in China, you must use this version of the TPM, which is specifically qualified and supported for China. It is only available in China, and you cannot use a ROW (Rest-Of-World) TPM 2.0 in China.
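The practical consequence of the SHA1-only note above is in the PCR banks: a TPM 1.2 can only hold SHA1 measurements, while a TPM 2.0 can also hold SHA256 ones, so any sealing or attestation policy bound to a SHA256 PCR is unattainable on TPM 1.2. The following added example (not Dell's code, and not from the post) replays a constructed measured-boot event log into each bank to show this; the event data and PCR assignments are placeholders chosen for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example, not Dell's code: models the SHA-1-only PCR bank of TPM 1.2 versus the
# SHA-1 plus SHA-256 banks of TPM 2.0 by replaying a constructed event log into each bank,
# the way a verifier recomputes expected PCR values from a boot log.

PCR_BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
TPM12_BANKS = ("sha1",)            # TPM 1.2: SHA-1 only
TPM20_BANKS = ("sha1", "sha256")   # TPM 2.0: SHA-1 and SHA-256

def pcr_extend(old: bytes, digest: bytes, alg: str) -> bytes:
    """One PCR extend: new = H(old || digest). PCR width equals the bank's digest size."""
    h = PCR_BANKS[alg]
    size = h().digest_size
    if len(old) != size or len(digest) != size:
        raise ValueError(f"{alg} PCR and event digests must be {size} bytes")
    return h(old + digest).digest()

def replay_event_log(events: List[Tuple[int, bytes]],
                     banks: Tuple[str, ...]) -> Dict[str, Dict[int, bytes]]:
    """Replay (pcr_index, event_data) pairs into every bank the TPM offers, from all-zero PCRs."""
    pcrs: Dict[str, Dict[int, bytes]] = {alg: {} for alg in banks}
    for alg in banks:
        size = PCR_BANKS[alg]().digest_size
        for index, data in events:
            old = pcrs[alg].get(index, bytes(size))
            pcrs[alg][index] = pcr_extend(old, PCR_BANKS[alg](data).digest(), alg)
    return pcrs

def policy_satisfiable(banks: Tuple[str, ...], required_alg: str) -> bool:
    """A policy bound to a PCR in a given bank can only be met if the TPM has that bank."""
    return required_alg in banks

# Constructed event log (placeholders, not real firmware images): (PCR index, measured data),
# loosely mirroring firmware, boot loader and Secure Boot variable measurements.
EVENT_LOG = [
    (0, b"platform-firmware-image"),
    (4, b"efi-boot-loader"),
    (7, b"secure-boot-variables"),
]

if __name__ == "__main__":
    for name, banks in (("TPM 1.2", TPM12_BANKS), ("TPM 2.0", TPM20_BANKS)):
        pcrs = replay_event_log(EVENT_LOG, banks)
        print(name, "- SHA-256 PCR policy satisfiable:", policy_satisfiable(banks, "sha256"))
        for alg in banks:
            for index, value in sorted(pcrs[alg].items()):
                print(f"  {alg:6} PCR[{index}] = {value.hex()}")
```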
Key decision criteria –
TPM 1.2 and 2.0 are not compatible with each other: TPM 2.0 introduces too many changes, enhancements and improvements. Choose carefully, based on your infrastructure needs.
TPM 2.0 differences - http://www.trustedcomputinggroup.org/resources/protect_your_data_and_enhance_security
See section 8, p. 22 - http://www.trustedcomputinggroup.org/files/static_page_files/C2122862-1A4B-B294-D0289FD15408693D/TPM%20Rev%202.0%20Part%201%20-%20Architecture%2001.07-2014-03-13.pdf
For Windows operating systems, using TPM 2.0 requires UEFI boot mode to be fully compatible. For other operating systems, contact the vendor for information on any requirements they have for proper use of TPM 2.0.
TPM 1.2 is supported by many current operating systems and so enjoys broader support among the operating systems shipping today.
Dell strongly suggests that any TPM purchased today should be TPM 2.0 to ensure support for new TPM usage models. If TPM 1.2 is preferred, be aware that this locks you into an older, less secure technology.
TPM 2.0 is supported in the following OS -
Microsoft Windows 2012R2 and later.
For latest info visit the OS support page: http://www.dell.com/support/contents/us/en/04/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/server-operating-system-support
Important information –
In 13G and later servers the TPM is a separate, installable/removable module (with the exception of the Dell PowerEdge R930, where the module is soldered to the system board). Once enabled on a specific system, however, the module is locked to that system and cannot be moved to any other. This physical and cryptographic binding ensures that platform integrity cannot be breached, and that data cannot simply be moved to another platform along with the TPM.