Build A TPM Module For Your Server

One of the big stories surrounding the announcement of Windows 11 was that it would require support for TPM 2.0, or Trusted Platform Module, to run. This takes the form of an on-board cryptographic processor, which Microsoft claims will help against malware, but which perhaps more importantly for Redmond, can be used to enforce DRM.  Part of the standard involves a hardware module, and [Zane] has built a couple of them for ASrock server motherboards.

The chip in question is the Infineon SLB9965, which with a bit of research was found to map more or less directly to the pins of the TPM socket on the motherboard. The interesting thing here lies in the background research it gives into TPMs, and furthermore the links to other resources dealing with the topic. The chances are that most readers needing a TPM will simply buy one, but all knowledge is useful when it comes to these things.

Our weekly security roundup has been keeping an eye on the use of TPMs for a while, and has even shown us some ways that people have used to bypass the modules.

60 thoughts on “Build A TPM Module For Your Server

    1. Seems like a reasonable reason :) While I don’t appreciate that this requirement will generate a lot of ewaste in incompatible older machines, I don’t think it is an unreasonable requirement. I seems like a natural step forward, towards being able to control the authenticity of digital content, which should be a good thing – right? Or maybe there’s something I’m not seeing?

      1. Perhaps you have never done research, needing to directly sample or quote a source, which when I went to college, was free. Imagine being a poor college kid in music history class today and having to pony up for ascap, bmi, and sesac license to do your homework. Or wait 90 years for stuff to drop out of copyright. Content owners want to make borrowing music of any kind from any date something they can monetize in perpetuity. DRM is an abomination to a democratic (small d) society.

        1. Actually it’s the author’s death + 90 years, so de facto it could be a lot more. And if bastards like Di$ney lobby for an additional extension then it’ll be even more.

      2. Yes, you seem to be completely missing the fact that DRM and by extension TPM is a way for malevolent corporations to gain unprecedented control over your own private hardware. No, it’s not a natural step forward, it’s a natural step for evil-doing entities to make their own customers’ lives more miserable. Would you be happy with random corporations controlling various aspects of your home computer? Because I surely won’t.

    2. Yes, that would have made sense in the 2000s for sure, when the product activation was new.

      But nowadays, MS can be happy if users are willing to upgrade, at all. Win 2k, XP, Windows 7..
      They all had loyal users who gladly paid for an extended support.

      Windows 8-11, not so much. Since Windows 8, software-as-a-service is the new concept. Users nolonger buy an OS, they rather rent it (Office 365 etc) and have none of the rights involved with traditional ownership.

      The money at MS rather is made through advertisements, abonnements, selling server storage, collecting personal information etc.

      I’d even go so far to say that the best things that could possibly happen to MS was if users kept pirating Windows like in the old days.

      Unfortunately, for some people, like myself, a free copy of Windows 1x is still too expensive. Microsoft would have to pay people like me to actually use it. No, seriously.

      1. “Microsoft would have to pay people like me to actually use it.” +1

        My current laptop is getting creaky and will need to be replaced soon. When I buy a new machine I always buy a second HD for it. I’ll get Windows activated and set up then shut down the machine and replace the drive. The new drive gets my OS of choice installed. The original HD gets put away and will only be reinstalled if there are warranty issues with the machine.

      1. If you don’t already have a Windows 7, 8.x, 10, or 11 license then switching to Beta or Dev will not get around the activation. If it activates then it’s because it is using an already existing Windows license on the machine.

      1. 98?

        Your friend is a very very perverted masochist.

        Not Topeka perverted, not SF perverted, not even Berlin perverted.
        Redmond perverted.

        Windows 2000 was the best ‘it’ ever got IMHO.
        I’ll see myself to the blue screen dungeon.

        I also have a 98 machine, but only to play with an ancient VR helmet from time to time. Mostly booted to DOS. Likely the last VooDoo Rush card still running. If it still boots…

  1. Most motherboards these days are able to emulate TPM functionality in the UEFI firmware (fTPM), so you rarely need such LPC-bus plugin boards with a dedicated TPM chip for Windows 11 compatibility. The fTPM just needs to be enabled in the UEFI configuration menu. Since Windows 11 appeared, they have been widely enabled by default in newer UEFI updates.

    1. Isn’t it so that the CPU has a integrated tpm module that is enabled by the UEFI firmware? And if your CPU has a tpm less than version 2 a external module can be used instead?

    2. Depends on the motherboard/firmware. For instance I have a CPU that absolutely supports TPM 2.0, but my motherboard manufacturer has not (and according to their support team have no intentions of ever) released an updated firmware revision for my model (as they have with many other models) which will allow me to enable this feature in UEFI. Instead they require me to purchase a TPM module which currently runs about $80(!!!). Quite frustrated with ASUS on that one…

        1. I spent my evening removing my Gigabyte motherboard twice. It had stupid plastic trim pieces screwed on from the back that physically interfered with my “new” GPU (only $200 over MSRP!)

          I was amused to discover that the integrated wifi was just a socketed module hiding behind the IO panel, though!

    3. On Intel motherboards at least, PTT is used for TPM emulation. It’s embedded in the management engine software. No idea about AMD though, haven’t worked with AMD firmware.

    1. Only newer processors have firmware TPM emulation. Even then some of them (e.g. Zen1 and some older Intel) aren’t even supported by Windows 11.

      As for random TPM modules, I do hope they have the right pinouts, interface and connectors type to match your motherboard(s). Just out of my 3 of my motherboards, I have seen 0.1″, 2mm and some finer pitched connectors with SPI or LPC.

      As for the layout, I would trust random module over this one. The decoupling caps placement and routing is meh. It tells me that the person know nothing about high speed signal integrity.

      1. You’re right.

        I know absolutely nothing about high speed signal integrity.

        This is the second hardware PCB that I’ve ever designed just for my use cases.

        But thank you for your feedback. Will look into this topic next time when I have something that requires board design.

      2. > The decoupling caps placement and routing is meh. It tells me that the person know nothing about high speed signal integrity.

        It’s a 33 MHz bus. You could route that over artistically twisted paperclips.

          1. Routing signal traces is different than routing breakouts for decoupling caps. Signal traces are for things with 50 or 60ohms range (or 100-ish ohms for network). For decoupling, you want to be in the tenth ohms or less.

            If you don’t know the difference, well good luck.

        1. It is funny seeing people defending poor layout practice.

          It’s the edge rate you have to worry about. i.e. dv/dt I have seen ringing on a circuit that operates at 10MHz. The actual part has a measured less than 1ns rise/fall time (modern process node). That’s the part that cause ringing.

          The part that can operate at 33MHz would have to have fast enough rise/fall time much faster than its 30ns period, right?

          Those long track adds parasitic inductance to the decoupling. So you are making those 5 decoupling caps very ineffective.

      3. I just installed 11 on my 1950x PC. I was shocked to find out Microsoft says my 3 year old 16 core processor is not supported. Luckily they provide a pretty simple workaround on their support site. I still had to turn on the TPM, though.

        1. Nice, was it a matter of turning on TPM emulation in bios?

          I think Microsoft needs to be clearer about that option (AMD and Intel too of course they gain from peoples ignored in terms of extra sales!).

      4. You’re absolutely right, I have no idea about signal integrity as I’m not a hardware engineer.

        This is the second PCB I’ve ever designed and it was mainly just a challenge for me.

        Thanks for your feedback and I’ll look into that in the future.

  2. “This takes the form of an on-board cryptographic processor, which Microsoft claims will help against malware, but which perhaps more importantly for Redmond, can be used to enforce DRM.” Has any company actually done this? I’ve seen a lot of fearmongering about TPMs, but the security benefits of them are definitely real and I’m unable to find any evidence of them being misused.

    1. The order-dependent nature of TPM PCRs makes trying to do anything with them after the early boot, when order if programs running becomes non deterministic, incredibly impractical. That’s why DRM mostly hasn’t materialized.

  3. This is nice but there is still the restriction of not being on the invited CPU list to run W11. Yes I know about the workarounds but we shouldn’t have to do that. It should be a straight install without having to fix it. Back in the past hardware dictated software where coders would make magic happen in 4k-8k of memory. Then came the memory and CPU boom and with it sloppy programming and bloatware. Now the tables have turned and software is dictating hardware (ie TPM and CPU). Yeah I know security.. blah blah blah. M$ is following the pattern of 8 and Vista except the timing was wrong. A M$ official said that people were going to buy new computers anyway to run Win11. Yeah.. wait.. what ? You drop this during a world crisis and think people will run out and buy a new computer so they can bask in the glow of the Win11 experience you hype in the commercials ? Well guess M$ has done it to us again…and now W12 is in progress ? This only helps Linux/Wine and REACT O/S to keep improving to free us from this bumbling.

    1. “Well guess M$ has done it to us again…and now W12 is in progress ? This only helps Linux/Wine and REACT O/S to keep improving to free us from this bumbling.”

      Hopefully people who believe that are putting their money where their mouth is, and making it happen because wishing isn’t working.

  4. I would like if someone tried the other way around. Make it as unsecure and talkative to you as you can, to break any DRM that would try to use it and rip apart its secrets.

    1. For a basic proof of concept, it could be a fun project using something totally insecure like an Arduino – which typically has 32KiB of flash (you only need about 2-3KiB of Non-Volatile Storage (eeprom or flash). But you might need a few more, since most proper TPM modules come with factory hardcoded “EPS” (Endorsement Primary Seed) which typically can never be changed, to be cheaper to manufacture, avoids corruption as a point of failure, and it help you fully outsource all your TRUST to the factory where they were created – They would never keep a backup copy of the EPS (unless they were given a FISA court order with gagging).

      Or in fact any cheap CPU or SoC with just a few GPIO pins to implement SPI/I2C/LPC(Low Pin Count) to emulate the minimal expected responses from a TPM 2.0 module would work. RPi hardware would be overkill, but it could be done a starting point would be from 2015 where someone did a final year project project “Emulation of TPM on Raspberry Pi”

      A starting point would be the Trusted Computing Group’s TPM2 Software Stack ( – BSD-2-Clause License ).

      TPM Genie (An I2C bus interposer for discrete Trusted Platform Modules) is probably worth a look even though it was for TPM 1.2 modules.

  5. You can bypass TPM requirements, CPU and memory requirements by doing a registry hack during the win11 install.
    I recently installed win11 on a non TPM PC with an old i5 gen 3 cpu. Worked perfectly fine.

  6. YES! I thought of doing this exact thing, basically cloning the modules Asus makes, but they came back into stock before I got started on it. I really wondered why people weren’t already doing it, most likely due to chip shortages making the actual chips pretty hard to find as well.

  7. Why cant M$, Google, and Apple simply create and release “the final” os and be done with all this nonsense. For all the hype and bullshit that surrounds these glorious new releases, it just looks like the same old recycled crap with maybe some insignificant new feature, that they’ll simply deprecate in the next release. In other words, design an awesome os, tight and bug free, security holes eliminated and all that done already before they release it to consumers. When it comes to other products, consumers expect them to be perfect and fully working right out of the box. Why cant software products adhere to that same standard of expectation? Its not like we’re new at this, so that excuse is no longer valid.

  8. Genuine Windows 11 ISOs are available at GitHub bundled with modified installers that bypass TPM, Secure Boot, and compatible CPU checks. These builds function 100% normal and receive all updates from Microsoft. Microsoft’s emphasis on TPM and Secure Boot for Windows 11 makes very little sense considering the fact that the feature checks can be so easily bypassed.

    1. Then you aren’t the target. They aren’t trying to screw you. It’s actually a security thing (the tpm bit), they’ve published research showing that some tech reduced exploits by roughly 2/3 iirc.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.