TPM & FIPS 140-2: What You Need to Know

TL;DR

While a Trusted Platform Module (TPM) chip isn’t *always* strictly required for FIPS 140-2 Level 1 compliance, it’s the most common and easiest way to achieve it. You can meet the requirements without one, but it significantly increases complexity. This guide explains what you need to consider.

Understanding FIPS 140-2 Level 1

FIPS 140-2 is a US government standard that specifies security requirements for cryptographic modules. Level 1 is the lowest level of certification, focusing on basic physical security and tamper evidence. It’s often required by organisations handling sensitive data.

Does FIPS 140-2 *require* a TPM?

No, it doesn’t explicitly mandate a TPM chip. However, the standard outlines requirements for things like:

  • Cryptographic Module Specification: Defining how crypto functions are implemented.
  • Module Interfaces: How users interact with the crypto module.
  • Roles, Services and Authentication: Controlling access to crypto operations.
  • Physical Security: Protecting against tampering.

A TPM simplifies meeting these requirements by providing a hardware-backed root of trust for key storage and cryptographic operations.

How a TPM Helps with FIPS 140-2 Level 1

  1. Secure Key Storage: TPMs store keys securely, preventing them from being easily accessed or copied.
  2. Hardware Root of Trust: The TPM provides a trusted foundation for verifying the integrity of the system boot process and software components.
  3. Attestation: A TPM can provide verifiable proof that the system is in a known good state.

Using a FIPS 140-2 validated TPM module makes achieving compliance much easier because it pre-certifies many of the underlying security components.

Meeting FIPS 140-2 Level 1 *Without* a TPM

It’s possible, but harder. You’ll need to demonstrate equivalent security controls through software and system design. This typically involves:

  1. Secure Boot: Implement a secure boot process that verifies the integrity of all loaded components (BIOS/UEFI, bootloader, OS kernel).
  2. Key Management System (KMS): Use a robust KMS with strong access controls and auditing.
  3. Tamper Detection: Implement mechanisms to detect physical tampering with the system. This could involve intrusion detection systems or hardware sensors.
  4. Cryptographic Module Validation: Ensure any cryptographic libraries you use are FIPS 140-2 validated (e.g., OpenSSL). You’ll need to configure them correctly for FIPS mode. For example, in OpenSSL:

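    # OpenSSL 3.x: self-test the FIPS provider and write its config, which openssl.cnf must then include (module path is a placeholder)
    openssl fipsinstall -out fipsmodule.cnf -module /path/to/ossl-modules/fips.so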
  5. Detailed Documentation: Extensive documentation is crucial to demonstrate compliance to auditors.

Checking TPM Status (Linux)

You can check whether a TPM is present and enabled on Linux using the tpm2-tools package:

    sudo tpm2_getcap properties-fixed | grep 'TPM2_PT_MANUFACTURER'

If this command returns output including `TPM2_PT_MANUFACTURER`, a TPM is likely present. If not, you may need to enable it in the BIOS/UEFI settings.
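
As an added example (not part of the original article), the POSIX shell functions below check the TPM version the kernel reports under sysfs, which works without tpm2-tools, and whether `openssl list -providers` (OpenSSL 3.x) shows the `fips` provider as active. The `SYSFS_TPM` override, the function names and the sample provider listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# SYSFS_TPM can be overridden (assumption, for testing against a fake tree).
SYSFS_TPM="${SYSFS_TPM:-/sys/class/tpm}"

# Print the TPM family the kernel reports for tpm0: absent, 1.2, 2.0 or unknown.
tpm_version() {
    dev="$SYSFS_TPM/tpm0"
    [ -d "$dev" ] || { echo absent; return 1; }
    # tpm_version_major is only exposed by newer kernels.
    [ -r "$dev/tpm_version_major" ] || { echo unknown; return 0; }
    case "$(cat "$dev/tpm_version_major")" in
        2) echo 2.0 ;;
        1) echo 1.2 ;;
        *) echo unknown ;;
    esac
}

# Read `openssl list -providers` output on stdin and succeed only when the
# "fips" provider block itself carries "status: active".
fips_provider_active() {
    awk '
        /^  [^ ]/ { cur = $1 }    # two-space indent marks a provider id line
        cur == "fips" && /status: active/ { ok = 1 }
        END { exit !ok }
    '
}

# Constructed sample of OpenSSL 3.x output (not captured from a real host).
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active'

report() {
    echo "TPM (sysfs): $(tpm_version)"
    if openssl list -providers 2>/dev/null | fips_provider_active; then
        echo "OpenSSL FIPS provider: active"
    else
        echo "OpenSSL FIPS provider: not active"
    fi
}
report
```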

Checking TPM Status (Windows)

  1. Press Win + R and type tpm.msc then press Enter.
  2. The TPM Management console will open, showing the TPM status.

Conclusion

While not strictly required, a TPM chip significantly simplifies achieving FIPS 140-2 Level 1 compliance. If you don’t use a TPM, be prepared for more complex configuration and extensive documentation to prove equivalent security controls.
