All Chrome devices are shipped with a Trusted Platform Module (TPM) to provide a number of hardware-level security features.
What does ChromeOS use the TPM for?
The operating system that runs Chrome devices, ChromeOS, uses the TPM to:
- Prevent software and firmware version rollback
- Maintain information to detect transitions between normal and developer modes
- Protect data encryption keys
- Protect certain user RSA keys (“hardware-backed” certificates)
- Provide tamper evidence for installation attributes
- Protect stateful partition encryption keys
- Attest TPM-protected keys
- Attest device mode
No remote computer has access to the TPM.
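The rollback prevention listed above, as an added example that is not ChromeOS or vboot code: a Python model of a version counter kept in TPM NVRAM that only ratchets forward, so that once a newer firmware has booted an older image is refused. The packed layout (key version in the upper 16 bits, firmware version in the lower 16) and all class and function names are assumptions made for this illustration.

```python
# Added illustration, not ChromeOS or vboot code. Models the check that
# verified boot performs against a minimum-version value held in TPM NVRAM.
# Assumed layout: combined version = (key_version << 16) | fw_version.

class TpmNvVersionSpace:
    """Stand-in for the TPM NVRAM space holding the minimum allowed version.
    Constructed for this example; a real TPM enforces the write policy."""

    def __init__(self, combined: int):
        self.combined = combined

    def read(self) -> int:
        return self.combined

    def write(self, combined: int) -> None:
        # Monotonic policy: the stored value may only increase. This is
        # what makes a downgrade impossible once a newer image has booted.
        if combined < self.combined:
            raise ValueError("refusing to lower stored version")
        self.combined = combined


def combined_version(key_version: int, fw_version: int) -> int:
    """Pack key and firmware versions into one comparable 32-bit value."""
    if not (0 <= key_version < 1 << 16 and 0 <= fw_version < 1 << 16):
        raise ValueError("versions must fit in 16 bits")
    return (key_version << 16) | fw_version


def check_and_update(space: TpmNvVersionSpace,
                     key_version: int, fw_version: int) -> bool:
    """Return True if the image may boot. The combined value is compared as
    a whole, so key version 2 / fw 0 outranks key version 1 / fw 99."""
    candidate = combined_version(key_version, fw_version)
    stored = space.read()
    if candidate < stored:
        return False            # rollback attempt: refuse to boot
    if candidate > stored:
        space.write(candidate)  # ratchet forward; the old image cannot return
    return True
```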
What does ChromeOS not use the TPM for?
ChromeOS does not use the TPM for the following:
- Trusted boot (the TPM isn’t used as part of the ChromeOS verified boot solution)
- Runtime platform configuration measurement
- Whole-disk encryption; in particular, the TPM isn’t used to unwrap an encryption key during the boot process
For more details on how a TPM is used within Chrome devices, refer to this documentation: http://www.chromium.org/developers/design-documents/tpm-usage