MS-4462 TPM

AMD processors have the TPM device imbedded into the die. This reduces the cost of having a secure system.

The problem with the approach is that a BIOS reset which comes with every update also clobbers and resets the TPM enclave in the CPU.

The old Lenovo machines have a discrete TPM device soldered to the motherboard. It is handled by the BIOS and it can be used by Windows Vista and above for security such as bitlocker.

A few years ago the BIOS for the X230 was updated over the meltdown CPU problem. At the time the machine was using Windows before it was repurposed as a web server. At present the machine is running Linux to host the site. When the BIOS update was applied the machine needed to reboot and Windows restarted fine. The X230 TPM was not in use.

Earlier on I noticed that BIOS updates clobbered bitlocker which resulted in having to supplying the key manually. No cut and paste was possible. A USB stick with the keys could be used but Windows is not designed that way.

Problems with bitlocker motivated the iPad so that keys could be opened for recovery.. Keeping the keys on OneDrive seemed like the solution to BIOS updates. Still it was a nuisance.

A redesign that allows for a BIOS update that is discrete from the TPM and secure boot would go far to eliminating problems. The redesign does not alter the cost of the machine.