The Trusted Platform Module

What is the Trusted Platform Module?

The Trusted Platform Module is a hardware device that can very quickly encrypt data on request. It can also be used to generate streams of random numbers, the kind that are random enough to be used for cryptography rather than the ‘pseudo-random’ numbers that can be generated using just software. Encryption and decryption are very important these days, when browsing the Internet can feel more like being a footsoldier in an electronic war.

How the Trusted Platform Module can go wrong

I was recently working on a Lenovo laptop that was running extremely slowly, and after looking at the system event log realised that a problem with the Trusted Platform Module was generating a large number of error messages. In fact there were so many errors that recording them all was the main reason that the system was running so sluggishly. Almost all of the error messages said:

‘The initialization of the Trusted Platform Module (TPM) failed. The TPM may be in failure mode. To allow diagnosis, contact the TPM manufacturer with the attached information.’

In this case the Trusted Platform Module was manufactured by Intel. However, despite the advice in the message, I didn’t even consider contacting them. I used to work for Intel many years ago and had a pretty good idea that asking them for help would be a waste of time, and in any case suspected that it was more likely to be a Microsoft problem. Obviously contacting Microsoft wouldn’t get me anywhere either, so it was the usual case of sorting out the problem myself.

Resetting the Trusted Platform Module

If the Trusted Platform Module chip had physically failed, there would not have been anything we could have done about it other than fit a replacement. However, it was not very likely that the Trusted Platform Module was really broken. What had probably happened was that the Trusted Platform Module chip was alright, but had fallen into ‘failure mode’ and therefore needed to be reset. The only practical thing to do was go through the reset procedure and see if it worked.

Having said that, resetting the Trusted Platform Module was not without its risks. If the laptop contained any data that had been encrypted by the Trusted Platform Module, it would be impossible to decrypt such data if the Trusted Platform Module was reset, because the resetting process would involve throwing away the current encryption / decryption keys. The solution to this potential problem was to back up all the user data first. Thankfully there were not many user files, so the backup did not take very long.

After replying ‘get on with it’ to numerous dire warnings when asking to reset the Trusted Platform Module chip, and biting my nails while the process took place, the user data were all still readable. This is because the information was stored as plain text rather than being encrypted. However, it would probably have been a very different story if any of the user data had been protected using software such as ‘BitLocker’ and the keys had been lost.
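
A pre-reset check for the risk described above, as an added example that is not part of the original post: it reports the TPM state, counts recent TPM errors in the System log, and flags BitLocker volumes whose keys depend on the TPM. It assumes an elevated PowerShell prompt on a Windows edition that includes the Get-Tpm and Get-BitLockerVolume cmdlets; Get-TpmResetRisk is a hypothetical helper name.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Checks BitLocker only; other software may also keep keys in the TPM.

function Get-TpmResetRisk {
    param(
        # Volume objects in the shape returned by Get-BitLockerVolume
        [Parameter(Mandatory)] [object[]] $Volume
    )
    foreach ($v in $Volume) {
        $types       = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $usesTpm     = [bool]($types -like 'Tpm*')        # Tpm, TpmPin, TpmStartupKey, ...
        $hasRecovery = $types -contains 'RecoveryPassword'
        $encrypted   = [string]$v.VolumeStatus -ne 'FullyDecrypted'

        $verdict = if (-not $encrypted) {
            'Not encrypted: a TPM reset does not affect this volume'
        } elseif ($usesTpm -and -not $hasRecovery) {
            'STOP: key is sealed to the TPM and no recovery password exists'
        } elseif ($usesTpm) {
            'Confirm the recovery password is saved off this machine before resetting'
        } else {
            'Encrypted, but no TPM-based protector found'
        }
        [pscustomobject]@{
            MountPoint = $v.MountPoint; Status = $v.VolumeStatus
            Protectors = $types -join ', '; Verdict = $verdict
        }
    }
}

# Live checks on the machine about to be reset.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# Count System-log errors from the last 24 hours that mention the TPM,
# matching the message text quoted in the post rather than assuming an event ID.
$tpmErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Trusted Platform Module' }
"TPM errors in System log (24h): $(@($tpmErrors).Count)"

Get-TpmResetRisk -Volume (Get-BitLockerVolume) | Format-List
```

Running the same error count again some time after the reset gives a before-and-after comparison of the event log.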

After letting the system run for quite a while, I checked the event log and the constant stream of Trusted Platform Module errors had thankfully stopped. The computer was running much faster than previously and the problem seemed to be solved. Like many Windows problems, you wouldn’t have much clue as to what was going on if it weren’t for the event logger. Having said that, many entries in the event logs are of little interest and Windows can still run if you ignore them.

You might be thinking that it would’ve been simpler to just stop the event logging process, but that could’ve masked all kinds of other errors, and for some reason several parts of Windows won’t work properly unless the event logger is running. I once disabled the event logger as part of an experiment, and the Wi-Fi stopped working for some reason. Many areas of Windows are poorly documented and exhibit what might politely be called ‘unexpected’ behaviour.