TPM classes
A device's TpmClassis what kind of trust root signed its attestation: a discrete TPM chip, a firmware TPM baked into the CPU, a cloud provider's virtual TPM, or a software emulator. Root Herald derives it from the endorsement-key certificate chain, so a device can't claim a class it isn't. Every attested device gets exactly one.
Why the class matters
The class settles two questions you'd otherwise answer vendor by vendor. First, which assurance a device earns: the real-device and oem-keyed claims follow from the hardware and firmware-tpm families, so you can require genuine silicon without naming every manufacturer. Second, whether a policy accepts it at all: the default strict-hardware policy takes the hardware and firmware-tpm groups and turns away cloud vTPMs and emulators.
The assurance column below, from High to None, tracks how isolated the key material is: a discrete chip on its own bus at the top, a user-space emulator with no hardware secret at the bottom. That is the lever behind use cases like real & secure hardware (accept hardware, reject the rest) and blocking cloud-based abuse (reject cloud-vtpm).
The full taxonomy
| Class | Group | Assurance | Strict-HW | Description | Policy implications |
|---|---|---|---|---|---|
| hardware-discrete-infineon | hardware-discrete | High | ✓ | Discrete Infineon Optiga SLB / TPM 2.0 chip. Verified against the Infineon root. | Default-accepted under strict-hardware. EK certs are signed by Infineon CAs that we hold in the trust-anchor manifest. |
| hardware-discrete-stmicro | hardware-discrete | High | ✓ | STMicroelectronics ST33 / ST73 family discrete TPM 2.0. | Default-accepted; chain to STMicro Global TPM CA. |
| hardware-discrete-nuvoton | hardware-discrete | High | ✓ | Nuvoton NPCT75x / NPCT65x discrete TPM 2.0. | Default-accepted; Nuvoton Global Root TPM Manufacturer CA. |
| hardware-discrete-other | hardware-discrete | High | ✓ | Discrete TPMs from less-common vendors (e.g. SLM 9670, Atmel, Broadcom) that still chain to a TCG-listed root. | Default-accepted. If you see your devices classed as 'other' you can pin the exact subclass in policy. |
| firmware-tpm-intel-ptt | firmware-tpm | High | ✓ | Intel Platform Trust Technology: a TPM 2.0 implementation that runs inside the Intel Management Engine. | Default-accepted under strict-hardware. It inherits the assurance limitations of the Intel ME's broader trust model: high in practice, but not identical to a discrete chip on its own bus. |
| firmware-tpm-amd-ftpm | firmware-tpm | High | ✓ | AMD firmware TPM running on the PSP (Platform Security Processor). | Default-accepted; chain through AMD PSP root CA. |
| firmware-tpm-pluton | firmware-tpm | High | ✓ | Microsoft Pluton security processor, a discrete-equivalent firmware TPM built into the CPU silicon. | Default-accepted. Pluton is more isolated than PTT or fTPM, and is the highest-assurance firmware TPM on the market. |
| cloud-vtpm-aws-nitro | cloud-vtpm | Medium | — | AWS NitroTPM: a TPM 2.0 service backed by the Nitro hypervisor and exposed to EC2 instances. | Rejected by strict-hardware. Accept under cloud-permissive or cloud-cross-validated. The Nitro attestation document plus EC2 IID cross-validation defeats cuckoo replay; without those, the EK cert proves nothing about which AWS account is running the instance. |
| cloud-vtpm-azure | cloud-vtpm | Medium | — | Microsoft Azure trusted launch: a virtual TPM 2.0 that Hyper-V provides to Gen2 VMs from the host. | Rejected by strict-hardware. Accept under cloud-permissive; cross-validate against Managed Service Identity claims for cuckoo defense. |
| cloud-vtpm-gcp | cloud-vtpm | Medium | — | Google Cloud Shielded VM: a virtual TPM 2.0 backed by Titan-secured GCE hosts. | Rejected by strict-hardware. Cross-validate using GCE attested instance identity tokens. |
| emulated-swtpm | emulated | None | — | IBM swtpm or the Microsoft simulator: a software TPM that runs entirely in user space. We detect it from the manufacturer string (IBM SW TPM) and the absence of a vendor-signed EK cert. | Always rejected by strict-hardware. Useful for development; never accept in production. The IBM swtpm has a specific manufacturer string we detect deterministically; see /security/vtpm-detection. |
| mobile-android-strongbox | mobile-hardware | High | ✓ | Android Key Attestation with a StrongBox Keymaster: a separate secure element, with assurance equivalent to a discrete hardware TPM. | Default-accepted; signed by Google's StrongBox attestation root. |
| mobile-android-tee | mobile-hardware | High | ✓ | Android Key Attestation in the TEE (TrustZone). Standard on every modern Android device. | Default-accepted; signed by Google's TEE attestation root. |
| mobile-apple-secure-enclave | mobile-hardware | High | ✓ | Apple Secure Enclave key attestation on iOS / macOS. | Default-accepted; chained to the Apple Secure Enclave root. |
| mobile-apple-app-attest | mobile-hardware | High | ✓ | Apple DCAppAttestService (iOS 14+ App Attest). | Default-accepted; signed by Apple App Attest root. |
| mobile-android-software | mobile-software | Reduced | — | Android Key Attestation falling back to a software-backed key when no TEE is present, which is extremely rare on modern devices. | Rejected by strict-hardware. Useful only for warn-not-fail observability rollouts. |
Using the class in policy
Use a group name (hardware, firmware-tpm, cloud-vtpm, mobile-hardware, mobile-software, emulated) to accept every vendor in it, or pin a specific class (hardware-discrete-infineon). Group names expand at evaluation time, so a policy that names the group picks up a new vendor (say hardware-discrete-microchip) automatically when we add one.
{
"name": "accept-secure-hardware",
"acceptedClassGroups": ["hardware", "firmware-tpm", "mobile-hardware"],
"acceptedSpecificClasses": ["firmware-tpm-pluton"]
}If you have devices being classified as unknownand you believe they have a legitimate hardware TPM, contact support with a sample EK certificate. We'll trace the issuer chain and either find the trust anchor in our existing set (and fix the classifier) or add the new vendor root.