Skip to content
Reference

TPM classes

A device's TpmClassis what kind of trust root signed its attestation: a discrete TPM chip, a firmware TPM baked into the CPU, a cloud provider's virtual TPM, or a software emulator. Root Herald derives it from the endorsement-key certificate chain, so a device can't claim a class it isn't. Every attested device gets exactly one.

Why the class matters

The class settles two questions you'd otherwise answer vendor by vendor. First, which assurance a device earns: the real-device and oem-keyed claims follow from the hardware and firmware-tpm families, so you can require genuine silicon without naming every manufacturer. Second, whether a policy accepts it at all: the default strict-hardware policy takes the hardware and firmware-tpm groups and turns away cloud vTPMs and emulators.

The assurance column below, from High to None, tracks how isolated the key material is: a discrete chip on its own bus at the top, a user-space emulator with no hardware secret at the bottom. That is the lever behind use cases like real & secure hardware (accept hardware, reject the rest) and blocking cloud-based abuse (reject cloud-vtpm).

The full taxonomy

ClassGroupAssuranceStrict-HWDescriptionPolicy implications
hardware-discrete-infineonhardware-discreteHighDiscrete Infineon Optiga SLB / TPM 2.0 chip. Verified against the Infineon root.Default-accepted under strict-hardware. EK certs are signed by Infineon CAs that we hold in the trust-anchor manifest.
hardware-discrete-stmicrohardware-discreteHighSTMicroelectronics ST33 / ST73 family discrete TPM 2.0.Default-accepted; chain to STMicro Global TPM CA.
hardware-discrete-nuvotonhardware-discreteHighNuvoton NPCT75x / NPCT65x discrete TPM 2.0.Default-accepted; Nuvoton Global Root TPM Manufacturer CA.
hardware-discrete-otherhardware-discreteHighDiscrete TPMs from less-common vendors (e.g. SLM 9670, Atmel, Broadcom) that still chain to a TCG-listed root.Default-accepted. If you see your devices classed as 'other' you can pin the exact subclass in policy.
firmware-tpm-intel-pttfirmware-tpmHighIntel Platform Trust Technology: a TPM 2.0 implementation that runs inside the Intel Management Engine.Default-accepted under strict-hardware. It inherits the assurance limitations of the Intel ME's broader trust model: high in practice, but not identical to a discrete chip on its own bus.
firmware-tpm-amd-ftpmfirmware-tpmHighAMD firmware TPM running on the PSP (Platform Security Processor).Default-accepted; chain through AMD PSP root CA.
firmware-tpm-plutonfirmware-tpmHighMicrosoft Pluton security processor, a discrete-equivalent firmware TPM built into the CPU silicon.Default-accepted. Pluton is more isolated than PTT or fTPM, and is the highest-assurance firmware TPM on the market.
cloud-vtpm-aws-nitrocloud-vtpmMediumAWS NitroTPM: a TPM 2.0 service backed by the Nitro hypervisor and exposed to EC2 instances.Rejected by strict-hardware. Accept under cloud-permissive or cloud-cross-validated. The Nitro attestation document plus EC2 IID cross-validation defeats cuckoo replay; without those, the EK cert proves nothing about which AWS account is running the instance.
cloud-vtpm-azurecloud-vtpmMediumMicrosoft Azure trusted launch: a virtual TPM 2.0 that Hyper-V provides to Gen2 VMs from the host.Rejected by strict-hardware. Accept under cloud-permissive; cross-validate against Managed Service Identity claims for cuckoo defense.
cloud-vtpm-gcpcloud-vtpmMediumGoogle Cloud Shielded VM: a virtual TPM 2.0 backed by Titan-secured GCE hosts.Rejected by strict-hardware. Cross-validate using GCE attested instance identity tokens.
emulated-swtpmemulatedNoneIBM swtpm or the Microsoft simulator: a software TPM that runs entirely in user space. We detect it from the manufacturer string (IBM SW TPM) and the absence of a vendor-signed EK cert.Always rejected by strict-hardware. Useful for development; never accept in production. The IBM swtpm has a specific manufacturer string we detect deterministically; see /security/vtpm-detection.
mobile-android-strongboxmobile-hardwareHighAndroid Key Attestation with a StrongBox Keymaster: a separate secure element, with assurance equivalent to a discrete hardware TPM.Default-accepted; signed by Google's StrongBox attestation root.
mobile-android-teemobile-hardwareHighAndroid Key Attestation in the TEE (TrustZone). Standard on every modern Android device.Default-accepted; signed by Google's TEE attestation root.
mobile-apple-secure-enclavemobile-hardwareHighApple Secure Enclave key attestation on iOS / macOS.Default-accepted; chained to the Apple Secure Enclave root.
mobile-apple-app-attestmobile-hardwareHighApple DCAppAttestService (iOS 14+ App Attest).Default-accepted; signed by Apple App Attest root.
mobile-android-softwaremobile-softwareReducedAndroid Key Attestation falling back to a software-backed key when no TEE is present, which is extremely rare on modern devices.Rejected by strict-hardware. Useful only for warn-not-fail observability rollouts.

Using the class in policy

Use a group name (hardware, firmware-tpm, cloud-vtpm, mobile-hardware, mobile-software, emulated) to accept every vendor in it, or pin a specific class (hardware-discrete-infineon). Group names expand at evaluation time, so a policy that names the group picks up a new vendor (say hardware-discrete-microchip) automatically when we add one.

POST /api/v1/admin/policiesjson
{
  "name": "accept-secure-hardware",
  "acceptedClassGroups": ["hardware", "firmware-tpm", "mobile-hardware"],
  "acceptedSpecificClasses": ["firmware-tpm-pluton"]
}
Want a new class registered?

If you have devices being classified as unknownand you believe they have a legitimate hardware TPM, contact support with a sample EK certificate. We'll trace the issuer chain and either find the trust anchor in our existing set (and fix the classifier) or add the new vendor root.