Why you need to own your Trusted Platform Module (TPM)
You might think that having your TPM security hardware be “owned” may not be a good thing. If you’re well-versed in slang, you’re excused. However, to own or “take ownership” of your computer’s TPM is actually desirable for both functionality and security.
Taking ownership of the TPM allows you to make full use of TPM capabilities and prevents any other user or software from usurping your ownership title. You are a TPM’s owner if you’re able to set the TPM owner password. Only one owner password exists per TPM, and anyone who knows that password effectively acts as the TPM owner.
So what’s the difference in functionality between a TPM which has a set owner and one which does not? Given that a TPM has an owner, what can the TPM owner do that a non-owner cannot? The first question is answered by documentation in the IsOwned method of the Vista TPM Windows Management Instrumentation (WMI) interface. This same WMI interface allows TPM owners to remotely configure a computer’s TPM. The WMI method ConvertToOwnerAuth takes as input the owner password and derives the 20-byte value that the TPM actually uses to authorize owner-restricted TPM functionality. You can then use the 20-byte owner authorization value to run WMI methods to Enable, Disable, and Clear a TPM. Of course, remotely configuring the TPM is not exactly the most interesting owner-only functionality that a TPM supports. Consult the “Owner Permission Settings” section of the Trusted Computing Group’s Structures of the TPM specification to list the TPM commands that are available only to a TPM owner.
For more information on setting a TPM owner:
For a related terminology trivia:
“Initialize” – a catch-all term to indicate all the steps that must be done to use the TPM with BitLocker or other security applications, including to turn on and take ownership of the TPM.
— Xian Ke