As we are about to refresh our research stations I figured I should re-familiarize myself with UVic policies and any current technologies that accommodate them.
UVic requires the use of TPM on machines that store confidential or highly-confidential data. While we never store confidential data on the research machines, there is an institutional concern around the re-purposing of hardware that may not conform to the institutional standard. That standard includes built-in support for TPM (trusted platform module), which is a standard as opposed to an implementation.
According to UVic "we utilize TPM modules to implement Bitlocker whole disk encryption on all of our managed computers". My reading of this is that, if Windows is installed on the machine, it facilitates whole-disk-encryption with MS Bitlocker. I have not found any indication that TPM is used for other purposes by the university.
In order to get approval for a non-standard device we have had to make declarations about our understanding that without "a TPM chip, it can not be re-purposed to access or store Confidential or Highly Confidential data as described in the Information Security Policy - IM7800." (quote from a standard declaration requirement for non-standard purchases).
It's useful to note that in the past TPM support was only available through a dedicated header on the motherboard that allowed the inclusion of a hardware module to provide TPM support. I believe this is the reason for the inclusion of the phrase "TPM chip". Importantly, some of these hardware modules had vulnerabilites.
While IM7800 does not actually mention 'TPM' or 'trusted platform module', it does say that devices storing any 'confidential' information are required to have encrypted disks ("encryption mandatory on mobile devices and workstations, and strongly recommended in all environments.").
Of course, whole disk encryption does not require TPM but, if Windows is on the device, UVic has a standard method for rolling out Bitlocker on a new build that utilizes TPM, so fair enough. TPM support is a perfectly reasonable stance. No arguments here.
There is a slight wrinkle for us - we don't use Windows. So, when we buy hardware we are also asked to acknowledge that "because there is no OEM Windows operating system included in this purchase, ... no Microsoft software licenses included in the UVic Microsoft Campus Agreement can be used on this computer and that it can not be re-purposed with a MS campus agreement Windows license in the future as it will not qualify." (again, quoted from a standard declaration requirement for non-standard purchases). No concern for us as we don't have any intention of installing Windows on these machines.
The ultimate fate of these machines after we retire them is not really something we can predict, but it seems clear that if the device remains on-campus the recipient will not be able to use the UVic Windows image unless they buy a license. Which seems fair.
When a non-standard device goes through the purchasing pipeline it is reviewed by Systems to determine its conformance with UVic standards, including the existence of a TPM chip on the motherboard. In the past this would have made sense as the only implementation of TPM was a hardware module. However, as TPM is a standard, and not an implementation, there are now other methods for delivering full TPM 2.0 support.
Nowadays, the Microsoft stance on TPM is as follows "Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.". So, Microsoft is agnostic about the implementation. Dedicated hardware modules and fTPM are considered equally secure by Microsoft.
Long story short: as long as a device has a TPM implementation that is conformant to the standard it should pass TSC review (lack of OEM Windows license notwithstanding).
Here's the point: Intel Platform Trust Technology (PTT) is an actual implementation of TPM and fully supports all of Microsoft's requirements in this regard. Per Microsoft's declaration (above) that "Windows uses any compatible TPM in the same way" it is reasonable to assume that a device with TPM support through PTT will respond identically to having a UVic standard Windows image deployed to it. That is, putting that image on a device with PTT support but no dedicated TPM chip will have an identically encrypted and safe drive. Standards are met, and expected levels of data security are achieved.
So, we need to find devices that meet a standard, not an implementation.