Differences between Titan chips?

myAinsel

I'm hoping to get some information regarding the Titan C/M chips. What are the main difference between the two of them? I know on the Pixel you can install custom signing keys, is that possible on a Chromebook as well? And how do the two of them differ from a normal TPM? I'm starting a project that night make use of them, so I'm looking for some preliminary info. I cant find much info on Google, so i figured here might know something. Thank you!

raccoondad

myAinsel 'custom signing keys, is that possible on a Chromebook as well?'

I don't believe so, but don't have a lot of information on it (correct me if im wrong internet)

TPMs function is boot signature checking, thats it. Titan chips are concerned about that alongside encryption.

Titan chips store the encryption key and only release it given the correct password is supplied to it. It has its own clock so it times itself out after a certain amount of failed attempts. It also can securely wipe these keys.

Once a key is dropped the data encrypted with it is deleted, at least by NIST standards

FlyingRacoon

raccoondad
TPM at least spec 2.0 has a lot more features than boot integrity check.

It does indeed store encryption keys/ certificates etc.
It also has an anti hammering (anti brute force) mechanism (default 32 attempts and then 1 per hour)

To be more safe you should enable preboot auth though

Afaik all three of them offer similar protection features. Just that M is specifically for Phones , C for Chromebooks and TPM is not designed for a specific OS

myAinsel

FlyingRacoon
Good to know. That widens my options a little, then. So is it more just that ChromeOS is the only player willing to do anything with those features, rather than the only one able to?

FlyingRacoon

myAinsel
What makes you assume that
If you have a Windows Machine with a TPM you can activate those features. You just need to enable preboot auth with bitlocker and TPM.
Integrity checks are default without any configuration starting from Win11 afaik

myAinsel

FlyingRacoon You're not wrong, but I was thinking in terms of Linux—I know Windows and macOS do similar things themselves. I'm more interested in trying to lay groundwork for an open source implementation of such a thing, so I wanted to know what was possible with existing hardware, until OpenTitan is available.

FlyingRacoon

myAinsel
I see your point.
Indeed Linux distorts can and many do use TPM to store keys but to different extends
here an example
https://wiki.archlinux.org/title/Trusted_Platform_Module

So it really depends on what kind of project your working on

myAinsel

FlyingRacoon Yeah, fair enough. I'll keep digging. Thank you!