Hi,
 
Does anyone know if the X570 FTW has a physical TPM?

I have not noticed any reference to any kind of TPM function in the manual, hardware or software based. Do they call it something else on there boards, I did come across one article saying it was on the Dark.
 
Thanks

I don’t have the x570 dark, but I have the x299 Dark as well as the X299 FTW, x299 Micro, and X299 Micro2, and all of them have built in TPM2.0. In the bios, they have an option for trusted computing that has to be turned on in the advanced options menu.

I would start by verifying if the trusted computing option is in the advanced options menu to see if it is baked onto the board rather than a separate module.

Nope, that is a totally different thing, and not what he is looking for.
 
Intel and AMD have major platform differences. Intel has "PTT" which incorporates a soft-TPM in the IME element of the motherboard. AMD does not have an IME equivalent, and relies on the AMD PSP which is an on-die Arm core with TrustZone.
This is the "AMD fTPM." The "f" in "fTPM" stands for 'firmware' but also stands for the F word you'll scream if you experience a CPU or motherboard failure. Just like Intel with IME-fused PTT, recovering the key after a failure of motherboard or CPU (either or) can be quite literally impossible. It is also up to the motherboard's BIOS to do it right, and basically, nobody does. (It's not their fault; it's Phoenix and AMI at fault there.) So a BIOS update might leave you completely locked out. Generally speaking, reference dTPM (discrete TPM) implementations are very stable and reliable.
AMD fTPM is also still badly broken in Windows 11 as the Windows AIK somehow does not have AMD's trust keys. So it often can't enroll the certificate on Windows 10 or 11, which will result in no end of problems. Plus the Intel-favoring shenanigans in 11 mean the fTPM incurs a very significant performance hit including stuttering, significant delays, reduced disk throughput, etc.
Point being, don't use AMD fTPM.
 
You should always use a discrete TPM whenever possible, because a discrete TPM provides a tamper-resistant physical module which can be physically relocated with keys intact in the event other system components fail. A dTPM can also be safely and securely replaced in the event of a compromise for a much lower cost (typically $20-40,) or physically removed and secured to protect a system when not in use. With PTT and fTPM, you have to replace entire motherboards, processors, or both.

optimadam
Woo actualrootwyrm is 100% correct and explained the problem way better than I would. We could talk about the next gen security chip (Pluton) that MS is pushing and which AMD is the first to implement, but that wouldn`t address my question and decision to buy the ftw board or not.
 
Having the header on the board is a good start, we just need to get confirmation from EVGA on the supported modules. I don`t want buy the board and do some trial and error of TPM modules to find out which ones work. Then lose all my keys x amount of time later because they updates the firmware or decided they don't like that module

You enable ftpm in bios. You don't need a module. Knowledge is all on the internet, no idea what the other guy is spouting. I know tons of people on X570, promise this is all you need to do.

random_matt
 
You enable ftpm in bios. You don't need a module. Knowledge is all on the internet, no idea what the other guy is spouting. I know tons of people on X570, promise this is all you need to do.

No, you don't. And the garbage out there isn't 'knowledge.'
 
I can guarantee you this "other guy" here has personally built more systems than EVGA has sold X570 Darks, and has been doing both OEM and ODM since before EVGA was even founded. I've probably built more systems than they've sold 3090's. And I quit doing anything but boutique in the desktop space back around '08. So everything I've shipped in the past 10+ years has required as much platform security as I can load on it. I am quite bluntly, probably more knowledgeable about platform security than EVGA's motherboard engineers. (Since they don't work with EPYC, and don't deal with PSB or Intel IME or AMT e-fuses. Frankly wish I didn't have to either.)
 
fTPM is literally a lowest common denominator, least durability solution that was thrown in to have something since they couldn't trust ODMs to do the right thing, and Intel does it in the must-buy IME side. Nowhere in any of AMD's official documentation or guidance for ODMs or OEMs will you find a single recommendation to use fTPM over dTPM, or even to use fTPM at all. In fact, AMD themselves recommend against using fTPM and using a dTPM specifically because of , a necessary reliance on the motherboard manufacturer to implement it correctly in BIOS (which includes maintaining the VBIOS element,) and Microsoft introducing problems constantly.
(No idea why the forum nuked the links.)

actualrootwyrm

random_matt
 
You enable ftpm in bios. You don't need a module. Knowledge is all on the internet, no idea what the other guy is spouting. I know tons of people on X570, promise this is all you need to do.

No, you don't. And the garbage out there isn't 'knowledge.'
 
I can guarantee you this "other guy" here has personally built more systems than EVGA has sold X570 Darks, and has been doing both OEM and ODM since before EVGA was even founded. I've probably built more systems than they've sold 3090's. And I quit doing anything but boutique in the desktop space back around '08. So everything I've shipped in the past 10+ years has required as much platform security as I can load on it. I am quite bluntly, probably more knowledgeable about platform security than EVGA's motherboard engineers. (Since they don't work with EPYC, and don't deal with PSB or Intel IME or AMT e-fuses. Frankly wish I didn't have to either.)
 
fTPM is literally a lowest common denominator, least durability solution that was thrown in to have something since they couldn't trust ODMs to do the right thing, and Intel does it in the must-buy IME side. Nowhere in any of AMD's official documentation or guidance for ODMs or OEMs will you find a single recommendation to use fTPM over dTPM, or even to use fTPM at all. In fact, AMD themselves recommend against using fTPM and using a dTPM specifically because of , a necessary reliance on the motherboard manufacturer to implement it correctly in BIOS (which includes maintaining the VBIOS element,) and Microsoft introducing problems constantly.
(No idea why the forum nuked the links.)

just add a space or two to the link
 
workaround is found here   Ultimate Self-Starter Thread For New Members
 
Thanks for the detailed information

actualrootwyrm your awesome, look forward to find out the results.

I love how the community has been 1000% more helpful the EVGA.

actualrootwyrm

optimadam
Hi,
 
Does anyone know if the X570 FTW has a physical TPM?

I have not noticed any reference to any kind of TPM function in the manual, hardware or software based. Do they call it something else on there boards, I did come across one article saying it was on the Dark.
 
Thanks

 
JC2 on both the X570 Dark and FTW is a 20-pin TPM header. On the FTW it's located next to the front panel connector.
I never got a response from support on the pin-out or supported modules though. I don't even know if it's LPC or SPI.

For what it's worth, I asked our team and they informed me that this header is for diagnostic purposes only, and not a physical TPM header.  However, that was my first impression when I saw the board.

actualrootwyrm
That's definitely a headscratcher then, because they're probably the same team that said it was a TPM header! (I actually asked them back when the X570 Dark was announced.) I know it's not marked at all on the silkscreen - which you all did an awesome job on, by the way. But the details I got from multiple folks was that there was definitely a TPM header, but not which, and there was no officially supported module at this time. 
 
The LPC TPM should be 13 or 14 conductors (1 or 2 GND) and will be be connected directly to the SuperIO to LPC pins. I don't have the pinout for the one that EVGA is using, but on Winbond it's usually pins 18 through 30 or some similar contiguous block. There should be one pin tied to PCI clock or a 33MHz source, a 24MHz or 48MHz source tied to both the SuperIO and connector, and then the rest are basically data lines. There's too many pins for JC2 to be JTAG (that's the connector above it. Don't tell anyone.)
The other option would be SPI which would require a +1.8V, a 24MHz or 33MHz isolated clock (SPI CLK or SCLK,) 2 data lines, an interrupt, a reset, and a chip select line usually implemented via GPIO on the SuperIO but may be implemented as a specific interface.
 
If they have an SPI TPM, that changes the game entirely. Because those, I have an absolute stack of both Infineon and Nuvoton.
Also, then I have no idea where the promised TPM header is. 
... unless it's SPI located north of PCIe SW. Which I had assumed was strictly the SPI lines for the BIOS. Because, well, duh.
 
Maybe the two of us should get with the engineers off the record and see what's what. Because the relevant DXE's definitely in the BIOS already, and JC2 is definitely pin-aligned to a Certain Competitor's LPC TPM Module. So my potentially flawed assumption was that they just carried that forward; it's certainly the smart and effective way.
 
edit: hey Lee, grab a Dark, flip it over. Inch or so toward the power side from the PCIe4x slot, between that and the battery, near the unpopulated JM3. Do you see what I see? I'm going to be upset if those are correct and wired to JM3. Mostly because I need to get a card in that slot. Also because the header's unpopulated. Oh, and also because none of them are actually labeled.  

Double-checked with engineering.  It's a debug header.

EVGATech_LeeM
Double-checked with engineering.  It's a debug header.

Clearly they think they're dealing with amateur hour or an idiot, and not somebody who might have more AMI licensing than they do, because they told you a straight up lie.
 
JC2 is in fact, wired direct to the Winbond's LPC interface. JEC1 immediately above is either JTAG or SPI. And even if it is for LPC debug, the absolute minimum acceptable would be to provide the complete pinout. Keyed 20 is NOT a standard LPC connector or used by literally anything except two common LPC dTPM modules. Even ElmorLabs and OBT's LPC card uses 10 pins. And guess what? Yeah, LPC debug is done from the dTPM header!
You don't populate the NXP's SPI header, but you leave another 25 pins fully populated for "debug only"? Look. I've been around decades. Nobody wastes that kind of money.
Oh, and I already confirmed that the ground pins align with the 20-1 pin Asus / Gigabyte LPC TPM2.0 pinout. Which eliminates all other possibilities including JTAG. So yeah - I'm 100% certain they're lying. 

 
So I'm just going to start calling engineering out on these lies. I honestly have to question if it wasn't deliberate sabotage to stay in Intel's good graces. There's literally no way EVGA did not know that fTPM is specifically advised against, that it has had security vulnerabilities in the past, that it has multiple outstanding known defects, and that TPM would be required for Windows 11. AMD won't even let you have AGESA access without you first acknowledging all of that. 
These are super-premium priced motherboards. This level of either laziness or deliberate crippling just isn't acceptable, especially when it simply isn't found on boards that cost half as much.
That goes triple for a board that is explicitly built for extreme overclocking and board-level modifications. You can't give users a Probelt, explicit permission to hook up DMMs and oscilloscopes, guarantees that replacing TIM won't void warranty, and then not provide detailed pinouts for every header you install. Doubly so when you give them detailed information on EVGA's hysteresis programming, 10+ pages of Nu Audio, and a completely unheard of 17 pages on how to set up RAID. $1000+ quad socket boards with dual U320 controllers didn't even have that many pages on RAID!
Tacking on three more pages of pinout diagrams, not even remotely too much to ask on a $500 motherboard, much less a $700 "world record" one.
 
So now I gotta be all nitpicky and cranky at engineering (not at you, Lee. I know you're just the messenger.)

• Hey look, the RGB controller (NXP LPC15U68) says "Z590 MCU" even though the SPI for it (JM3) is right there. Couldn't even be bothered to do literally a one line update!
• The DXE required for dTPM is not only present, but fully loaded, and attached! Gee, why would you do that when that's not the fTPM DXE. And it's not a chain load. And wasting significant space in the BIOS, that's not best practices. Or even normal practices.
• But hey at least they - oh, they didn't do the fTPM correctly, which certainly isn't going to help the stuttering issue. Now the DXE makes sense. Honestly I'm amazed it's even functional. No, engineering, I don't have better docs from AMD than you do on it. But I do have multiple working boards that report very differently.
• ImageDevicePath(..6F4C-4C6B-B9D1-92DAA7199A84)) LoadedImage(AmiRedFishApi) ... just ... <sigh> are you even using it? I think we all know the answer is no when you're using a CSEL for the BIOS.
• PS/2 DH at 14D? Uh, that should probably be immediately before PciBus when you're bypassing clock related problems with the other interfaces. (Unless you need PciBus to strap the SuperIO. I haven't worked with the one you're using.)
• Why oh why did you attach the "Z590 MCU" direct to the USB3.0 instead of the 2.0 hub? I will agree there could be a valid reason, but darned if I could see one. Way too late now obviously. But it would have helped the USB failures under extreme overclocks.
• Did nobody review SMBIOS? "BIOS ROM is socketed" (okay, the SPI header, so I might give you a pass on that one.) ECF major and minor 255, no pass on that one. Not reading processor serial. Stack of structures missing a type definition. Full credit for at least trying to label slots correctly, but WHY IS THERE AN RTL8111EPV LISTED? If there actually is an 8111EPV on the X570 Dark, then we got a real problem.

I don't like being cranky and throwing people under the bus, because BIOS development is hard as hell. But if they're just gonna keep pushing the "debug" lie, then they've got absolutely no excuses for not achieving absolute perfection with not one single mistake. They've got more "debug" headers than an AMD Lilac.
Or they could just say "sorry, we don't have any officially tested or validated dTPMs at this time. Here are the pinouts we erroneously left out of the manuals, and we will fix the TPM selection in the next BIOS update. But we make no guarantees as to support of non-validated TPM modules."
 
I should not have to call the engineering department out on the floor to get functionality on par with a $150 motherboard, and no amount of excuses about 'but overclocking' is going to change that fact. Especially not when boards that can directly compete on overclocking cost literally half as much with an arguably better feature set.

actualrootwyrm

EVGATech_LeeM
Double-checked with engineering.  It's a debug header.

Clearly they think they're dealing with amateur hour or an idiot, and not somebody who might have more AMI licensing than they do, because they told you a straight up lie.
 
JC2 is in fact, wired direct to the Winbond's LPC interface. JEC1 immediately above is either JTAG or SPI. And even if it is for LPC debug, the absolute minimum acceptable would be to provide the complete pinout. Keyed 20 is NOT a standard LPC connector or used by literally anything except two common LPC dTPM modules. Even ElmorLabs and OBT's LPC card uses 10 pins. And guess what? Yeah, LPC debug is done from the dTPM header!
You don't populate the NXP's SPI header, but you leave another 25 pins fully populated for "debug only"? Look. I've been around decades. Nobody wastes that kind of money.
Oh, and I already confirmed that the ground pins align with the 20-1 pin Asus / Gigabyte LPC TPM2.0 pinout. Which eliminates all other possibilities including JTAG. So yeah - I'm 100% certain they're lying. 

 
So I'm just going to start calling engineering out on these lies. I honestly have to question if it wasn't deliberate sabotage to stay in Intel's good graces. There's literally no way EVGA did not know that fTPM is specifically advised against, that it has had security vulnerabilities in the past, that it has multiple outstanding known defects, and that TPM would be required for Windows 11. AMD won't even let you have AGESA access without you first acknowledging all of that. 
These are super-premium priced motherboards. This level of either laziness or deliberate crippling just isn't acceptable, especially when it simply isn't found on boards that cost half as much.
That goes triple for a board that is explicitly built for extreme overclocking and board-level modifications. You can't give users a Probelt, explicit permission to hook up DMMs and oscilloscopes, guarantees that replacing TIM won't void warranty, and then not provide detailed pinouts for every header you install. Doubly so when you give them detailed information on EVGA's hysteresis programming, 10+ pages of Nu Audio, and a completely unheard of 17 pages on how to set up RAID. $1000+ quad socket boards with dual U320 controllers didn't even have that many pages on RAID!
Tacking on three more pages of pinout diagrams, not even remotely too much to ask on a $500 motherboard, much less a $700 "world record" one.
 
So now I gotta be all nitpicky and cranky at engineering (not at you, Lee. I know you're just the messenger.)

• Hey look, the RGB controller (NXP LPC15U68) says "Z590 MCU" even though the SPI for it (JM3) is right there. Couldn't even be bothered to do literally a one line update!
• The DXE required for dTPM is not only present, but fully loaded, and attached! Gee, why would you do that when that's not the fTPM DXE. And it's not a chain load. And wasting significant space in the BIOS, that's not best practices. Or even normal practices.
• But hey at least they - oh, they didn't do the fTPM correctly, which certainly isn't going to help the stuttering issue. Now the DXE makes sense. Honestly I'm amazed it's even functional. No, engineering, I don't have better docs from AMD than you do on it. But I do have multiple working boards that report very differently.
• ImageDevicePath(..6F4C-4C6B-B9D1-92DAA7199A84)) LoadedImage(AmiRedFishApi) ... just ... <sigh> are you even using it? I think we all know the answer is no when you're using a CSEL for the BIOS.
• PS/2 DH at 14D? Uh, that should probably be immediately before PciBus when you're bypassing clock related problems with the other interfaces. (Unless you need PciBus to strap the SuperIO. I haven't worked with the one you're using.)
• Why oh why did you attach the "Z590 MCU" direct to the USB3.0 instead of the 2.0 hub? I will agree there could be a valid reason, but darned if I could see one. Way too late now obviously. But it would have helped the USB failures under extreme overclocks.
• Did nobody review SMBIOS? "BIOS ROM is socketed" (okay, the SPI header, so I might give you a pass on that one.) ECF major and minor 255, no pass on that one. Not reading processor serial. Stack of structures missing a type definition. Full credit for at least trying to label slots correctly, but WHY IS THERE AN RTL8111EPV LISTED? If there actually is an 8111EPV on the X570 Dark, then we got a real problem.

I don't like being cranky and throwing people under the bus, because BIOS development is hard as hell. But if they're just gonna keep pushing the "debug" lie, then they've got absolutely no excuses for not achieving absolute perfection with not one single mistake. They've got more "debug" headers than an AMD Lilac.
Or they could just say "sorry, we don't have any officially tested or validated dTPMs at this time. Here are the pinouts we erroneously left out of the manuals, and we will fix the TPM selection in the next BIOS update. But we make no guarantees as to support of non-validated TPM modules."
 
I should not have to call the engineering department out on the floor to get functionality on par with a $150 motherboard, and no amount of excuses about 'but overclocking' is going to change that fact. Especially not when boards that can directly compete on overclocking cost literally half as much with an arguably better feature set.

 
wait wait wait, so my x570 ftw 500 dollar evga board has no tpm header????i shouldve double checked since it doesnt have a usb front header either
bunch of nonsense