General Security Concepts · SY0-701 · Task 1.4

Hardware roots of trust — SY0-701

Understand hardware roots of trust, TPM, and chain of trust — core Security+ SY0-701 concepts anchoring platform integrity from the hardware layer up.

WHAT IT IS

A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of information. Because roots of trust are inherently trusted, they must be secure by design — they cannot rely on any lower layer to verify their own trustworthiness.

The broader category, roots of trust, encompasses highly reliable hardware, firmware, and software components that perform specific, critical security functions and serve as the starting point that is implicitly trusted within a system.

Mental model

Think of a hardware root of trust as the sealed foundation of a building. Every floor above rests on it, and you cannot audit the foundation by standing on one of the floors it supports. If you cannot trust the foundation independently, nothing built on top of it can be trusted either. That is why the hardware component must be tamper-resistant and verifiable on its own terms — before the operating system or any application loads.

A Trusted Platform Module (TPM) is a concrete example of this principle: it is a tamper-resistant integrated circuit that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.

When to use it

Concept | What it is | Where trust originates
Hardware root of trust | Inherently trusted hardware/firmware that maintains integrity | The chip itself — no software layer above it can verify or undermine it
Software-based security controls | Security enforcement by the operating system or applications | Dependent on the platform being intact; can be subverted if the platform is compromised
Chain of trust (boot) | A technique applying transitive trust, where each module in a boot sequence measures the next before transferring control | Rooted in the hardware root of trust; extends upward through firmware and OS

Use hardware roots of trust when you need a starting point for integrity that must be secure by design — particularly to anchor a chain of trust during system startup or to support attestation.

COMMON MISCONCEPTION

Candidates often assume that a TPM or hardware root of trust actively prevents tampering at runtime — that it blocks a compromised operating system from running. This is not what the NIST definitions describe. The hardware root of trust maintains integrity of information and provides a trustworthy foundation for cryptographic operations and measurements. Attestation — the process of providing a digital signature for a set of measurements securely stored in hardware, and then having the requester validate the signature and the set of measurements — is how integrity evidence is generated and shared. Detecting or reporting a violation is distinct from blocking one. Do not conflate "measuring and attesting to platform state" with "enforcing that only trusted software may run."

A second trap: the word "root" suggests a certificate authority or PKI hierarchy. Hardware roots of trust and PKI are distinct concepts. A hardware root of trust anchors system integrity from the hardware layer up; a certificate authority anchors identity trust within a PKI hierarchy. They can work together, but neither is a substitute for the other.

How it shows up on the exam

Questions in this area tend to test whether you can distinguish where trust originates from how trust is extended. A scenario might describe a system that boots and reports its own integrity, then ask what component makes those reports trustworthy — the answer requires recognizing that the trustworthiness of any measurement traces back to a starting point that is implicitly trusted and cannot itself be verified by software above it.

Signal phrases to watch for:

  • "tamper-resistant," "secure by design," "implicitly trusted"
  • "stores cryptographic keys," "performs cryptographic operations on-chip"
  • "attests to platform state," "measurements stored in hardware"
  • "chain of trust," "each module measures the next"

Candidates who confuse hardware roots of trust with general encryption or with software integrity checking will be drawn to incorrect answers. The distinguishing feature is always the hardware layer that must be trustworthy independent of anything running above it.

How the chain of trust extends from hardware

Each module in the boot sequence measures the next before transferring control — applying a principle of transitive trust rooted in the hardware.
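The following simulation, added here as an illustration and not taken from the exam blueprint or any vendor's TPM code, shows both the chain-of-trust mechanism described above and the distinction drawn under "Common misconception": each stage hashes the next and extends a platform configuration register (PCR) before handing over control, the quote is a signature over a fresh nonce and the PCR value, and the verifier, not the chip, decides what a mismatch means. The boot images, stage names, and the attestation key are constructed; an HMAC over (nonce || PCR) stands in for the asymmetric signature a real TPM produces with a key it never exports, so the script runs with the Python standard library only.

```python
import hashlib
import hmac

# Constructed boot images standing in for real bootloader/kernel/initrd binaries.
GOOD_STAGES = [
    ("bootloader", b"bootloader v1 (constructed)"),
    ("kernel", b"kernel 6.1 (constructed)"),
    ("initrd", b"initrd (constructed)"),
]
TAMPERED_STAGES = [
    ("bootloader", b"bootloader v1 (constructed)"),
    ("kernel", b"kernel 6.1 (constructed) + unexpected modification"),  # altered stage
    ("initrd", b"initrd (constructed)"),
]

# Stand-in for the attestation key a real TPM never releases. HMAC replaces the
# asymmetric signature so the example needs no third-party library.
ATTESTATION_KEY = b"constructed-attestation-key"


def measure(image: bytes) -> bytes:
    """Measurement = hash of the module that is about to receive control."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || measurement).
    One-way and order-sensitive: a PCR can be extended, never set to a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Each stage measures the next into the PCR, then transfers control.
    Nothing here blocks a modified stage: the TPM records, it does not enforce."""
    pcr = bytes(32)  # PCRs start at zero on platform reset
    event_log = []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        event_log.append((name, m))
        # ... control passes to `image` here regardless of what it contains
    return pcr, event_log


def quote(pcr: bytes, nonce: bytes) -> dict:
    """TPM quote: signature over (nonce || PCR) with the attestation key."""
    sig = hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr": pcr, "signature": sig}


def verify_quote(q: dict, nonce: bytes, golden_pcr: bytes) -> str:
    """Verifier side: check the signature, then freshness, then the expected state."""
    expected = hmac.new(ATTESTATION_KEY, q["nonce"] + q["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, q["signature"]):
        return "invalid-signature"   # not produced by the attestation key
    if q["nonce"] != nonce:
        return "replayed-quote"      # genuine signature, but over a stale challenge
    if q["pcr"] != golden_pcr:
        return "untrusted-state"     # platform booted something other than expected
    return "trusted"


def replay_log(event_log) -> bytes:
    """Verifier replays the event log to confirm it reproduces the reported PCR."""
    pcr = bytes(32)
    for _, m in event_log:
        pcr = extend(pcr, m)
    return pcr


def first_divergent_stage(golden_log, reported_log):
    """Name the first boot stage whose measurement differs from the known-good log."""
    for (gname, gm), (rname, rm) in zip(golden_log, reported_log):
        if gname != rname or gm != rm:
            return rname
    return None


if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(GOOD_STAGES)
    pcr, log = measured_boot(TAMPERED_STAGES)
    nonce = b"challenge-0001"  # fresh challenge chosen by the verifier
    print(verify_quote(quote(pcr, nonce), nonce, golden_pcr))  # untrusted-state
    print(first_divergent_stage(golden_log, log))              # kernel
```

Two things the run makes concrete: the tampered platform still boots to completion and still obtains a correctly signed quote, so nothing on the platform was "blocked"; the verifier sees a PCR that does not match its golden value and decides for itself what to do. Swapping the order of two stages also changes the final PCR, which is why a chain of trust is a sequence, not a set of independent checks.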

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
