Secure/Good TPM-manufacturer

I’m planning to build a new computer with QubesOS; I got the MSI Z790-P to flash Dasharo. Lately I thought about the missing parts, and there the TPM came up. I’ve already read a lot and it seems that there are better and worse manufacturers. Does anyone have experience with which to buy, or which are in the better spectrum? (Yes, I know that it’s not officially supported yet.)


Would you not need to buy an MSI module for an MSI motherboard?

Why can’t you use the standard TPM, do you have any special need for an external module?

What I’ve read is that they deactivated the fTPM in the Linux kernel, because it was so buggy. Does that not apply to Qubes?

I have the same question, but it is against my religion to buy a new machine. I want to move to Sequoia PGP with TPM support. If they have a forum, it would be the place to ask.
In my opinion, things from a hardware perspective are getting worse. Before Y2K about 1 in 65 motherboards could be used for my purpose; now I have the same odds as winning the lottery.

I think that was only the AMD fTPM, firmware based TPM.

Intel uses PTT, Platform Trust Technology, as their CPU integrated TPM, if you have an 8th gen or newer CPU you shouldn’t need to buy an external module.

If you still wanted to buy a module you can, the Z790-P does have a TPM header. I think you need a module designed to be used by the MSI motherboard, like the ones sold by MSI.

So there shouldn’t be any security issues if I stick to the integrated one? Does it still work even after flipping the HAP bit?

I believe TPM works with HAP enabled, I’ve not had issues with Linux using Secure Boot and having HAP enabled.

Mokutil says Secure Boot is active, and that keys are enrolled.
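A quick way to confirm which TPM the system is actually using, added here as an example and not taken from anyone in the thread: it decodes the manufacturer ID that `tpm2_getcap` reports (Intel PTT shows up as INTC, a discrete header module as its chip vendor) and prints the Secure Boot state. It assumes tpm2-tools and mokutil are installed; the sysfs path comes from the kernel TPM driver and the vendor strings from the TCG vendor ID registry.

```shell
#!/bin/sh
# Added example (not from the thread): tell a firmware TPM (Intel PTT, AMD fTPM) from a
# discrete header module by decoding TPM2_PT_MANUFACTURER as printed by tpm2_getcap,
# then report Secure Boot state via mokutil. Vendor strings follow the TCG vendor registry.

# Decode a 32-bit hex vendor ID (e.g. 0x494E5443) to ASCII, dropping NUL/space padding.
hex_to_ascii() {
    hex=$(printf '%s' "$1" | sed 's/^0[xX]//')
    out=''
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        dec=$((0x$byte))
        if [ "$dec" -gt 32 ]; then
            out="$out$(printf "\\$(printf '%03o' "$dec")")"
        fi
    done
    printf '%s' "$out"
}

tpm_vendor_name() {
    case "$(hex_to_ascii "$1")" in
        INTC) echo "Intel PTT (firmware TPM)" ;;
        AMD)  echo "AMD fTPM (firmware TPM)" ;;
        IFX)  echo "Infineon (discrete module)" ;;
        STM)  echo "STMicroelectronics (discrete module)" ;;
        NTC)  echo "Nuvoton (discrete module)" ;;
        MSFT) echo "Microsoft Hyper-V virtual TPM" ;;
        *)    echo "unknown vendor '$(hex_to_ascii "$1")'" ;;
    esac
}

# Live check: is a TPM exposed, which version, whose, and is Secure Boot on?
tpm_status() {
    dev=/sys/class/tpm/tpm0
    if [ ! -d "$dev" ]; then
        echo "no TPM exposed by the kernel: check that PTT/fTPM is enabled in firmware"
        return 1
    fi
    echo "TPM major version: $(cat "$dev/tpm_version_major" 2>/dev/null || echo unknown)"
    if command -v tpm2_getcap >/dev/null 2>&1; then
        raw=$(tpm2_getcap properties-fixed | awk '/TPM2_PT_MANUFACTURER/{f=1} f && /raw:/{print $2; exit}')
        echo "vendor: $(tpm_vendor_name "$raw")"
    fi
    if command -v mokutil >/dev/null 2>&1; then mokutil --sb-state; fi
}

# Run the live check only when invoked as: sh tpm-check.sh run
if [ "${1:-}" = run ]; then tpm_status; fi
```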