How is firmware TPM different from the discrete one?

Asked by Anil Mer in Cyber Security, Feb 2, 2022

What really is the difference between a physical TPM and any implementation of an fTPM?

I get that both adhere to the same specification and in my mind should be the same thing, but then, I don't understand why there even are 5 or so different types of TPM - discrete, integrated, firmware, virtual, and, well, software, though here the distinction is a little bit more clear - having used one, it really is more like a simulator.

The advantage of a hardware device makes sense in theory -> the EK is literally etched in stone, so as the presence of an EK is required by the specification, I suppose fTPMs just have the key saved somewhere.

Can the claim that "a physical TPM offers most security" be backed up?

Let's imagine I put 100% trust in a system with a discrete TPM and in this hypothetical world such a system is 100% secure. Do I have any reason to trust iTPM/fTPM/vTPM any less, and is their purpose by definition the same?

It is very hard to quantify security and justify trust. Before you read on: think about what you want to protect against whom. Make a risk analysis. I have heard mainly two justifications why physical Firmware TPM is more secure.

1) Separation/Isolation

Generally, the better two systems are isolated, the harder it is to spread a compromise. For example, you can hardly attack network #2 from network #1 if they are not physically connected. If they were connected via a firewall, it might be possible, but still hard. The least secure option would be no separation at all.

The same applies to the isolation of the host machine and its TPM. A user-space TPM simulator would hardly be isolated at all and is the least secure option. An fTPM is isolated much better, but it's still running on the same chip. A hardware TPM is much more isolated and therefore presumably better protected against software attacks from host malware. Of course there is a whole variety of hardware attacks which is not affected by this isolation. Again, think about your assets and risks.

2) Certification

Physical TPMs are usually certified. That alone is not a guarantee of security. However, it ensures that certain requirements are verifiably met. Therefore it is evidence of at least some level of security.

In particular, the Common Criteria evaluation takes hardware security against e.g. timing, glitching and side-channel attacks into account. Currently, there are only physical TPMs which are Common Criteria evaluated (see here under Trusted Computing).
