(no title)

> Unfortunately, the purpose here will be to use the fact that most users use a non-free OS to turn these TPMs against the user in order to make DRM harder to break.

Stallman[1] and others[2] have talked about just this issue for over a decade now.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

I see the value in using a TPM to protect a disk encryption key; but also the downside of it being harder for me to recover data when the TPM fails before the disk (or if the motherboard fails and the TPM is tamper resistant and doesn't want to be moved to another board, etc). For me, data recovery is more important.

Boot time security sounds kind of useful, but I don't have time or desire to audit and sign everything I run, and Microsoft doesn't either; they have historically signed all sorts of garbage that undermines the system security, and I expect that will continue.

Just in case someone wants to know what a TPM is:

Trusted Platform Module, or TPM, is a unique hardware-based security solution that installs a cryptographic chip on the computer's motherboard, also known as a cryptoprocessor.

This chip protects sensitive data and wards off hacking attempts generated through a computer's hardware. Each TPM holds computer-generated keys for encryption, and most PC's nowadays come with TPM chips pre-soldered onto the motherboards.

I've been using laptops with TPM for a decade now. Never enabled the damn thing because if it failed, I'd be completely locked out of my computer. I'm not a CIA agent, I'm not a threat to any state, I don't even work for some big corp, why do I need that level of security?

I don't trust storing keys in the hardware. The hardware can fail and you loose everything, or the hardware can have backdoor. It's not difficult to make and memorize a strong password in the end to use it for disk encryption.

Stallman[1] and others[2] wrote about TPMs nearly 15 years ago, and the former revisited the topic in 2015.

Trusted Platform Modules can be used enforce app DRM, ensuring that only "approved" apps are able to run on a system.

That's already the reality for iPhones and iPads. We see desktops converging on this reality with systems like Apple's M1 which won't run unsigned binaries at all, and makes it difficult to nearly impossible to run apps that weren't first approved by Apple through their notarization process.

[1] https://www.gnu.org/philosophy/can-you-trust.en.html

[2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

A TPM is a chip on some motherboards that serves two purposes:

1. Using something not too dissimilar from blockchain/git repo hashes to attest to the the execution stack (BIOS, bootloader, kernel, userspace). 2. Providing cryptographic primitives that are only unlocked when the stack exactly matches a particular value.

It's a handy tool for avoiding spyware, as any change in the attestation chain gets immediately flagged. It is also, in principle, useful for tying DRM keys to a particular execution stack that's known to be trusted... although it's very worth noting that the TPM's threat model does not include an attacker having physical access to the hardware.

TPM used for secure boot, (hypothetically) used to block installing non-windows OS, means the owner is forced to using an OS that has telemetry.

That is the argument I suppose OP was making. The secure boot locking is hypothetical, but it is often feared. I get why, because it seems like something Microsoft would love to do.

Lol I think MOST people don't understand what TPM is/does...

If history is an indicator for anything, we’re talking about when. Not if.

No, no, don’t mistake correlation with causation. They just always come together.

Note: I have no idea what TPM even is.

Windows 11 previews do not require a TPM module, but the final Windows 11 will. Quoting from https://blogs.windows.com/windows-insider/2021/06/28/update-...:

> In support of the Windows 11 system requirements, we’ve set the bar for previewing in our Windows Insider Program to match the minimum system requirements for Windows 11, with the exception for TPM 2.0 and CPU family/model.