WingNews logo WingNews
top | item 42947736

(no title)

mkopec | 1 year ago

There are none. It's so immensely frustrating to me that so many people believe that a TPM is a DRM device. I'm sure Richard Stallman's Treacherous Computing article played a big part in this.

A TPM is useless for DRM, and there are way more suited solutions like Intel's PAVP that takes an encrypted video stream and puts it on the screen directly, yet I don't see nearly as much uproar about that.

discuss

order

zinekeller|1 year ago

In a sense, graphics cards are the root-of-trust for PC-based DRMs (as they implement the necessary components such as HDCP authentication), not the TPM (which is useless for this task). In fact, PlayReady (which is Microsoft's DRM solution) does this exact thing: https://learn.microsoft.com/en-us/windows/uwp/audio-video-ca...

(...or use things such as the already-dead Intel SGX, which never touched TPMs at all)

deno|1 year ago

It goes TPM → OS Integrity (dm-/fs-verity) → Browser Attestation (Web Integrity) → Your banking website no longer working on Linux because of "security". It’s Play Integrity for the PC.

Encrypted video is a red herring. The real long game is to also get your "secure" video player to refuse playback if it detects watermark in the pirated video. This patches the analog hole.

If you have attested Windows it can just refuse to download "freeworld" VLC because it can be used for piracy and/or even watching child pornography. Imagine that!

Of course you can use Linux instead but now you have to use the approved distro that also won’t let you run "dangerous" apps.

This is of course slippery slope argument and Microsoft would not be able to force all that right now, but better get started on the foundations. Some future government can then just force them to implement the rest, but by then it will be just a flip of a switch.

"TPM is not DRM" argument seriously lacks imagination.

mkopec|1 year ago

Google SafetyNet is basically swiss cheese with lots of bypass solutions for custom ROMs.

A TPM may only attest that it has received an expected set of measurements (hashes). As long as discrete TPMs or PCs with unlocked CPUs exist (w/o Boot Guard), one may simply take a TPM and replay "golden" measurements to it. Bypassing this would be trivially easy.

A TPM does not have control over execution on the CPU. It only receives data from the CPU. If you have control over execution on the CPU from the reset vector, you can just replay whatever you want to a TPM and extract secrets that way. That's why TPM backed disk encryption without configuring a PIN is insecure.

Microsoft does not have the same level of control over the entire PC ecosystem as Google has over Android. That's why it's important to support open source alternatives.