
Thread: Impending Doom

  1. #21
    Join Date
    May 2007
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Impending Doom

    Quote Originally Posted by Shibblet View Post
    From: https://docs.microsoft.com/en-us/win...iences/oem-tpm

    Generating, storing, and limiting [the use of cryptographic keys]. Limiting may be a problem when the chip has "multiple physical security mechanisms to make it tamper resistant."

    I mean... I may be wrong here, but it says to me, if they want to block Linux, they can. And there will be no work-around.
    Effectively restricting OSes has to be done by the system integrator, e.g., by using Secure Boot to verify a boot stage's SW signature against a read-only set of known hashes. An OS on its own cannot change this - it doesn't get loaded until AFTER secure boot verifies it. If it could retroactively change Secure Boot's set of known hashes, then Secure Boot would be worthless. TPM is not Secure Boot.

    The article states, "Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM." Here, initialization happens at OS boot time, and ownership means that the OS manages access to the hardware component (as is the typical responsibility of an OS). More generally, memory/registers that are not read-only (i.e., written only once by the HW designer or system integrator, e.g., a stage-0 bootloader) and are accessible by the CPU are configurable by whatever OS is running (having been initialized by the earlier bootloader). This is a simplification, but sufficient for now.

    Furthermore, "TPMs are passive: they receive commands and return responses." It's basically an area to do secure computation. It should probably not be storing data between boots (that screams security violation to me, which is entirely antithetical to TPM's purpose).
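    The distinction drawn above (Secure Boot enforces against a fixed allow-list, the TPM only records what it is told) as an added, constructed simulation that is not part of the original post and not real firmware or TPM code: `SecureBootFirmware`, `PassiveTpm`, the sample images and the PCR layout are all assumptions for illustration.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed sample boot images (stand-ins, not real bootloaders).
SIGNED_STAGE = b"bootloader v1 (constructed sample, trusted)"
UNKNOWN_STAGE = b"bootloader v1 (constructed sample, tampered)"

# Read-only allow-list of known-good digests, fixed by the system
# integrator before anything boots. frozenset: not writable afterwards.
KNOWN_GOOD = frozenset({sha256(SIGNED_STAGE)})


class SecureBootFirmware:
    """Enforcing component: a stage runs only if its digest is known."""

    def __init__(self, known_good: frozenset):
        self.known_good = known_good

    def load_stage(self, image: bytes) -> bool:
        return sha256(image) in self.known_good


class PassiveTpm:
    """Passive component: folds a measurement into a PCR on command and
    returns the new value. It never decides whether a stage may run."""

    def __init__(self, pcr_count: int = 24):
        self.pcrs = [bytes(32)] * pcr_count  # PCRs start at zero each boot

    def pcr_extend(self, index: int, measurement: bytes) -> bytes:
        # PCR_new = H(PCR_old || H(measurement)): order-dependent and one-way
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(measurement))
        return self.pcrs[index]


def boot(firmware: SecureBootFirmware, tpm: PassiveTpm, image: bytes):
    """Measure the stage into PCR 0, then let Secure Boot decide."""
    pcr0 = tpm.pcr_extend(0, image)
    allowed = firmware.load_stage(image)
    return allowed, pcr0


def os_tries_to_add_hash(firmware: SecureBootFirmware, image: bytes) -> bool:
    """A later-running OS cannot retroactively extend the allow-list."""
    try:
        firmware.known_good.add(sha256(image))  # frozenset has no add()
        return True
    except AttributeError:
        return False
```

    The tampered image is refused by the firmware while the TPM simply records a different PCR 0 value, which is what a remote verifier would later compare against an expected measurement.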

  2. #22
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Impending Doom

    Quote Originally Posted by Rocket2DMn View Post
    Effectively restricting OSes has to be done by the system integrator, e.g., by using Secure Boot to verify a boot stage's SW signature against a read-only set of known hashes. An OS on its own cannot change this - it doesn't get loaded until AFTER secure boot verifies it. If it could retroactively change Secure Boot's set of known hashes, then Secure Boot would be worthless. TPM is not Secure Boot.

    The article states, "Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM." Here, initialization happens at OS boot time, and ownership means that the OS manages access to the hardware component (as is the typical responsibility of an OS). More generally, memory/registers that are not read-only (i.e., written only once by the HW designer or system integrator, e.g., a stage-0 bootloader) and are accessible by the CPU are configurable by whatever OS is running (having been initialized by the earlier bootloader). This is a simplification, but sufficient for now.

    Furthermore, "TPMs are passive: they receive commands and return responses." It's basically an area to do secure computation. It should probably not be storing data between boots (that screams security violation to me, which is entirely antithetical to TPM's purpose).
    In a nutshell, well said, outside of spelling errors.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  3. #23
    Join Date
    Feb 2009
    Location
    Wasilla, Alaska
    Beans
    583
    Distro
    Kubuntu

    Re: Impending Doom

    Quote Originally Posted by TheFu View Post
    Do you mean like how Google Chromebooks are all locked to only run ChromeOS? Chromebooks have TPM and encryption. Yet, people figured out how to modify the hardware to put any non-ChromeOS OS onto most of those machines. There are a few that are so locked down, they cannot run anything else.
    Exactly. I own one. Asus C425. There are ways to "trick" the computer into running Linux, but it seems more trouble than it's worth.

    Will this mean that computers that come with Windows 11 pre-installed, will not be allowed to run Linux, because the TPM 2.0 is "limiting" the crypto-keys?
    I do understand the concept of usage as well. Why buy a Microsoft Surface if you don't want to run Windows? And, again, I am aware that there are ways to "trick" the Surface into running Linux.
    But if you have to "trick" your computer into doing it, that will eliminate many possible users... myself included.

    I made a point of finding out if my computer will run Linux. Thankfully, they advertise Ubuntu. And, yes, it's got a TPM 2.0.
    (https://store.minisforum.com/products/hx90)

    A majority of Linux (in general, not just Ubuntu/Flavors) users are not installing on new computers. For them, the TPM 2.0 module will not be a problem.
    Everyone eventually wants to upgrade though...
    Holy Cripes on Toast!
    Attention is the currency of internet forums. - ticopelp

  4. #24
    Join Date
    Feb 2009
    Location
    Wasilla, Alaska
    Beans
    583
    Distro
    Kubuntu

    Re: Impending Doom

    Quote Originally Posted by Rocket2DMn View Post
    Effectively restricting OSes has to be done by the system integrator, e.g., by using Secure Boot to verify a boot stage's SW signature against a read-only set of known hashes. An OS on its own cannot change this - it doesn't get loaded until AFTER secure boot verifies it. If it could retroactively change Secure Boot's set of known hashes, then Secure Boot would be worthless. TPM is not Secure Boot.
    Gotcha. This was my concern.

    Quote Originally Posted by Rocket2DMn View Post
    The article states, "Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM." Here, initialization happens at OS boot time, and ownership means that the OS manages access to the hardware component (as is the typical responsibility of an OS). More generally, memory/registers that are not read-only (i.e., written only once by the HW designer or system integrator, e.g., a stage-0 bootloader) and are accessible by the CPU are configurable by whatever OS is running (having been initialized by the earlier bootloader). This is a simplification, but sufficient for now.
    Again, thank you for the clarification.

    Quote Originally Posted by Rocket2DMn View Post
    Furthermore, "TPMs are passive: they receive commands and return responses." It's basically an area to do secure computation. It should probably not be storing data between boots (that screams security violation to me, which is entirely antithetical to TPM's purpose).
    And I think that's the problem. There are a lot of articles out there about what a TPM does, but not enough explaining what its purpose is.
    Holy Cripes on Toast!
    Attention is the currency of internet forums. - ticopelp

  5. #25
    Join Date
    May 2005
    Location
    Indiana
    Beans
    1,933
    Distro
    Hardy Heron (Ubuntu Development)

    Re: Impending Doom

    Quote Originally Posted by Shibblet View Post
    Good point. Do you think companies like System76, Slimbook, and Tuxedo Computers will have the option to disable/remove the TPM 2.0 on their motherboards? Will the MoBo manufacturers even offer it?

    Looks like System76 will give users the option of turning it off. But it is still there. https://tech-docs.system76.com/model...tup-specs.html

    System76 now has TPM 2.0 Chips on their motherboards... and essentially it is completely unnecessary for a Linux based PC. Does this mean that Microsoft has essentially forced Hardware Manufacturers to require this TPM 2.0 Chip? Essentially making them Hardware dictators?
    I know I'm going to have the unpopular opinion here. But if you can get Linux working with TPM 2.0, in my opinion it would be silly to intentionally buy a computer that doesn't have it, even if it's unnecessary for Linux.

    My own testimony is a good example. I was sold on Linux. I exclusively used Linux, and I had no intention of ever going back to Windows. But I ended up finding myself in a situation where I needed to use a few specialized programs that would not work with Wine, or any other way in Linux. So I was forced to use Windows. So at first, I tried out dual-booting. But it was just too much of a hassle to boot back and forth when I was perfectly capable of doing everything I needed to do in Windows. So I ended up gravitating away from Linux. Even today, I still like Linux better as an OS. I love that you can customize it as much as your heart desires. But alas, here I am typing from Windows.

    My point is, you never know when you'll have to go back to Windows, or at least dual-boot, even if you think you never will.
    Today you are You, that is truer than true. There is no one alive who is Youer than You. - Dr. Seuss

  6. #26
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Impending Doom

    That's why we use virtual machines and don't dual/triple/quad boot. There are 7 running on this system now. I hardly notice it. Most are very, very, low use VMs that take almost zero CPU.

    TPM is a standard. Linux supports it. That's all we need to know.

    I'm fairly certain that I won't be using Windows 8+ on my systems ever. If a company wants me to use Windows, then they can provide the hardware and licenses. The same for a cell phone.

  7. #27
    Join Date
    Feb 2009
    Location
    Wasilla, Alaska
    Beans
    583
    Distro
    Kubuntu

    Re: Impending Doom

    Quote Originally Posted by forrestcupp View Post
    My point is, you never know when you'll have to go back to Windows, or at least dual-boot, even if you think you never will.
    I know the feeling.

    Things would actually be "easier" for me if I decided to use Windows. Currently, I use a VM for Windows 7 when I need to run my Adobe software. I bought a copy of Adobe CS6 many years ago. (BTW, Adobe really hasn't added much to their software suite since then.) I have been a graphic artist for over 25 years. I like the software that's available for Linux OSes such as Gimp and InkScape... However, all of my old files and graphics were made in Adobe, so transitioning everything would be too much of a chore.

    I also have a couple of utility programs for some hardware that only work in Windows... fortunately, VirtualBox and Windows 7 work great.

    When I say things would be easier... What I mean is that I wouldn't have to open VirtualBox. All of my apps would run right in the OS. No re-booting, no extra loading times, etc. Hardware acceleration works without fussing, wouldn't have to worry so much about hardware compatibility, games in my Steam library just work, etc. etc. etc.

    The problem is, when choosing to use Windows, you have to choose to give up certain amounts of privacy. The OS is tracking your data at all times, even if you go through the trouble of attempting to disable it. You can disable a lot of telemetry, but ultimately, you can't disable it all. Nvidia users... beware, your Windows drivers have telemetry built in by default.

    Windows also has horrendous memory management, and eats up WAY more resources than a KDE Desktop does. And this is because it's loading apps into memory like MS Teams, Cortana, and a bunch of background applications that you may not want, or even use.

    Unfortunately, there is no "middle ground." You can't have Windows without the junk and telemetry, and you can't have Linux with flawless Windows software compatibility.

    This is where most of my troubles with this TPM 2.0 issue come from. Windows just keeps pushing ahead with features that no one asked for, or even wants. They are taking your personal and usage data, and unfortunately, you have to choose to accept this, or not. And to make an operating system that actually requires a hardware replacement, for a "security" module, just seems like more of the same from Microsoft.
    Holy Cripes on Toast!
    Attention is the currency of internet forums. - ticopelp

  8. #28
    Join Date
    Apr 2014
    Location
    Tucson AZ, USA
    Beans
    1,066
    Distro
    Ubuntu

    Re: Impending Doom

    I never thought I'd live long enough to see the day a computer was viewed as totally disposable. When I grew up they were just becoming a thing. You didn't buy a new one, you fixed it. Now they get replaced without a thought.

    A couple of years ago I found a machine on the side of the road. They had tossed it because of a clicking sound. I replaced the fan in the power supply and put in an SSD. Mom's parents have been using it daily for the last 3-4 years now. Pops loves his solitaire. Kpat makes him happy.

    Everything is disposable and Microsoft is just helping that right along and screwing us over in the process. The American way?

  9. #29
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Impending Doom

    If you want to do something for the rest of your life and still be no wiser, then here is the location of the TPM 2.0 specification.

    https://trustedcomputinggroup.org/re...specification/

    Regards and happy reading! Let us know if you find anything sneaky.
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530
  10. #30
    Join Date
    Feb 2009
    Location
    Wasilla, Alaska
    Beans
    583
    Distro
    Kubuntu

    Re: Impending Doom

    Quote Originally Posted by grahammechanical View Post
    Regards and happy reading! Let us know if you find anything sneaky.
    You never find "sneaky" in the tech documents of how something works. You find "sneaky" when people learn how to exploit said technology, especially within the confines of the specs.

    "The unleashed power of the atom has changed everything save our modes of thinking and we thus drift toward unparalleled catastrophe." - Albert Einstein
    Holy Cripes on Toast!
    Attention is the currency of internet forums. - ticopelp
