Linux

"Please teabag the web cam to boot."

There's two types of users, those who write a detailed precise technical answer to the subject, and then there's you

You know, I've been thinking about what I want my first tattoo to be for months, you've just given me a great idea

Kernel upgrades are very... Painful.

The thing is, Windows does this out of the box. So does macOS. So do iOS and Android. When you set a PIN on Windows 11 or even add an extra password to your already TPM-encrypted hard drive, you don't even know you're getting any of this security. You don't need to! It just works!

Linux is the only system that doesn't just make this stuff work out of the box. There are some issues that prevent it from being as easy to use as on other systems (the fact that loading Linux keys into a motherboard take an extra user interaction, for example) but there are solutions to all of these problems if Linux distros were to put some work into it.

There's absolutely no reason why you should need to use the terminal to configure the TPM, you should just need to tick a box during install that makes the system use better encryption (or disable it if you use the drive in multiple computers). The reason you need to play James bond with layers of encryption and boot configurations is that standard Linux tooling had awful support for using the security hardware that every computer sold the last decade or so already contains.

I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.

The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.

It’s not like there’s a difference in performance nowadays.

Intel literally removed CPU-bound DRM from their recent processors because it wasn't secure. Besides, the encryption keys for DRM are safely stored deep inside the iGPU anyway. All the TPM does is store a few kilobytes of cryptographic data and record signals sent to it by the OS in a way that the OS can't alter down the line.

The TPM is literally built to be used as an encryption peripheral. You can use alternatives like Yubikeys as external TPMs for extra security of course, but that doesn't mean every desktop, laptop, and smartphone needs one.

Your smartcard has the exact same potential to become used as a means for DRM. In standard use cases it's literally meant to govern access to a computer.

Why does everybody seem to think that userspace attestation is the only use for the TPM? The primary use is for data to be encrypted at rest but decrypted at boot as long as certain flags aren't tripped. TPM is great for the security of your data if you know how to set it up.

Valve is never going to require TPM attestation to use Steam, that's just silly. Anti-cheat companies might, but my suggestion there is to just not play games that bundle malware.

I like to think that Valve knows better than to try that.

I legitimately have not booted into windows for years.