this post was submitted on 01 Aug 2023
573 points (98.5% liked)

Linux

48074 readers
1355 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] rastilin@kbin.social 292 points 1 year ago (39 children)

TPM is basically never for your benefit. It's becoming a requirement because Microsoft is going to one day say "you can only run apps installed from the Windows Store, because everything else is insecure" and lock down the software market. Valve knows this which is why they're going so hard on the Steam Deck and Linux.

[–] skullgiver@popplesburger.hilciferous.nl 152 points 1 year ago (8 children)

You're going to need a TPM or some other security key if you want to come close to the security Bitlocker's and Apple's T2 chip provide. TPM+password encryption is the norm on any serious attempts at data protection, for good reason.

It's already quite hard to get decent encryption on most Linux distros, with GRUB lacking support for modern key derivation techniques for full disk encryption, and several distros still relying on unencrypted boot partitions that anyone can modify the initrd of without any trace.

Secure boot can protect all of these steps without TPM encryption if you bother to set up your own keys, kick out Microsoft's keys (killing any chance of a successful dual boot), and set up automatic signing of your bootloader and every intermediate step, but that's more than any common Linux user is willing to go through. For Secure Boot to work well you'll probably also want some kind of verification that the system didn't just modify its environment and chainloaded the Linux bootloader and TPMs are the only way to do that on many systems.

"TPM bad" is as bad a take as "Linux bad". The technology isn't inherently good or bad, and both good and bad actors can use it to their advantage, just like the Linux kernel is used in portable hacking devices and in firewalls alike. You can make a problem out of the signed firmware and backdoors and such, but unless you're running a Pentium II or a RISC-V chip that probably runs at the same speeds, you're stuck with some kind of binary blob of microcode and firmware on any computer anyway; TPMs don't add or remove anything from that.

[–] socsa@lemmy.ml 105 points 1 year ago (5 children)

This is why I keep my initrd tattooed as a barcode on my testicles.

[–] evatronic@lemm.ee 51 points 1 year ago

"Please teabag the web cam to boot."

[–] Wats0ns@sh.itjust.works 19 points 1 year ago

There's two types of users, those who write a detailed precise technical answer to the subject, and then there's you

[–] zalgotext@sh.itjust.works 14 points 1 year ago

You know, I've been thinking about what I want my first tattoo to be for months, you've just given me a great idea

[–] JuxtaposedJaguar@lemmy.ml 11 points 1 year ago

Kernel upgrades are very... Painful.

[–] Ghast@lemmy.ml 47 points 1 year ago (11 children)

I don't know why I keep hearing of security measures to stop someone sleuthing into bootloaders.

Am I the only person using Linux who isn't James Bond?

The thing is, Windows does this out of the box. So does macOS. So do iOS and Android. When you set a PIN on Windows 11 or even add an extra password to your already TPM-encrypted hard drive, you don't even know you're getting any of this security. You don't need to! It just works!

Linux is the only system that doesn't just make this stuff work out of the box. There are some issues that prevent it from being as easy to use as on other systems (the fact that loading Linux keys into a motherboard take an extra user interaction, for example) but there are solutions to all of these problems if Linux distros were to put some work into it.

There's absolutely no reason why you should need to use the terminal to configure the TPM, you should just need to tick a box during install that makes the system use better encryption (or disable it if you use the drive in multiple computers). The reason you need to play James bond with layers of encryption and boot configurations is that standard Linux tooling had awful support for using the security hardware that every computer sold the last decade or so already contains.

[–] hansl@lemmy.ml 8 points 1 year ago (2 children)

I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.

The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.

It’s not like there’s a difference in performance nowadays.

load more comments (2 replies)
load more comments (9 replies)
[–] interdimensionalmeme@lemmy.ml 21 points 1 year ago (1 children)

TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS

TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow

[–] skullgiver@popplesburger.hilciferous.nl 24 points 1 year ago (4 children)

Intel literally removed CPU-bound DRM from their recent processors because it wasn't secure. Besides, the encryption keys for DRM are safely stored deep inside the iGPU anyway. All the TPM does is store a few kilobytes of cryptographic data and record signals sent to it by the OS in a way that the OS can't alter down the line.

The TPM is literally built to be used as an encryption peripheral. You can use alternatives like Yubikeys as external TPMs for extra security of course, but that doesn't mean every desktop, laptop, and smartphone needs one.

Your smartcard has the exact same potential to become used as a means for DRM. In standard use cases it's literally meant to govern access to a computer.

load more comments (4 replies)
load more comments (5 replies)
[–] dingus@lemmy.ml 23 points 1 year ago (1 children)

https://hothardware.com/news/steam-deck-tpm-support-install-windows-11

I mean I generally agree with you, but the SteamDeck runs on an AMD processor with a fTPM that Valve slowly added support for.

[–] floofloof@lemmy.ca 23 points 1 year ago* (last edited 1 year ago) (8 children)

It seems unlikely Valve will ever make Windows the primary OS for their devices. And they'd lose a lot of user support if they ever required the TPM for their own software, so hopefully they wouldn't risk it.

[–] bear@slrpnk.net 30 points 1 year ago* (last edited 1 year ago) (2 children)

Why does everybody seem to think that userspace attestation is the only use for the TPM? The primary use is for data to be encrypted at rest but decrypted at boot as long as certain flags aren't tripped. TPM is great for the security of your data if you know how to set it up.

Valve is never going to require TPM attestation to use Steam, that's just silly. Anti-cheat companies might, but my suggestion there is to just not play games that bundle malware.

load more comments (2 replies)
[–] ipkpjersi@lemmy.ml 13 points 1 year ago

I like to think that Valve knows better than to try that.

load more comments (6 replies)
[–] SkyNTP@lemmy.ml 21 points 1 year ago (1 children)

Support for old software is now the only reason to use windows.

[–] Bipta@kbin.social 43 points 1 year ago (9 children)

I'm a big fan of Linux, but I can't believe you really think this.

[–] socsa@lemmy.ml 18 points 1 year ago

I legitimately have not booted into windows for years.

load more comments (8 replies)
[–] nan@lemmy.blahaj.zone 17 points 1 year ago (19 children)

We use the TPM pretty extensively with no Windows in the environment.

load more comments (19 replies)
load more comments (35 replies)
[–] glibg10b@lemmy.ml 121 points 1 year ago (2 children)
[–] floofloof@lemmy.ca 51 points 1 year ago (1 children)

Whoops. Thanks. I corrected the URL in the post.

[–] GenderNeutralBro@lemmy.sdf.org 25 points 1 year ago

The wonders of modern technology!

load more comments (1 replies)
[–] interdimensionalmeme@lemmy.ml 82 points 1 year ago (7 children)

I always just kill my TPM chip. It's so obvious tpm will be used in the future for application offline DRM. They will executed encrypted operations under the TPM veil and decompilers will become unusable.

load more comments (7 replies)
[–] Anticorp@lemmy.ml 61 points 1 year ago (1 children)

I love how Torvalds always calls it like he sees it.

[–] ken27238@lemmy.ml 25 points 1 year ago (1 children)

insert nvidia middle finger gif here

[–] chris@l.roofo.cc 30 points 1 year ago (1 children)
load more comments (1 replies)
[–] shapis@lemmy.ml 51 points 1 year ago (2 children)

Would love this. I'm still getting the ftpm stutters and there's no way to disable it in my motherboards bios.

[–] ipkpjersi@lemmy.ml 14 points 1 year ago* (last edited 1 year ago) (3 children)

Wow I'm surprised you can't disable it. I can disable it on my desktop BIOS (Gigabyte X570S Pro AX) and my work laptop BIOS (Dell G15 I think like 5515).

load more comments (3 replies)
load more comments (1 replies)
[–] ryannathans@lemmy.fmhy.net 46 points 1 year ago

Based linus. Kill it, it's pointless

[–] FunkyMonkey@feddit.de 37 points 1 year ago (2 children)

I've had a weird system-wide stutter for months and the usual googling and troubleshooting didn't help.. omg. This might be it. Thank you Linus and thank you op.

[–] floofloof@lemmy.ca 15 points 1 year ago* (last edited 1 year ago) (3 children)

I had it on my Windows 11 PC for a long time. I use this PC for music production and it was infuriating - the sound would just cut out intermittently like the computer couldn't keep up. I tried lots of things, including an expensive CPU upgrade. In the end Asus released a new BIOS for the motherboard to address this AMD stutter, and that fixed it.

load more comments (3 replies)
load more comments (1 replies)
[–] RoundSparrow@lemmy.ml 25 points 1 year ago

the module can cause intermittent stuttering, depending on which Ryzen processor you're using. It appeared when the fTPM was in use, it would access its flash storage via a serial interface, and when doing so, held up activity by the rest of the system.

[–] argv_minus_one@beehaw.org 14 points 1 year ago (3 children)

"Maybe use it for the boot-time 'gather entropy from different sources,' but clearly it should not be used at runtime."

Good idea. Ask it during boot/insmod for some hardware-random bits to seed Linux's usual software-only CSPRNG, then just use that.

And even that might not be a great idea. I wouldn't be surprised if the fTPM RNG is subtly not-entirely-random, at some alphabet agency's behest. I remember there being a controversy over rdrand for this reason…

load more comments (3 replies)
[–] drwho@beehaw.org 11 points 1 year ago

Yup. I've been wondering if that was the thing that's made the v6.4 kernels so unstable on Ryzen machines.

load more comments
view more: next ›