Hacker News
by accrual 2661 days ago
I knew several of the acronyms in the article but some were new to me. Here are some references in case anyone is in the same boat.

TPM: Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. [0]

PCR: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. [1]

LPC: The Low Pin Count bus, or LPC bus, is a computer bus used on IBM-compatible personal computers to connect low-bandwidth devices to the CPU, such as the boot ROM, "legacy" I/O devices (integrated into a super I/O chip), and Trusted Platform Module (TPM). [2]

VMK: Volume Master Key. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also known as the key-protector key. [3]

[0] https://en.wikipedia.org/wiki/Trusted_Platform_Module

[1] https://docs.microsoft.com/en-us/windows/security/informatio...

[2] https://online.tugraz.at/tug_online/voe_main2.getvolltext?pC...

[3] https://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption
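To make the PCR definition above concrete, here is an added example (my own illustration, not code from the thread or from any TPM vendor) that simulates a single SHA-256 PCR: the register is exactly one digest wide, starts at zero, and can only be changed by the extend operation PCR = H(PCR_old || measurement_digest), so the final value depends on every measured component and on their order. The boot components, their contents and the "sealed policy" check are constructed placeholders that simplify how a TPM-backed key protector (such as the one guarding a VMK) releases a key only when the PCRs match the values recorded at sealing time.

```python
import hashlib

# Width of a PCR in the SHA-256 bank equals the digest size of that bank.
HASH = "sha256"
DIGEST_LEN = hashlib.new(HASH).digest_size  # 32 bytes


def pcr_reset():
    """A resettable PCR starts out as all-zero bytes, one digest wide."""
    return bytes(DIGEST_LEN)


def pcr_extend(pcr, measurement):
    """TPM 2.0 extend semantics: new = H(old || H(measured object)).
    The PCR can never be written directly, only extended."""
    assert len(pcr) == DIGEST_LEN
    digest = hashlib.new(HASH, measurement).digest()
    return hashlib.new(HASH, pcr + digest).digest()


def measure_boot_chain(components):
    """Extend the PCR with each boot component in order and return the result."""
    pcr = pcr_reset()
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def matches_sealed_policy(chain, expected_pcr):
    """Simplified key-protector check: the key is released only if the PCR
    reached at boot equals the value recorded when the key was sealed."""
    return measure_boot_chain(chain) == expected_pcr


# Constructed sample boot chains (placeholder strings, not real firmware images).
GOOD_CHAIN = [b"BIOS v1.0", b"bootloader v2", b"kernel 5.4"]
TAMPERED_CHAIN = [b"BIOS v1.0", b"bootloader v2 (patched)", b"kernel 5.4"]

if __name__ == "__main__":
    sealed = measure_boot_chain(GOOD_CHAIN)
    print("sealed PCR :", sealed.hex())
    print("good boot  :", matches_sealed_policy(GOOD_CHAIN, sealed))
    print("tampered   :", matches_sealed_policy(TAMPERED_CHAIN, sealed))
```

Running it shows the same chain always reproduces the sealed value, while changing one component, or reordering the chain, yields a different PCR and the key is not released.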


> TPM: Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. [0]

Introduced around the time of Windows Vista by Hollywood to provide unbreakable HW DRM throughout the OS.

I’ve never once enabled this malicious, user-hostile hardware.

Security modules are prone to abuses by various interest groups, but by themselves they are never inherently evil, or even undesirable, if they have an open standard and are under the control of the user.

TPM and trusted computing is an interesting case. It was originally planned to be the foundation of an unbreakable DRM system; however, this didn't go according to plan. To this day, the most harmful result has been Secure Boot and Boot Guard, but TPMs have never been used in any significant DRM systems. Today it's genuinely a security tool under the user's control.

For example, see my explanation of how TPM-backed verified boot can help ensure the integrity of the BIOS and bootloader.

https://news.ycombinator.com/item?id=18034227

Quoting Richard Stallman:

> As of 2015, treacherous computing has been implemented for PCs in the form of the “Trusted Platform Module”; however, for practical reasons, the TPM has proved a total failure for the goal of providing a platform for remote attestation to verify Digital Restrictions Management. Thus, companies implement DRM using other methods. At present, “Trusted Platform Modules” are not being used for DRM at all, and there are reasons to think that it will not be feasible to use them for DRM. Ironically, this means that the only current uses of the “Trusted Platform Modules” are the innocent secondary uses—for instance, to verify that no one has surreptitiously changed the system in a computer.
>
> Therefore, we conclude that the “Trusted Platform Modules” available for PCs are not dangerous, and there is no reason not to include one in a computer or support it in system software.

https://www.gnu.org/philosophy/can-you-trust.html

> Today it's genuinely a security tool under the user's control.

Anything that has hardcoded nearly-impossible-to-extract keys which you don't know, is not under your control.