As a QEMU user, why would I ever allow a Windows VM to talk to a real TPM? The entire point of a VM is to isolate Windows in a predictable and secure manner. Giving it access to an unmanageable coprocessor that has been designed to undermine my own interests completely destroys this goal. Hopefully this restriction will simply be cracked in the popular Windows torrents, or better yet some real TPM keys leak for use with emulators. But more likely by the time any application specifically requires Windows 11 to run, Windows will have faded even further into irrelevance.
I don’t understand the rationale here. You don’t want a real TPM exposed to a VM because of security... but you are okay with running unknown code (cracked software) to do who knows what to your runtime environment? o_O
It's all unknown code - pirated/cracked software just adds to the number of parties.
Backdoors only really became a pressing concern due to ubiquitous Internet access. When I first set up a Windows VM and install whatever application software and updates, its Internet access is through a public VPN only. And it contains no information to tie it back to me.
Before I put any sensitive information on it, I kill its Internet access and never re-enable it. So there is no way to exfiltrate data that I care about. Any produced information leaves via a local Samba share.
Leaking fixed identifying information about my hardware, or forming a side channel to a new VM instance would violate this security. I doubt the TPM would store persistent personal application data, but I don't need to be the first one to find out.
Errr, they want real TPM functionality. Emulation kinda nerfs the whole point of it. It's a hardware key. If you could just emulate it, what would stop you spoofing it?
Well, modules can be designed to protect my security, or to harm my security (e.g. to enforce DRM). I'm unclear on how "real TPM" functionality helps me. If it helps secure Microsoft, and hurts my security, that's a good reason to not use Windows.
I have not found good docs on what TPM exactly does in Windows 11, but people I trust tell me to distrust it, so I do.
It’s used to store BitLocker (Full Disk Encryption) keys so you don’t have to type a password for the system to boot. If you don’t use BitLocker, it’s not used for much else.
One could conclude that they are requiring TPM so they can eventually turn on BitLocker by default.
That would be unfortunate for Infineon, who create the majority of TPM chips. Who’s going to be the gatekeeper who decides who can create TPM chips, and what’s going to happen when a new manufacturer wants to enter the stage?