[zauguin]

> or, even better, to prevent the HSM from being used by anything without my overt permission

Can't you already do that with an existing TPM? You just set an owner authentication password and an endorsement authentication password and no application can use it anymore unless you provide the password.

Technically it would still be possible to use it as a very slow cryptographic coprocessor I guess, but that benign and useless. It does still provide access to some platform measurements, but they can't be signed by a authenticated (or even safely stored) key, so they are easy to fake.

In addition to that the OS of course can be used to completely block access to it if needed.

The problem is not that people can't stop applications from using it, it is just that in practice people don't care.

[vladvasiliu]

> Can't you already do that with an existing TPM? You just set an owner authentication password and an endorsement authentication password and no application can use it anymore unless you provide the password.

How would one go about doing that?

[zauguin]

On Linux with tpm2-tools installed you can run

To set the owner password (mainly for Storage) ``` tpm2_changeauth -c owner file:- ```

To set the endorsement password (e.g. to verify that the TPM is authentic): ``` tpm2_changeauth -c endorsement file:- ```

To set the lockout password (to recover the system without requiring a full reset): ``` tpm2_changeauth -c endorsement file:- ```

[nicce]

If you can do that, doesn't that mean that you won't be able to even boot Windows after that?

[zauguin]

Potentially. Last I tried to boot Windows was a Windows 10 which could deal with this, it just disabled some functionalities relying in the TPM (aka. Windows Hello(?)). It might be that Windows 11 will not like it that much.

Then again, if you want to control what runs on your system, you probably don't run Windows in the first place.

Also if you want to stop Windows from booting, it's much more reliable to change the Secure Boot keys (and of course not adding the Microsoft keys afterwards). Then your system is guaranteed Windows free.