Hacker News
by helloooooooo 1021 days ago
Ask Google exactly how they enforce their zero trust, VPN-less remote work environment. Hint: it has to do with the TPM. DRTM + Device Certificates + TLS Token Binding is a huge deal for proving that the endpoint is trusted, and that the principal actually logging in is using an approved device. DRTM prevents boot-time tampering by assuring that the measured boot state is consistent with what the network expects.
2 comments
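The check the post describes (a signed quote over measured-boot PCRs that the network compares with the state it expects), as an added example in Go that is not part of the thread and says nothing about Google's actual implementation. Everything in it is simulated and is an assumption of this example: the event log entries are constructed, a P-256 key stands in for the TPM attestation key, and the signed message is simply SHA-256(nonce || PCR digest) rather than the TPM 2.0 TPMS_ATTEST encoding; a real verifier would parse the TPM's quote structure and tie the AK to the enrolled device certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement is one entry of a constructed boot event log: the PCR it
// extended and the digest of the component that was measured.
type Measurement struct {
	PCR    int
	Digest [32]byte
}

// Quote is the simulated attestation: the verifier's nonce, the digest over
// the selected PCRs, and the attestation-key signature over both.
type Quote struct {
	Nonce     []byte
	PCRDigest [32]byte
	Sig       []byte
}

// ReplayEventLog recomputes PCR values the way a TPM extends them:
// PCR[i] = SHA-256(PCR[i] || digest), starting from an all-zero PCR.
func ReplayEventLog(log []Measurement) map[int][32]byte {
	pcrs := map[int][32]byte{}
	for _, m := range log {
		cur := pcrs[m.PCR] // zero value if never extended
		pcrs[m.PCR] = sha256.Sum256(append(cur[:], m.Digest[:]...))
	}
	return pcrs
}

// pcrDigest hashes the selected PCR values in a fixed order; this is what
// the quote commits to.
func pcrDigest(pcrs map[int][32]byte, sel []int) [32]byte {
	h := sha256.New()
	for _, i := range sel {
		v := pcrs[i]
		h.Write(v[:])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// quoteHash is the (assumed, non-TPM) message layout: SHA-256(nonce || digest).
func quoteHash(nonce []byte, d [32]byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), d[:]...))
	return h[:]
}

// SignQuote is the device side: the simulated TPM signs the verifier's nonce
// and the PCR digest with its attestation key.
func SignQuote(ak *ecdsa.PrivateKey, pcrs map[int][32]byte, sel []int, nonce []byte) (Quote, error) {
	d := pcrDigest(pcrs, sel)
	sig, err := ecdsa.SignASN1(rand.Reader, ak, quoteHash(nonce, d))
	if err != nil {
		return Quote{}, err
	}
	return Quote{Nonce: nonce, PCRDigest: d, Sig: sig}, nil
}

// VerifyQuote is the network side. The device is rejected unless the quote is
// fresh (our nonce), signed by the enrolled AK, reproducible from the event
// log the device sent, and equal to the golden PCR values we expect.
func VerifyQuote(akPub *ecdsa.PublicKey, q Quote, nonce []byte, eventLog []Measurement, sel []int, golden map[int][32]byte) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("stale or replayed quote: nonce mismatch")
	}
	if !ecdsa.VerifyASN1(akPub, quoteHash(q.Nonce, q.PCRDigest), q.Sig) {
		return errors.New("quote not signed by the enrolled attestation key")
	}
	replayed := ReplayEventLog(eventLog)
	if pcrDigest(replayed, sel) != q.PCRDigest {
		return errors.New("event log does not reproduce the quoted PCRs")
	}
	for _, i := range sel {
		if replayed[i] != golden[i] {
			return fmt.Errorf("PCR %d differs from the expected boot state", i)
		}
	}
	return nil
}

// SampleLog is a constructed log: PCR 0 firmware, PCR 7 secure-boot policy,
// PCR 17 the environment launched by DRTM.
func SampleLog() []Measurement {
	return []Measurement{
		{0, sha256.Sum256([]byte("firmware v1.2"))},
		{7, sha256.Sum256([]byte("secure boot policy: vendor db"))},
		{17, sha256.Sum256([]byte("drtm launch: tboot + kernel 6.1"))},
	}
}

func main() {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sel := []int{0, 7, 17}
	golden := ReplayEventLog(SampleLog())
	nonce := make([]byte, 16)
	rand.Read(nonce)
	q, _ := SignQuote(ak, golden, sel, nonce)
	fmt.Println("good device:", VerifyQuote(&ak.PublicKey, q, nonce, SampleLog(), sel, golden))
	bad := SampleLog()
	bad[2].Digest = sha256.Sum256([]byte("drtm launch: tampered kernel"))
	q2, _ := SignQuote(ak, ReplayEventLog(bad), sel, nonce)
	fmt.Println("tampered device:", VerifyQuote(&ak.PublicKey, q2, nonce, bad, sel, golden))
}
```

The four checks are ordered so that the cheapest rejections come first and so that a quote cannot be recycled: a captured quote fails on the nonce, a quote from a device without the enrolled AK fails on the signature, a doctored event log fails to reproduce the quoted digest, and a genuine quote from a machine that booted something other than the approved firmware, policy or DRTM-launched kernel fails on the golden comparison. The tampered run in main exercises the last case through PCR 17.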

Yes, when implemented correctly (I've never seen Google's implementation so I can't comment), D-RTM + Secure Boot is good. If Microsoft would give us this before shoving TPM down our throats, it would be good :) But they haven't even fixed the weaknesses they identified on their own in 2006.
> D-RTM + Secure Boot is good. If Microsoft would give us this before shoving TPM down our throats, it would be good

D-RTM requires a TPM.

None of my machines when I was at Google implemented this. The attestation was a bunch of scripts running on my computer that cobbled together the output of various things they cared to validate.