Hacker News new | ask | show | jobs
by alex7734 919 days ago
BS why?

Can a TPM not be used to remotely attest that you are running an unmodified OS and a TPM device that has been approved by the DRM implementer, before handing you an encryption key that never touches the disk?

Can you not restrict the list of approved OS to those that do not allow root/kernel access to the user?

Can you not restrict the list of approved TPMs to those that cannot be "easily" compromised? (i.e. only allow TPMs in the same die as the CPU)

Just because it's not used today does not mean it won't be used tomorrow. Microsoft has not completely pushed this through yet because they know that half of their userbase are pirates. But they are making preparatory steps for it, such as blocking systems without TPM or older CPUs out of Windows 11.

Just look at Android to see what it will look like in a few years.
1 comments
frankjr 919 days ago
I have a Linux box set up with secure boot. I manage my own keys, I sign my UKI kernels. I use TPM2 for disk encryption in addition to requiring password. Where does DRM come into this? Where does Microsoft? I use neither. So no, secure boot and TPMs are not "designed for DRM and not to protect you, the user". The fact that some garbage companies have figured out how to use some of these features to harm consumers is another matter but so can millions of other things. Choose the companies you work with well, garbage gonna garbage.
link
alex7734 919 days ago
Like I said, just take a look at Android. If you don't have an approved ROM you cannot use banking apps. Or Netflix. Or play most gacha games.

Riot Games's anti-cheat for Valorant will already not let you play if you don't have a TPM and Secure Boot enabled, and I'm pretty sure you need to have factory (Microsoft) keys for it to work.

Google has recently backtracked on their WEI API proposal which would give websites access to TPM remote attestation, but it will be back once people cool off. Once it's released you can count on every website with ads (like YouTube) to slap it on just to ensure you don't block them.

The list of things you cannot do on your Linux box will just keep increasing over time.

link