by michaelt 537 days ago
The TPM is a great thing, from Microsoft's perspective.

Because Microsoft have the Secure Boot code signing keys. And none of their users expect a "free software philosophy" that lets them use their own modified kernel, or DKMS to build new copies of kernel modules on demand - so you don't have to make users jump through any "machine owner key" hoops.

And a lot of your customers are big corporations who barely trust their own employees - and inexperienced users for whom forgotten passwords and suchlike are a big problem.

With the TPM, that corporation's shared PC at the reception desk can have an encrypted disk without all the receptionists needing to know the password, only their own passwords.

With the TPM you can remotely force a reboot to install updates, and the computer will fully boot afterwards - not get stuck at a disk encryption prompt. Ideal if your corporate work-from-home policy is for employees to remote desktop on a PC under their desk.

With the TPM, the PC can boot, unlock the disk and join wifi before any passwords have been entered - so a corporation's employees only need to remember their Windows password, and if they forget it, helpdesk can reset it remotely. It's great for the user too, who doesn't lose their non-backed-up data.

With the TPM you can have a short, weak passcode to unlock your PC, without worrying about brute force attacks. That's great if you want a cell-phone-style experience - or if you find long passwords an inconvenience, rather than a badge of honour.

With the TPM a corporation can give a laptop to a service engineer, who'd really like to install some games to play when he's stuck in a hotel overnight for a service call, and who has unsupervised physical access - secure in the knowledge it's very difficult for them to install unapproved software.

For a corporation that wants hardware-bound keys, the TPM is superior to things like Yubikeys, precisely because of its inflexibility. Why give people a second factor that keeps working when they move PCs and that's compatible with different platforms, if you never want them to move PCs or change platforms without going through you?

It just so happens that the majority of these only benefit large corporations and forgetful users, while most Linux users are quite happy remembering long unique disk encryption passwords thanks very much.

2 comments

> while most Linux users are quite happy remembering long unique disk encryption passwords thanks very much.

Which brings something up: how do you get back in if you suffer a traumatic brain injury or something like that? I feel like a lot of software assumes the operator can do things like remember unique passwords for a long time.

Sure, I can do that NOW, but will I still be able to in my seventies?

Well, you could write down your password and give it to a trusted friend, a lawyer, or whatever so people can get into your documents if the worst should ever happen.

Personally I choose not to do that. My girlfriend sent those nude photos to me, not to my heirs or the executor of my estate. It's impossible to "get back in" without the password, and that's how it's meant to be. Of course if you've got no sexy photos, and lots of treasured photos of your family growing up, you might feel differently!

> TPM is superior to things like Yubikeys, precisely because of its inflexibility

TPM also offers PIN or Password options. It is flexible.

Yubikeys offer PINs and passwords, a physical user presence button, fingerprint sensors, NFC, and you can use one key on different PCs, you can deal with PC hardware failures by moving the key and deal with key failures with a backup key, and it's compatible with Windows, Linux, OS X, Android and iPhone.

So they're a heck of a lot more flexible.

But in a corporate environment, you might not give a shit about Linux support, and you might think it's better if the user can't unplug the key and plug it into another PC, because corporate workers should only connect to corporate systems with their corporate-issued laptops, and corporate helpdesk will sort out any hardware problems.
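As an added, defender-side illustration of the TPM-plus-PIN arrangement that the top comment (short PIN, no brute-force worry, disk unlocks across a remote reboot) and the reply above ("TPM also offers PIN or Password options") describe, here is a PowerShell session that checks the TPM's anti-hammering state, lists the BitLocker protectors on the OS volume, and moves a TPM-only volume to TPM+PIN while making sure a recovery password is in place first. This is not code from the thread or from any participant; it assumes a Windows Pro/Enterprise machine with the built-in TrustedPlatformModule and BitLocker modules, an elevated session, and that C: is the OS volume.

```powershell
# Added example, not from the HN thread. Assumes Windows 10/11 Pro/Enterprise,
# an elevated PowerShell session, and C: as the BitLocker-protected OS volume.

# 1. Is there a TPM, is it ready, and what does its anti-hammering lockout say?
#    The lockout counter (not the PIN length) is what bounds guessing: the TPM
#    itself delays or refuses further attempts once LockoutCount nears LockoutMax.
$tpm = Get-Tpm
[pscustomobject]@{
    Present      = $tpm.TpmPresent
    Ready        = $tpm.TpmReady
    LockedOut    = $tpm.LockedOut
    LockoutCount = $tpm.LockoutCount
    LockoutMax   = $tpm.LockoutMax
} | Format-List

# 2. Which protectors can unlock the OS volume? A bare 'Tpm' protector gives the
#    reboot-and-come-back-up behaviour the comment praises; 'TpmPin' adds the
#    short PIN at boot on top of the sealed key.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
$types = @($vol.KeyProtector.KeyProtectorType)

# 3. Before touching the TPM protector, make sure a recovery password exists.
#    A firmware update or a motherboard swap changes the measurements the key is
#    sealed to, and the volume then falls back to this password, so it must be
#    escrowed (AD, Entra ID, or a vault) rather than lost with the machine.
if ($types -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Replace a TPM-only protector with TPM+PIN. BitLocker keeps a single
#    TPM-based protector per volume, so the plain one is removed first; the
#    recovery password added above keeps the volume recoverable in between.
if ($types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null

    $pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
}

# 5. Confirm the final protector set.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Two points worth taking from the output: the TPM's LockoutCount and LockoutMax are what make a short PIN acceptable, since the guessing rate is bounded by the chip rather than by the PIN's entropy; and any change to the measured boot chain drops the machine to the recovery password, which is why step 3 runs before step 4 and why that password should live somewhere other than on the laptop.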