by MBCook 531 days ago
I figured it’s more about ensuring the kernel and boot loading and OS are 100% unmodified by attackers/malware.

If that helps with BitLocker or passkeys or whatever, that’s great. But I assume at its base it’s a pure integrity play.

I would think that would also let you know the public key stuff used to communicate with hardware authentication like a fingerprint reader is secure too, but I don’t know how that stuff works well enough to know if that’s true.

1 comments

TPM can measure the Secure Boot state for later reporting (attestation) but when it comes to DRM, that’s not a terribly interesting bit of information, knowing the firmware and kernel are valid, when the configuration of the OS and installed applications is really the important part.

As far as I know there’s no real scalable way for that to work in the Windows ecosystem.

That makes sense to me. It just doesn’t seem that useful for DRM, seems like kind of a reach.

Especially in modern systems where the graphics card could do all of it and so the host PC never has access to the decrypted data or keys in the first place.