by preisschild 361 days ago
Not a fan of Windows, but I hate this FUD against TPM & Secure Boot
6 comments

I don't think Windows is using TPM for anything useful.

As for Secure Boot, its main goal seems to be preventing you from installing non-Windows operating systems.

If you own the computer, you can enroll your own keys and sign any operating system you want. The UEFI vendors don't necessarily make this easy to do, nor do they support it in a consistent way, but it's there. Of course, Microsoft has no incentive to make this any easier, since their keys come preloaded on every computer.

The primary function of Secure Boot is to protect against bootkits. In a way, you're right, because for most desktop/laptop computers, a bootkit is indeed a "non-Windows operating system" that shouldn't be allowed to run. It's hard to get clear numbers on how prevalent bootkits actually are, but they're not purely theoretical. They can also be chained into compromising the UEFI and peripheral device firmware. So there's a real security threat being addressed by Secure Boot. Whether it should be required or not is really about the question of where the responsibility boundary between Microsoft and the end user lies.

> If you own the computer, you can enroll your own keys and sign any operating system you want. The UEFI vendors don't necessarily make this easy to do, nor do they support it in a consistent way, but it's there

This is not unilaterally true and there is no reason they won't try to push more locked down computers now that the base technology is accepted.

> The primary function of Secure Boot is to protect against bootkits.

Which are pure FUD when it comes to regular users. Once your computer is owned to the point where a bootkit can install itself, all the user data (what actually matters) is already long gone. Secure Boot isn't going to help you one bit.

Not all malware is ransomware.

"They" will absolutely push more locked down computers, indeed this has become the norm in many areas of computing already, like smartphones, tablets, and video game consoles. For that same regular user, though, this is irrelevant: they're never going to install a different operating system.

A computer once compromised by a bootkit is also e-waste. It can never be trusted again. Now, I think an argument can be made that Secure Boot as implemented on most PCs isn't enough to truly protect against bootkits, but that just leads us to even more aggressive ways of locking people out of fully controlling their own computers.

Ultimately, Microsoft (and any PC O/S vendor that might supplant them in the future) will be expected by enterprises, judges, legislators, average home users, etc. to take responsibility for exploitation of "their" systems. Computers connected to the Internet 24/7 cannot rely on end-user discretion alone, and the effectiveness of such discretion varies widely anyway.

Responsibility would mean no services open to the internet by default and not running arbitrary code from any random web site though.

What you're describing is more like security theater.

Does the TPM protect grandma from malicious JavaScript? :)

"Services open to the Internet" is more of a 2000s problem than a modern problem. Operating systems default to being a lot less trusting of local networks today, and nearly every place you'd connect to WiFi already has a router with a "drop all unsolicited packets" policy. MITM is the big risk here, and the best way to address it is by using secure protocols (HTTPS, SSH, etc.) everywhere.

Mandatory code signing for web sites would go a long way to addressing some of the most common types of exploits we see today, and that doesn't require a TPM. I'd love to see it, but it is going to require some infrastructure and enforcement to work, and it too could become user-hostile (e.g., you can't block ads, because that would change the code).

BitLocker is not useful? Have you tried configuring LUKS with TPM? I recently got in trouble cause I tried that, dracut rewrote my initrd but missed some options (somehow when dracut is missing a module it's just a warning?!) in the setupcrypt so the damn thing wouldn't boot. Compared to the super streamlined experience with BitLocker (where the largest hassle is that you have to type your recovery key) it's a joke.

And the alternative is ZFS encryption which apparently still has data loss race condition bugs and the person submitting patches to fix those admits they have no idea why that happens.

Not not a fan of windows, but I hate this FUD that a computer has to be trashed because it doesn't support TPM/Secureboot.
It's not Fear, Uncertainty or Doubt. Nobody serious is saying that TPMs are a bad idea. They are saying they are not required and they are fucking correct to say it, and especially when folks are already suffering under a cost of living hike like few we've seen, plus Trump's stupid tariffs, it's horseshit to effectively hold people's security hostage to them buying an entire new fucking computer.

You can disable the requirements for these features in Windows setup with Microsoft approved group policies. They are the definition of not required. My workbench PC is a shitty old XPS from 2014 and it runs 11 just fine.

Like, would people be more secure with TPMs? Absolutely, but I've been using computers in my home since fucking 2004 that did not have these features. Surely we can let it go a little longer without throwing folks to the digital wolves for the crime of not having a few hundred around for another new goddamn gadget?

> Nobody serious is saying that TPMs are a bad idea.

I am. They by definition mean you no longer have full authority over your computer which is unacceptable. Even their name is orwellian - they are all about NOT trusting the user.

> They are the definition of not required.

They will be once support is widespread enough. And they will be used against your interests.

Microsoft is claiming that millions of computers should be turned to e-waste. How is complaining about this "FUD" in any way?
How is it FUD?

If they offered to support higher security on win11 with a tpm chip that'd be one thing, but they're creating a situation where you either pay them for security updates on win10 forever or be forced to upgrade hardware that is otherwise perfectly functional.

AFAICT the author isn't saying "TPM bad" but rather "wasteful disposal of millions of functional computers for no valid reason is bad"

SecureBoot is itself FUD. It doesn't protect regular users in any way.