[LooseMarmoset]

"The OS configuration and state (i.e. /etc/ and /var/) must be encrypted, and authenticated before they are used. The encryption key should be bound to the TPM device; i.e system data should be locked to a security concept belonging to the system, not the user."

See Android; or, where you no longer own your device, and if the company decides, you no longer own your data or access to it.

[ahepp]

https://0pointer.net/blog/authenticated-boot-and-disk-encryp...

Yes, system data should be locked to the system with a TPM. That way your system can refuse to boot if it's been modified to steal your user secrets.

[blueflow]

... and it will also refuse to boot if it has been modified by the user.

Preventing this was the reason we had free software in the first place.

[ahepp]

Increasing security for the system owner will necessarily decrease the ability of others to modify the system in ways the owner doesn't like.

[blueflow]

With "owner" not being the legal owner, but Microsoft.

[microthief]

And if Linux$oft suddenly decides every user's system needs a backdoor or that every system mus automatically phone home with your entire browsing data, then, well, too bad, so sad of course!

Jesus.

[ahepp]

Unless you're one of the 0.00000000001% of humans using a farm-to-table laptop with coreboot, what's stopping that from happening today?

[0dayz]

How exactly would this happen.

[mariusor]

I mentioned it somewhere else in the thread, and btw, I'm not affiliated with the company, this is just my charitable interpretation of their intentions: this is not for requiring _every_ consumer linux device to have attestation, but for specific devices that are needed for niche purposes to have a method to use an open OS stack while being capable of attestation.