by m0nastic 4161 days ago
I've worked implementing both, and Bromium is basically as good a solution to this problem as you're going to get, in the sense that it requires the least modification of user behavior (the user's Windows machine mostly behaves like a normal one).

Even Bromium was pretty upfront about the use case for their product though (high-value targets like executives who travel to China). They were very honest about it being overkill for an entire enterprise.

I think securing endpoints is basically a lost cause though (I'm happy to consider that a minority opinion however). My company spent many years trying to get TPMs to be the solution to this problem, and I'm pretty sure that ship has now sailed; with the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile).

I think we'll eventually realize that much like networks, devices have to be assumed to be untrustworthy, and we have to route accordingly.


> the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile)

A counterpoint is that mobile platforms often have some form of secure enclave, but sadly not standardized. Even AMD's low cost x86 CPUs are adding an ARM coprocessor, which could in theory be used for functionality similar to TPM, DRM, or AMT. Some of those are more useful than others. On the Intel side, SGX will add more enclave options, and complexity, but hopefully will be open and well documented.

I take issue with "often", as the vast majority of mobile phones don't have anything (even if there exist specific models which could have them).

There was a brief window in time when you had to go out of your way to buy an Intel laptop "without" a TPM (even Macs had them for a time, even if Apple never made use of them). The Trusted Computing Group failed to capitalize on that timeframe by providing both a "reason" and decent solutions to that problem.

There's a lot of reasons why that was, if I've been drinking I'd happily go into many of them.

On the mobile side, I agree, it's a hodgepodge. Apple has their secure enclave (which doesn't quite act like a TPM, even though it theoretically could), and there exist vendors who could theoretically include a TEE in their phones (right now they're almost entirely limited to special "government-specific" use cases).

And I'm ignoring Samsung's solution (which is basically snake oil).

Intel's SGX would be great, provided that the industry suddenly switches to X86 for mobile (which I don't think is going to happen).

The mobile industry is way too fragmented from a hardware perspective for any type of trusted computing platform to achieve even a modicum of install base. That might change in the future, but I wouldn't bet on it.

Intel is slowly inching their way onto smaller devices (compute stick, 7" fanless tablets with TPM & TXT). While Google's Project Ara may look like a lab experiment, the Panasonic FZ-M1 is shipping with multiple peripheral "modules", so there's at least one proof point for modular devices with a radio.

If modular mobile architectures succeed, there will be a better chance of combining one's preferred hardware TCB with one's preferred sensors. Sometimes it only takes one counterexample to move entire markets; look at the time interval between the first Galaxy Note and the Apple iPhone 6.

Secure enclaves are very useful tools for OS design, but that's not the kind of security we're talking about here. Enterprises can't easily exploit processor protected VMs and address spaces to, say, prevent PII from leaking. By and large, companies aren't losing data to VMware jailbreaks; they're losing it to much, much more prosaic attacks.

If every endpoint could support at least two isolated enclaves, it would be feasible for enterprises to isolate some high-value info assets to an internal VPN that is isolated to one of the enclaves, with the other exposed to risky public channels and attacks.