A TPM is a dedicated chip or firmware component that provides hardware-level security, housing encryption keys, certificates, passwords, and other sensitive data, “and shielding them from unauthorized access,” Microsoft senior product manager Steven Hosking wrote last month, declaring TPM 2.0 to be “a non-negotiable standard for the future of Windows.”

  • chicken@lemmy.dbzer0.com · 7 up, 1 down · 2 days ago

    Normally, offloading cryptography to a different hardware module could be seen as a good thing — but with nonfree software, it can only spell trouble for the user…

    Could someone explain more about this? What about TPM + proprietary OS is bad? What are the risks here?

    • Don_alForno@feddit.org · 19 up · edited · 2 days ago

      Here is an (old but updated) article on the topic.

      As of 2015, the main method of distributing copies of anything is over the internet, and specifically over the web. Nowadays, the companies that want to impose DRM on the world want it to be enforced by programs that talk to web servers to get copies. This means that they are determined to control your browser as well as your operating system. The way they do this is through “remote attestation”—a facility with which your computer can “attest” to the web server precisely what software it is running, such that there is no way you can disguise it. The software it would attest to would include the web browser (to prove it implements DRM and gives you no way to extract the unencrypted data), the kernel (to prove it gives no way to patch the running browser), the boot software (to prove it gives no way to patch the kernel when starting it), and anything else relating to the security of the DRM companies’ dominion over you.

      Under an evil empire, the only crack by which you can reduce its effective power over you is to have a way to hide or disguise what you are doing. In other words, you need a way to lie to the empire’s secret police. “Remote attestation” is a plan to force your computer to tell the truth to a company when its web server asks the computer whether you have liberated it.

      […]

      As of 2022, the TPM2, a new “Trusted Platform Module”, really does support remote attestation and can support DRM. The threat I warned about in 2002 has become terrifyingly real.

      Remote attestation is actually in use by “Google SafetyNet” (now part of the “Play Integrity API”), which verifies that the Android operating system running in a snoop-phone is an official Google version.

      This malicious functionality already makes it impossible to run some bank apps on GrapheneOS, which is a modified version of Android that eliminates some, though not all, of the nonfree software that Android normally contains.

      This kind of walled garden where you don’t really control your machine is where MS wants to get, and TPM2 supposedly enables them to do that or is a step in that direction.
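
The remote attestation flow the quoted article describes, as an added example that is not part of the thread or of the article it quotes: a boot chain is measured into a PCR by repeated hashing, the TPM signs the PCR together with the server's nonce using an attestation key that never leaves the chip, and the server accepts only PCR values on its allowlist. The example stands in for the TPM with plain Go: Ed25519 replaces the TPM's RSA/ECC attestation key, the signed message is a simplified version of the TPMS_ATTEST structure, and the component names, versions, domain-separator string and "official build" label are all invented for illustration. The one real detail it preserves is that a PCR can only be extended, so a patched kernel produces a different value no matter what the host software later claims.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement is one boot event: a label for the reader and the SHA-256 digest
// of the component that was loaded (firmware, bootloader, kernel, browser).
type Measurement struct {
	Label  string
	Digest [32]byte
}

// extendPCR mirrors TPM2_PCR_Extend for a SHA-256 bank: new = SHA256(old || digest).
// The register can only be extended, never written, so nothing loaded later can
// undo or hide an earlier measurement, and the order of events changes the result.
func extendPCR(pcr, digest [32]byte) [32]byte {
	h := sha256.New()
	h.Write(pcr[:])
	h.Write(digest[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// measureChain starts from the power-on reset value (all zeros) and extends each
// measurement in boot order, returning the final PCR value.
func measureChain(chain []Measurement) [32]byte {
	var pcr [32]byte
	for _, m := range chain {
		pcr = extendPCR(pcr, m.Digest)
	}
	return pcr
}

// Quote is what the attester returns: the PCR value, the verifier's nonce and a
// signature over both by the attestation key (AK). A real TPM2_Quote signs a
// TPMS_ATTEST structure holding a digest of the selected PCRs; same idea, simplified.
type Quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

func quoteMessage(pcr [32]byte, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-quote-v1")) // domain separator; an assumption of this example
	h.Write(pcr[:])
	h.Write(nonce)
	return h.Sum(nil)
}

// makeQuote is the attester side. The AK private key lives inside the TPM, so host
// software can request a quote but cannot get a signature over any PCR value but the real one.
func makeQuote(ak ed25519.PrivateKey, pcr [32]byte, nonce []byte) Quote {
	return Quote{PCR: pcr, Nonce: nonce, Sig: ed25519.Sign(ak, quoteMessage(pcr, nonce))}
}

// verifyQuote is the server side: freshness (our nonce), authenticity (signed by an
// AK we trust) and policy (the PCR matches a boot chain on our allowlist).
func verifyQuote(akPub ed25519.PublicKey, nonce []byte, allowed map[[32]byte]string, q Quote) (string, error) {
	if !bytes.Equal(q.Nonce, nonce) {
		return "", errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(akPub, quoteMessage(q.PCR, q.Nonce), q.Sig) {
		return "", errors.New("bad signature: not produced by a trusted attestation key")
	}
	name, ok := allowed[q.PCR]
	if !ok {
		return "", errors.New("unknown software stack: PCR value not on the allowlist")
	}
	return name, nil
}

func digestOf(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// Constructed boot chains; component names and versions are invented for illustration.
var officialChain = []Measurement{
	{"firmware", digestOf("vendor-firmware-1.0")},
	{"bootloader", digestOf("signed-bootloader-2.3")},
	{"kernel", digestOf("vendor-kernel-6.1")},
	{"browser", digestOf("drm-browser-120")},
}

// The same machine after the user swaps in a self-built kernel.
var patchedChain = []Measurement{
	officialChain[0], officialChain[1],
	{"kernel", digestOf("user-patched-kernel-6.1")},
	officialChain[3],
}

func main() {
	akPub, akPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	allowed := map[[32]byte]string{measureChain(officialChain): "official build"}
	for _, chain := range [][]Measurement{officialChain, patchedChain} {
		q := makeQuote(akPriv, measureChain(chain), nonce)
		if name, err := verifyQuote(akPub, nonce, allowed, q); err != nil {
			fmt.Printf("PCR %x...: REJECTED, %v\n", q.PCR[:6], err)
		} else {
			fmt.Printf("PCR %x...: ACCEPTED as %s\n", q.PCR[:6], name)
		}
	}
}
```

The verifier never sees the kernel or browser itself, only a hash chain it can compare against values it already trusts, which is why the quoted text says there is "no way you can disguise" what is running: the client can refuse to answer, but it cannot produce a valid signature over a PCR value the TPM did not compute. The same three checks (nonce, signature, allowlist) are what a bank app or a DRM-enforcing web service would apply to a device-integrity verdict.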

    • Scary le Poo@beehaw.org · 0 up, 1 down · 2 days ago

      It’s just FUD and made up shit. I hate MS as much as anyone else, but the statement is bullshit.