TPM is basically never for your benefit. It’s becoming a requirement because Microsoft is going to one day say “you can only run apps installed from the Windows Store, because everything else is insecure” and lock down the software market. Valve knows this which is why they’re going so hard on the Steam Deck and Linux.
[This comment has been deleted by an automated system]
This is why I keep my initrd tattooed as a barcode on my testicles.
“Please teabag the web cam to boot.”
Kernel upgrades are very… Painful.
I don’t know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn’t James Bond?
[This comment has been deleted by an automated system]
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM’s not going to help with that situation, though, right? Either you’re typing in your encryption password on boot (in which case you don’t need TPM to keep your password), or you’re not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is “trusted” because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
It’s 30% legitimate concern over a non-negligible risk of government overreach, 70% having fun pretending to be James Bond.
I’m still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can’t be rare enough that there are zero options
Ubuntu, no encryption, select boot to desktop by default when the system installs.
Like, really?
Still smashing in passwords left and right
Ah so you want the windows 98 experience, root access by default all the time without passwords or extra prompts.
Maybe setting auto login and sudo without password can be almost enough? https://askubuntu.com/questions/147241/execute-sudo-without-password
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained “there are updates every day and I need to input the password too many times”
I mean, i do have some stuff that i encrypt, but encrypting the folder or packing it on a small partitiin and encrypting only this fs after booting makes more sense to me.
TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS
TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow
[This comment has been deleted by an automated system]
You are only seeing what TPM is now. Not what TPM will become when it become an entire encrypted computing processor capable of executing any code while inspection is impossible.
Imagine denuvo running at ring level -1
[This comment has been deleted by an automated system]
Yes, it’s right in the name “trusted platform module”. There is no secret that their ambition is to become a space to run code outside the user’s reach and scrutiny.
They start with the most legitimate and innocuous purpose. Once it is adopted and ubiquitous it will not suffer the fate of the other attempts and rotting on the vine.
Then surprise TPM 5.0 become full scale full speed trusted execution environment and it’s too late to do anything about it. Eventually , non trusted processing capability will be phased out and only Intel and signed code will run.
Today I learned that I actually set up secure boot properly. Neat!
Trusting some obscure hardware might be a bad idea then.
Support for old software is now the only reason to use windows.
I’m a big fan of Linux, but I can’t believe you really think this.
I legitimately have not booted into windows for years.
Sadly, I agree. I’m at the point now where as long as I’m not trying to game I can thrive on Linux. But even then I spend way more time than necessary getting things to work that do so out of the box on Windows. We have a long way to go before legacy apps is the only reason to run it.
Personally I found the time I saved from not having any control over my system has more than made up for tinkering that I have to do to get things running. My laptop would regularly become unusable for 20+ minutes on windows because of disk performance issues, and I as the user had no means to prevent windows from running the service that locked everything up. That along with other times windows just decides your use case is less important have added up to far more time then having to debug a game here and there
Ungh, yeah I used to have that problem with my laptop when I was in college.
I only booted it up for classes unless I had a test coming up I needed to study for or something. Because why the fuck would I not do that - I had a regular computer at home for everything else.
Every couple weeks, that meant it was updating instead of being available for note taking, and usually for the entire hour I needed it. Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Linux is just… hey I should probably update this shit at some point… meh, tomorrow.
Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Oh it also loves to install updates on shut down. So when you need to leave the class room to go home that fucking thing tells you to not cut power because it needs to install shit. Fuck you, I need to catch my bus!
Legit idgaf if you want to be plugged in for an update, if it’s inconvenient I’m unplugging it, fuck you for thinking I won’t, and it’s above 60% battery so it doesn’t matter anyway.
Maybe if my computer wasn’t buying so much avocado toast it could manage resources better.
The people that prefer Windows for gaming are not the people that will have performance issues on an OS basis, their rig is powerful enough to run complex games, the OS based performance loss is negligible in comparison. Hell, I sometimes don’t reboot the work computer for days and it doesn’t freeze at all. The system is on an SSD and there are no hiccups nor disk performance issues. In any case, with current day prices, buying a new m2 stick and new ram is less than 100€ total, and to be honest, I’d rather pay that and be fine for 4-5 years than spend a big part of my free time trying to make witcher 3, baldur’s gate 3, path of exile, tons of steam games and league working perfectly for Linux. It’s just not worth it.
I use WSL for work because coding in a Linux environment is better but I still need access to office tools, because companies work with those tools.
Linux won the servers war, but it still has to do much to win the home/work computer war.
“Long way” won’t be long, because Google 2.0, err, MS’ direction continues to make Win worse over time (cloudify everything, extract more data and strip more rights+control from each user, and gain more money via price-increasing subscription models) while the open source desktop ecosystem around Linux is getting noticeably better for almost every user every ~5 years or so. The era of Windows as a “pure” OS died with W7. Since W10, it’s OS + integrated malware. Start of downfall.
Those things matter to you and me but we’re in the minority. As long as Johnny Gamer and Grandma Facebooker can still do their preferred activities in Windows there’s a close to zero percent chance they’ll put the effort into making the switch.
- Hot Saucerman ( @dingus@lemmy.ml ) English26•11 months ago
https://hothardware.com/news/steam-deck-tpm-support-install-windows-11
I mean I generally agree with you, but the SteamDeck runs on an AMD processor with a fTPM that Valve slowly added support for.
It seems unlikely Valve will ever make Windows the primary OS for their devices. And they’d lose a lot of user support if they ever required the TPM for their own software, so hopefully they wouldn’t risk it.
Why does everybody seem to think that userspace attestation is the only use for the TPM? The primary use is for data to be encrypted at rest but decrypted at boot as long as certain flags aren’t tripped. TPM is great for the security of your data if you know how to set it up.
Valve is never going to require TPM attestation to use Steam, that’s just silly. Anti-cheat companies might, but my suggestion there is to just not play games that bundle malware.
Whatever is touted as the primary use doesn’t matter as much as what anti-user features it enables.
Anti-user features which are enabled by games and programs that were already anti-user before this. Hardly worth getting upset about, nothing has really changed. You already should have been avoiding them, because they were already anti-user.
I like to think that Valve knows better than to try that.
- Hot Saucerman ( @dingus@lemmy.ml ) English4•11 months ago
I doubt they would risk it as well, but the point is that it exists on the SteamDeck and can be utilized.
So what’s your point?
- Hot Saucerman ( @dingus@lemmy.ml ) English3•11 months ago
TPM is basically never for your benefit. It’s becoming a requirement because Microsoft is going to one day say “you can only run apps installed from the Windows Store, because everything else is insecure” and lock down the software market. Valve knows this which is why they’re going so hard on the Steam Deck and Linux.
This is the comment I was replying to. I was simply pointing out that for a company “going hard” on SteamDeck and Linux, it’s curious that they would spend any amount of effort at all enabling the TPM to allow people to run Windows. I guess my point is I don’t think they’re “going hard” quite as much as the person I responded to thinks.
Also it was just pointing out that this specifically can affect the SteamDeck since they use an AMD processor with AMD fTPM.
They are “going hard” the way I see it. Without Valve doing legwork behind the scenes and collaborating with anticheat developers we wouldn’t even have Apex Legends running on Linux like we’ve had for a year and a half. They’ve been talking about wanting to use Linux as a viable PC gaming platform to escape Microsofts lockdown of their platform since the days of Steam Machines when Windows 8 and the new store app were giving bad signs.
Either way Valve would be silly not to provide a compatible way to use Windows on the Deck. Even though the situation is much better these days, they know very well that a lot of enthusiast PC gamers would be dismissive of the Deck if Windows couldn’t work properly on it and that word of mouth would bring less confidence in the product.
Does EAC work correctly playing Apex Legends under Linux? If it does I’ll download the game tonight.
so what’s your point?
We use the TPM pretty extensively with no Windows in the environment.
But with a reason, I’m sure. There’s no reason for the everyday consumer to need one, other than Microsoft wanting more control.
Data encryption and decryption without entering a password is a pretty darn good reason.
Sure, but does a grandmother’s Solitaire & Facebook PC really need quick encrypting and decrypting? Anyone not dealing with sensitive info doesn’t need one.
Yes, because they are the least likely to know they are a part of a botnet
How would at-rest encryption make it less likely that your computer joins a botnet, or more likely that you’d notice if it did?
There’s no downside to having it. There’s many downsides to not having it. This seems pretty cut and dry to me.
- argv_minus_one ( @argv_minus_one@beehaw.org ) English5•11 months ago
There’s no downside to having it.
Sure there are. If it gets compromised with malicious code, I have no way of removing it.
I can protect ring 0. I can keep crap out of ring 0. If all else fails, I can nuke everything in ring 0 and boot a fresh OS installation. But I can’t do a single bleeping thing except throw out the whole machine if malware takes over ring -1.
This is already the case with your motherboard firmware, which fTPM is a part of. You are correct in that you have no real way to handle malware in it except throw it away. This doesn’t change in any way if you get rid of TPM.
TPM actually provides some useful components to isolate encryption outside of Ring 0, which is a trust win. But any technology must be weighted against its power to oppress.
- argv_minus_one ( @argv_minus_one@beehaw.org ) 3•11 months ago
And its power to make the system less secure. Isolating things outside ring 0 means malware can isolate itself outside ring 0 as well, and then it’s impossible to detect or remove without throwing out the entire machine.
Which is much, much scarier than anything an ordinary rootkit might do.
yes, the reason is to securely store cryptographic keys. even your own. It comes preloaded with microsoft ones usually, but you’re free to delete them and install your own
- argv_minus_one ( @argv_minus_one@beehaw.org ) 3•11 months ago
…so far.
It’s the way everything is moving. Hardware protected keys can be very useful but it’s a double edged sword. It’s more secure but also allows companies to lock consumers out.
We need rules that say when this tech is used the consumer still gets full control over it. Like what Google does with their Pixel phones and the Titan chip. Not what Apple does.
Like what google does? You mean disallowing people who use a privacy respecting android rom from using their banking apps and such? Soon very possibly banking websites included?
True but I was only referring to how they let you fully unlock and replace the trust keys on the Pixel. So they at least pretend to give some freedom, for now.
To be clear I think pretty much all of these companies, Google, Apple, Oracle, Microsoft, etc are outright melavanent. The app ecosystem and buy-in is a whole other ball of suck.
- argv_minus_one ( @argv_minus_one@beehaw.org ) 3•11 months ago
It’s only more secure until someone discovers yet another RCE bug in the firmware, and then you’ve got malware in your machine that’s impossible to detect or remove.
Because it’s secure.
Against you.
the average citizen has nothing to hide therefore deserves no privacy
I think you forgot a /s
I’m sure you’ll be ok sending me your social security number, home address, bank login details, credit card number, a copy of all the files on your hard drive…
I mean, you deserve no privacy right?
You do realize that he is talking about a RNG gen and not the TPM?
It is talking about the RNG built into the fTPM.
TPM is pretty important in any modern OS.
Sure you don’t need it. But it’s not 2013. It should be standard along with FDE
And now Imagine Linux had actually more market share on the Desktop. But for that, Linux needs at least a little more software support to be reliable for other people. And that software is usually not open source. Maybe with Flatpak, it will finally get somewhere in that regard, if there’s enough interest from people.
its not about the software support.
its because people are lazy to learn. most people dont even know that an OS can be different.
for them windows is defacto THE PC.
Sorry but that’s just wrong. Enough people simply don’t even consider Linux because their needed software doesn’t work + there’s no equivalent alternative. And my PC/OS is not a hobby or a Ideology. It’s a tool that I use to work with.
Is it really wrong? Do you have numbers? I think the most people claim above is at least plausible. It surely fits my personal experience, but that is of course not worth much.
I would argue that most people use their PC for web browsing, light photo editing and personal office stuff and maybe gaming (at least outside work) and those people are not affected by “the software I need does not work and there is no alternative”.
I would argue that most people use their PC for web browsing, light photo editing
Maybe just me but I know nobody who still uses a PC for this things anyway. The vast majority of people use their smartphones or tablets for basic stuff like that. People who still use a PCs or Laptops, usually do more work than that.
I am a gamer and I run into “the software doesnt do what I want, and theres no way around it/alternative” very often.
almost always cause I want to run another file in the same proton instance of a game to install a mod or do something else.
Or because something just doesnt work, despite following the instructions and others getting it to work.
Like, Cyberpunk is my most recent example. CET doesnt work, followed the guide, installed the packages the guide said to, still nothing. It doesnt prevent me from running the game, but it certainly stops me from enjoying it the way i want to.
You named multiple things with major compromises.
Gaming is fine if you use Steam and the compatibility layer or jump through hoops, and don’t play basically anything online.
The photo editing tools on Linux are dogshit.
Web browsing is fine, but not if you want to stream any content, because no one will serve you anything even medium quality without DRM.
Office stuff can kind of be replaced, but mostly by using the browser versions of the shit people actually use, because the tools to collaborate with others (particularly non-techy people) don’t exist for open source alternatives.
The software available is absolutely a massive limitation.
Gaming is fine unless the game has kernel level anti cheat. Minor compromise.
Photo editing tools are good enough for the needs of normal people. Gimp and Darktable are not dogshit, no compromise.
DRM under Firefox works. Never had a problem with it plus most people don’t even watch on computers. No compromise.
Non techy people mostly not do collaborative projects. Plus registering for any cloud with office and collaboration is easy. Minor compromise.
Basically the entire multiplayer space is locked out. It’s a massive compromise. And every platform that isn’t Steam requires significant manual configuration and still has issues.
No, they’re not good. And they’re not suitable for any normal person because the UX is a dumpster fire.
Nobody with normal tv/movie content gives you comparable quality on Linux.
Yes, normal people do need to collaborate. And no, none of the office options on Linux are capable of functional collaboration for normal people, except Google/microsoft through browser nonsense.
Your first point is web browsing. Even that doesn‘t work properly on a linux desktop lol. Browser performance is abysmal because the browsers lack out of the box support for hardware acceleration. Even if you get it to work it might not work reliably and an update might break it again.
Try using a discord call and open a youtube video in 4k at the same time on a a freshly installed linux desktop. The audio will be choppy and the video will drop frames like crazy. Just moving around windows on your desktop is not nearly as smooth as it is on windows.
You seem to be very misinformed. Browsers do not lack hardware acceleration. Some distributions do not include the necessary packets in their default configuration. Some. And when you get it to work, like in Arch Linux, where almost nothing is installed by default, it works flawlessly for years, never had an update breaking browser hardware acceleration.
I can run 12 4k youtube videos at the same time and route the audio to different channels of my different audio devices AND accept several calls from different webapps and the only thing that is not smooth is your way of discussing things LOL
I‘ve had this issue on several distros and multiple friends have the same issue. Video hardware acceleration in a browser is a mess. This is definitely not only affecting me as there is a significant amount of complaints on forums and reddit.
And there is no way that the average computer user will use arch. And as long as you gotta fiddle around with your system to get even the most basic shit running smoothly like watching a high resolution youtube video and moving around windows on your other screen at the same time linux will stay irrelevant as a desktop os. It‘s still a system for nerds and I kinda feel like that this is okay.
For technical people, maybe. For the avg user Windows and Mac are the computer and Linux is that thing nerds talk about sometimes.
Most people dont want an OS to be different. They are happy if it boots up and does what they want to do. It’s not lazy, it’s an active disagreement with the premise.
This is why nobody upgrades to Windows 10 from 7, or to 11 from 10. Security risks and lack of features aside, their OS just works for them.
These things are only a concern to enthusiasts.
It’s also why, as shitty behavior as it is, MS getting aggressive about upgrading to 10/11 is a net good, from a security standpoint.
I am intentionally ignoring the “10/11 is just spyware with an OS bundled in” thing in the above statement.
Linux still has too many issues, for example…
- Fedora doesn’t provide binary drivers even if they exist, you need to get a pluggable wifi usb tool that is supported and install the repositories and configure binary drivers to get wifi working on a huge amount of laptops.
- Ubuntu does provide binary drivers but the configuration tool can just crash by itself a lot of the time and just fail to load the driver.
- Ubuntu’s desktop sometimes just crashes.
- Fedora uses some strange memory compression driver to handle its paging file and this can sometimes just crash the OS entirely by itself.
These are major issues that shouldn’t be issues, they should either have been fixed as a priority for the crashes or have some kind of workaround that doesn’t require owning specific USBs that regular people just won’t have. There’s no reason for the memory compression thing either, it probably doesn’t do that much for performance overall but random hard-locks are a huge negative. Linux is its own worst enemy on the desktop.
Sometimes the issues with WiFi chipsets is not the distro but the manufacturer. Debian for instance now includes non-free firmware on its installation ISO image, but some manufacturers do not allow the distribution (e.g. Broadcom) of firmware, so Debian can’t legally include them. And unfortunately the manufacturers don’t make it easy to “just download the firmware” so you can put it on the USB stick so the installer can see them. (Literally the only issue with putting Debian on my old 2013 Macbook Pro was the Broadcom firmware - but fortunately, having a Debian desktop I could install the firmware downloader there to get the two files the installer needed).
This is not a fault of the Linux distro, but a fault of the hardware manufacturer. Unfortuantely, like the smell of piss in a subway, we all have to deal with Broadcom.
Most people are unable to administrate their own systems, therefore GNU/Linux–an operating system built on empowering developers and administrators–is basically unimaginable.
Microsoft and Apple have co-opted the admin duties for users, and that’s why people use their operating systems. It spares them from the disaster we all saw and experienced in the Window XP days–but that comes at a price.
It’s not software support, it’s not anythign to do with Linux. It’s a computer illiteracy problem.
Android could, in some respects, be linux’s biggest success story among regular users and that’s because Google co-opts admin duties.
- argv_minus_one ( @argv_minus_one@beehaw.org ) 3•11 months ago
It spares them from the disaster we all saw and experienced in the Window XP days
What disaster?
Did you ever try using a non-power user’s computer with Windows XP?
- argv_minus_one ( @argv_minus_one@beehaw.org ) 2•11 months ago
Yes, but a long time ago. Remind me?
Whoops. Thanks. I corrected the URL in the post.
The wonders of modern technology!
I always just kill my TPM chip. It’s so obvious tpm will be used in the future for application offline DRM. They will executed encrypted operations under the TPM veil and decompilers will become unusable.
Just disabled it in BIOS/UEFI. Should I disable security device support too, or doesn’t it matter when fTPM is disabled?
Or depends what they mean by security service support. Presumably some kind of external (usb ?) device ?
I love how Torvalds always calls it like he sees it.
insert nvidia middle finger gif here
Inserted
Honestly, I go watch this video from time to time whenever I need a lift.
Would love this. I’m still getting the ftpm stutters and there’s no way to disable it in my motherboards bios.
Wow I’m surprised you can’t disable it. I can disable it on my desktop BIOS (Gigabyte X570S Pro AX) and my work laptop BIOS (Dell G15).
You use a Dell G15 for work?
I do, yeah.
What is it that you do?
Website developer, pretty standard job.
I didn’t know this was a thing, it explains so much.
Based linus. Kill it, it’s pointless
I’ve had a weird system-wide stutter for months and the usual googling and troubleshooting didn’t help… omg. This might be it. Thank you Linus and thank you op.
I had it on my Windows 11 PC for a long time. I use this PC for music production and it was infuriating - the sound would just cut out intermittently like the computer couldn’t keep up. I tried lots of things, including an expensive CPU upgrade. In the end Asus released a new BIOS for the motherboard to address this AMD stutter, and that fixed it.
Which AGESA version?
Which AGESA version?
I don’t really know anything about that. Currently HWiNFO64 shows Microcode Update Revision A201025 and SMU Firmware Revision 56.74.0. I don’t know whether those are the numbers you’re asking for, or what they were while it was still having problems.
Thanks for the info! I’ll have to check that against what I’m using.
- RoundSparrow ( @RoundSparrow@lemmy.ml ) 25•11 months ago
the module can cause intermittent stuttering, depending on which Ryzen processor you’re using. It appeared when the fTPM was in use, it would access its flash storage via a serial interface, and when doing so, held up activity by the rest of the system.
Could this be why I get stuttering in games after enabling TPM installing windows 11?
- argv_minus_one ( @argv_minus_one@beehaw.org ) English15•11 months ago
“Maybe use it for the boot-time ‘gather entropy from different sources,’ but clearly it should not be used at runtime.”
Good idea. Ask it during boot/
insmodfor some hardware-random bits to seed Linux’s usual software-only CSPRNG, then just use that.And even that might not be a great idea. I wouldn’t be surprised if the fTPM RNG is subtly not-entirely-random, at some alphabet agency’s behest. I remember there being a controversy over
rdrandfor this reason…The fix with any possible issues with rdrand is the same here. When entropy is gathered from many sources including hardware instructions, any nefarious plant in the chip is drowned out in a sea of noise.
- argv_minus_one ( @argv_minus_one@beehaw.org ) English1•11 months ago
I’m no cryptographer, but that seems like an awfully dangerous assumption.
Well, it’s an fTPM, aka software, and AFAIK, no software can truly have a random RNG.
So it might be very good pseudo random at best.
- argv_minus_one ( @argv_minus_one@beehaw.org ) English1•11 months ago
It could be only mostly firmware, with a hardware RNG.
If not, and it uses a CSPRNG, then I don’t see much point in using it at all. Linux already has its own CSPRNG.
Yup. I’ve been wondering if that was the thing that’s made the v6.4 kernels so unstable on Ryzen machines.
What is that needle with a ball stuck onto it? In the photograph. Someone please help.
Microphone from a headset.