TPM is basically never for your benefit. It's becoming a requirement because Microsoft is going to one day say "you can only run apps installed from the Windows Store, because everything else is insecure" and lock down the software market. Valve knows this which is why they're going so hard on the Steam Deck and Linux.
TPM actually provides some useful components to isolate encryption outside of Ring 0, which is a trust win. But any technology must be weighted against its power to oppress.
And its power to make the system less secure. Isolating things outside ring 0 means malware can isolate itself outside ring 0 as well, and then it’s impossible to detect or remove without throwing out the entire machine.
Which is much, much scarier than anything an ordinary rootkit might do.
I’m sure you’ll be ok sending me your social security number, home address, bank login details, credit card number, a copy of all the files on your hard drive…
Sure, but does a grandmother’s Solitaire & Facebook PC really need quick encrypting and decrypting? Anyone not dealing with sensitive info doesn’t need one.
Sure there are. If it gets compromised with malicious code, I have no way of removing it.
I can protect ring 0. I can keep crap out of ring 0. If all else fails, I can nuke everything in ring 0 and boot a fresh OS installation. But I can’t do a single bleeping thing except throw out the whole machine if malware takes over ring -1.
This is already the case with your motherboard firmware, which fTPM is a part of. You are correct in that you have no real way to handle malware in it except throw it away. This doesn’t change in any way if you get rid of TPM.
It’s the way everything is moving. Hardware protected keys can be very useful but it’s a double edged sword. It’s more secure but also allows companies to lock consumers out.
We need rules that say when this tech is used the consumer still gets full control over it. Like what Google does with their Pixel phones and the Titan chip. Not what Apple does.
It’s only more secure until someone discovers yet another RCE bug in the firmware, and then you’ve got malware in your machine that’s impossible to detect or remove.
Like what google does? You mean disallowing people who use a privacy respecting android rom from using their banking apps and such? Soon very possibly banking websites included?
yes, the reason is to securely store cryptographic keys. even your own. It comes preloaded with microsoft ones usually, but you’re free to delete them and install your own
Sadly, I agree. I’m at the point now where as long as I’m not trying to game I can thrive on Linux. But even then I spend way more time than necessary getting things to work that do so out of the box on Windows. We have a long way to go before legacy apps is the only reason to run it.
Personally I found the time I saved from not having any control over my system has more than made up for tinkering that I have to do to get things running. My laptop would regularly become unusable for 20+ minutes on windows because of disk performance issues, and I as the user had no means to prevent windows from running the service that locked everything up. That along with other times windows just decides your use case is less important have added up to far more time then having to debug a game here and there
The people that prefer Windows for gaming are not the people that will have performance issues on an OS basis, their rig is powerful enough to run complex games, the OS based performance loss is negligible in comparison. Hell, I sometimes don’t reboot the work computer for days and it doesn’t freeze at all. The system is on an SSD and there are no hiccups nor disk performance issues. In any case, with current day prices, buying a new m2 stick and new ram is less than 100€ total, and to be honest, I’d rather pay that and be fine for 4-5 years than spend a big part of my free time trying to make witcher 3, baldur’s gate 3, path of exile, tons of steam games and league working perfectly for Linux. It’s just not worth it.
I use WSL for work because coding in a Linux environment is better but I still need access to office tools, because companies work with those tools.
Linux won the servers war, but it still has to do much to win the home/work computer war.
Ungh, yeah I used to have that problem with my laptop when I was in college.
I only booted it up for classes unless I had a test coming up I needed to study for or something. Because why the fuck would I not do that - I had a regular computer at home for everything else.
Every couple weeks, that meant it was updating instead of being available for note taking, and usually for the entire hour I needed it. Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Linux is just… hey I should probably update this shit at some point… meh, tomorrow.
Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Oh it also loves to install updates on shut down. So when you need to leave the class room to go home that fucking thing tells you to not cut power because it needs to install shit. Fuck you, I need to catch my bus!
Legit idgaf if you want to be plugged in for an update, if it’s inconvenient I’m unplugging it, fuck you for thinking I won’t, and it’s above 60% battery so it doesn’t matter anyway.
Maybe if my computer wasn’t buying so much avocado toast it could manage resources better.
"Long way" won't be long, because Google 2.0, err, MS' direction continues to make Win worse over time (cloudify everything, extract more data and strip more rights+control from each user, and gain more money via price-increasing subscription models) while the open source desktop ecosystem around Linux is getting noticeably better for almost every user every ~5 years or so. The era of Windows as a "pure" OS died with W7. Since W10, it's OS + integrated malware. Start of downfall.
Those things matter to you and me but we’re in the minority. As long as Johnny Gamer and Grandma Facebooker can still do their preferred activities in Windows there’s a close to zero percent chance they’ll put the effort into making the switch.
It seems unlikely Valve will ever make Windows the primary OS for their devices. And they’d lose a lot of user support if they ever required the TPM for their own software, so hopefully they wouldn’t risk it.
Why does everybody seem to think that userspace attestation is the only use for the TPM? The primary use is for data to be encrypted at rest but decrypted at boot as long as certain flags aren’t tripped. TPM is great for the security of your data if you know how to set it up.
Valve is never going to require TPM attestation to use Steam, that’s just silly. Anti-cheat companies might, but my suggestion there is to just not play games that bundle malware.
Anti-user features which are enabled by games and programs that were already anti-user before this. Hardly worth getting upset about, nothing has really changed. You already should have been avoiding them, because they were already anti-user.
TPM is basically never for your benefit. It’s becoming a requirement because Microsoft is going to one day say “you can only run apps installed from the Windows Store, because everything else is insecure” and lock down the software market. Valve knows this which is why they’re going so hard on the Steam Deck and Linux.
This is the comment I was replying to. I was simply pointing out that for a company “going hard” on SteamDeck and Linux, it’s curious that they would spend any amount of effort at all enabling the TPM to allow people to run Windows. I guess my point is I don’t think they’re “going hard” quite as much as the person I responded to thinks.
Also it was just pointing out that this specifically can affect the SteamDeck since they use an AMD processor with AMD fTPM.
I don't see how it affects the Steam Deck. It's entirely possible that the Steam Deck supports fTPM purely because it was part of the motherboard template Valve chose and it would have been more trouble to change it than to just leave it in.
They are “going hard” the way I see it. Without Valve doing legwork behind the scenes and collaborating with anticheat developers we wouldn’t even have Apex Legends running on Linux like we’ve had for a year and a half. They’ve been talking about wanting to use Linux as a viable PC gaming platform to escape Microsofts lockdown of their platform since the days of Steam Machines when Windows 8 and the new store app were giving bad signs.
Either way Valve would be silly not to provide a compatible way to use Windows on the Deck. Even though the situation is much better these days, they know very well that a lot of enthusiast PC gamers would be dismissive of the Deck if Windows couldn’t work properly on it and that word of mouth would bring less confidence in the product.
And now Imagine Linux had actually more market share on the Desktop. But for that, Linux needs at least a little more software support to be reliable for other people. And that software is usually not open source. Maybe with Flatpak, it will finally get somewhere in that regard, if there’s enough interest from people.
Most people are unable to administrate their own systems, therefore GNU/Linux–an operating system built on empowering developers and administrators–is basically unimaginable.
Microsoft and Apple have co-opted the admin duties for users, and that’s why people use their operating systems. It spares them from the disaster we all saw and experienced in the Window XP days–but that comes at a price.
It’s not software support, it’s not anythign to do with Linux. It’s a computer illiteracy problem.
Android could, in some respects, be considered linux’s biggest success story among regular users and that’s because Google co-opts admin duties.
Most people dont want an OS to be different. They are happy if it boots up and does what they want to do. It’s not lazy, it’s an active disagreement with the premise.
This is why nobody upgrades to Windows 10 from 7, or to 11 from 10. Security risks and lack of features aside, their OS just works for them.
Sorry but that’s just wrong. Enough people simply don’t even consider Linux because their needed software doesn’t work + there’s no equivalent alternative. And my PC/OS is not a hobby or a Ideology. It’s a tool that I use to work with.
Is it really wrong? Do you have numbers? I think the most people claim above is at least plausible. It surely fits my personal experience, but that is of course not worth much.
I would argue that most people use their PC for web browsing, light photo editing and personal office stuff and maybe gaming (at least outside work) and those people are not affected by “the software I need does not work and there is no alternative”.
Your first point is web browsing. Even that doesn‘t work properly on a linux desktop lol. Browser performance is abysmal because the browsers lack out of the box support for hardware acceleration. Even if you get it to work it might not work reliably and an update might break it again.
Try using a discord call and open a youtube video in 4k at the same time on a a freshly installed linux desktop. The audio will be choppy and the video will drop frames like crazy. Just moving around windows on your desktop is not nearly as smooth as it is on windows.
You seem to be very misinformed. Browsers do not lack hardware acceleration. Some distributions do not include the necessary packets in their default configuration. Some. And when you get it to work, like in Arch Linux, where almost nothing is installed by default, it works flawlessly for years, never had an update breaking browser hardware acceleration.
I can run 12 4k youtube videos at the same time and route the audio to different channels of my different audio devices AND accept several calls from different webapps and the only thing that is not smooth is your way of discussing things LOL
I‘ve had this issue on several distros and multiple friends have the same issue. Video hardware acceleration in a browser is a mess. This is definitely not only affecting me as there is a significant amount of complaints on forums and reddit.
And there is no way that the average computer user will use arch. And as long as you gotta fiddle around with your system to get even the most basic shit running smoothly like watching a high resolution youtube video and moving around windows on your other screen at the same time linux will stay irrelevant as a desktop os. It‘s still a system for nerds and I kinda feel like that this is okay.
I would argue that most people use their PC for web browsing, light photo editing
Maybe just me but I know nobody who still uses a PC for this things anyway. The vast majority of people use their smartphones or tablets for basic stuff like that. People who still use a PCs or Laptops, usually do more work than that.
Gaming is fine if you use Steam and the compatibility layer or jump through hoops, and don't play basically anything online.
The photo editing tools on Linux are dogshit.
Web browsing is fine, but not if you want to stream any content, because no one will serve you anything even medium quality without DRM.
Office stuff can kind of be replaced, but mostly by using the browser versions of the shit people actually use, because the tools to collaborate with others (particularly non-techy people) don't exist for open source alternatives.
The software available is absolutely a massive limitation.
Basically the entire multiplayer space is locked out. It's a massive compromise. And every platform that isn't Steam requires significant manual configuration and still has issues.
No, they're not good. And they're not suitable for any normal person because the UX is a dumpster fire.
Nobody with normal tv/movie content gives you comparable quality on Linux.
Yes, normal people do need to collaborate. And no, none of the office options on Linux are capable of functional collaboration for normal people, except Google/microsoft through browser nonsense.
Basically the entire multiplayer space is locked out.
Not all multiplayer games use this anti cheat techniques (and those might just be working in the near future anyway). CS:Go works perfectly, Rocket League does, Dota 2 does, LoL did at least (I don’t know what they’re up to these days), 7 days to die does, paradox grand strategy does, Mordhau does, Path of Exile does, and those are only sone of the games I personally can confirm.
And they’re not suitable for any normal person because the UX is a dumpster fire.
People who use Photoshop professionally mostly agree, that GIMP is a great app that has just a few drawbacks compared zo photoshop. The UI was a dumpster fire, but they sorted that out. Photo Editing is on par with photoshop, at least with other free plugins. If your UX sucks, maybe it’s an error on osi layer 8.
Nobody with normal tv/movie content gives you comparable quality on Linux.
I’m still running 1080p on everything and Netflix delivers 1080p to all my linux boxes. Is there a problem with 4k?
Yes, normal people do need to collaborate. And no, none of the office options on Linux are capable of functional collaboration for normal people, except Google/microsoft through browser nonsense.
Which tools on windows allow easy collaborative office projects other than microsoft or google? Well, other than cryptpad, OnlyOffice, koofr, almost every nextcloud provider, etherpad…
I am a gamer and I run into “the software doesnt do what I want, and theres no way around it/alternative” very often.
almost always cause I want to run another file in the same proton instance of a game to install a mod or do something else.
Or because something just doesnt work, despite following the instructions and others getting it to work.
Like, Cyberpunk is my most recent example. CET doesnt work, followed the guide, installed the packages the guide said to, still nothing. It doesnt prevent me from running the game, but it certainly stops me from enjoying it the way i want to.
I think it’s more that there’s a perception of things not being compatible with Linux nowadays. A lot of the games that didn’t work 5 years ago now do, and I’m still seeing people complain that games like Halo Infinite don’t work on there when they actually do.
The only things I can think of that aren’t compatible and required for some tasks are Photoshop and professional CAD/CAE software. For >90% of the population Linux should be able to handle everything they need
Realistically windows is really good at repairing itself (or just getting it to a state where its usable again, to most users would be ‘repaired’).
Until linux has some sort of system like this, its just not worth the headache to 99% of users. The linux errors aren’t even that descriptive when they happen, and could be cause by like anything.
they dont even bother to give anything else than an error code which is applicable to 482885 different roots of errors.
Indeed the repairing functionality works. but yeah. the problem will be solved. linux has moved exceptional towards usability and will continue to do so.
It will never be the year of the linux desktop, until linux is easy to use and easy to troubleshoot and fix.
and let me tell you, every minor problem requiring some kind of arcane terminal ritualism in ancient enochian that only veteran sysadmins know, is not, and will never be, easy to use or troubleshoot.
There, I just gave you 2 ways to turn that arcane terminal ritualism in ancient enochian that only veteran sysadmins know, into a plain english service manual that any literate human being can use to figure out basically any terminal application ever.
Yeah, I’ve done --help. It doesnt make it simple. and it doenst magically let you figure out how to solve the problem, assuming you even know what package is causing the problem.
I’ve gone through more than enough fixing of more than enough problems as an average, not-sysadmin person. I know how bullshit it is. Just because you are used to it doesnt make it easier for regular people to use.
Microsoft has done a lot of shit wrong, but the one thing they got right is the usability of the OS, how any idiot can be sat infront of a computer and know what they’re doing with less than a day of faffing about, and can easily fix most common problems in a few clicks.
I can’t speak for other distributions, but Pop!_OS has had a “Refresh Install” option for a while now that does exactly this. This hasn’t happened often, but there have been a couple of times when something borked my system to the point of making it no longer boot, and re-running the installer in “Refresh Install” mode got everything back and running within 30 minutes while preserving all of my non-system files; in particular this meant that I didn’t have to re-download my Steam and other locally installed games, which is significant because they are the largest apps on my system.
Fedora doesn't provide binary drivers even if they exist, you need to get a pluggable wifi usb tool that is supported and install the repositories and configure binary drivers to get wifi working on a huge amount of laptops.
Ubuntu does provide binary drivers but the configuration tool can just crash by itself a lot of the time and just fail to load the driver.
Ubuntu's desktop sometimes just crashes.
Fedora uses some strange memory compression driver to handle its paging file and this can sometimes just crash the OS entirely by itself.
These are major issues that shouldn't be issues, they should either have been fixed as a priority for the crashes or have some kind of workaround that doesn't require owning specific USBs that regular people just won't have. There's no reason for the memory compression thing either, it probably doesn't do that much for performance overall but random hard-locks are a huge negative. Linux is its own worst enemy on the desktop.
Sometimes the issues with WiFi chipsets is not the distro but the manufacturer. Debian for instance now includes non-free firmware on its installation ISO image, but some manufacturers do not allow the distribution (e.g. Broadcom) of firmware, so Debian can’t legally include them. And unfortunately the manufacturers don’t make it easy to “just download the firmware” so you can put it on the USB stick so the installer can see them. (Literally the only issue with putting Debian on my old 2013 Macbook Pro was the Broadcom firmware - but fortunately, having a Debian desktop I could install the firmware downloader there to get the two files the installer needed).
This is not a fault of the Linux distro, but a fault of the hardware manufacturer. Unfortuantely, like the smell of piss in a subway, we all have to deal with Broadcom.
Why do you need full disk encryption in your day to day life? Are you a secret agent? I feel like that would give you our though.
It’s not a matter that I would have nothing to hide, this defense is stupid. It’s a matter that you should use a security adapted to your need, because the cost doesn’t offset the benefit otherwise. And with disk encryption you will far more often be sorry than happy if you’re a normal person.
People are imperfect. People have left laptops full of personal and/or commercially sensitive data on trains or planes, had them stolen from cars and houses etc. Full disc encryption is a defence against data breaches especially for computers that are not bolted down. Or it might be as simple as a person not wanting the embarrassment of their porn stash being found.
You are only seeing what TPM is now. Not what TPM will become when it become an entire encrypted computing processor capable of executing any code while inspection is impossible.
Yes, it’s right in the name “trusted platform module”. There is no secret that their ambition is to become a space to run code outside the user’s reach and scrutiny.
They start with the most legitimate and innocuous purpose. Once it is adopted and ubiquitous it will not suffer the fate of the other attempts and rotting on the vine.
Then surprise TPM 5.0 become full scale full speed trusted execution environment and it’s too late to do anything about it. Eventually , non trusted processing capability will be phased out and only Intel and signed code will run.
I’m still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can’t be rare enough that there are zero options
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained “there are updates every day and I need to input the password too many times”
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM’s not going to help with that situation, though, right? Either you’re typing in your encryption password on boot (in which case you don’t need TPM to keep your password), or you’re not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is “trusted” because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
I mean, i do have some stuff that i encrypt, but encrypting the folder or packing it on a small partitiin and encrypting only this fs after booting makes more sense to me.
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
“Maybe use it for the boot-time ‘gather entropy from different sources,’ but clearly it should not be used at runtime.”
Good idea. Ask it during boot/insmod for some hardware-random bits to seed Linux’s usual software-only CSPRNG, then just use that.
And even that might not be a great idea. I wouldn’t be surprised if the fTPM RNG is subtly not-entirely-random, at some alphabet agency’s behest. I remember there being a controversy over rdrand for this reason…
The fix with any possible issues with rdrand is the same here. When entropy is gathered from many sources including hardware instructions, any nefarious plant in the chip is drowned out in a sea of noise.
I’ve had a weird system-wide stutter for months and the usual googling and troubleshooting didn’t help… omg. This might be it. Thank you Linus and thank you op.
I had it on my Windows 11 PC for a long time. I use this PC for music production and it was infuriating - the sound would just cut out intermittently like the computer couldn’t keep up. I tried lots of things, including an expensive CPU upgrade. In the end Asus released a new BIOS for the motherboard to address this AMD stutter, and that fixed it.
I don’t really know anything about that. Currently HWiNFO64 shows Microcode Update Revision A201025 and SMU Firmware Revision 56.74.0. I don’t know whether those are the numbers you’re asking for, or what they were while it was still having problems.
I always just kill my TPM chip. It’s so obvious tpm will be used in the future for application offline DRM. They will executed encrypted operations under the TPM veil and decompilers will become unusable.
of course it waste of time, even the AMD don’t care about that so why need to care? From this, I don’t think to ever buying machine with AMD proc on it.
the module can cause intermittent stuttering, depending on which Ryzen processor you’re using. It appeared when the fTPM was in use, it would access its flash storage via a serial interface, and when doing so, held up activity by the rest of the system.
Add comment