
The Dangers of Microsoft Pluton

(gabrielsieben.tech)
733 points gjsman-1000 | 29 comments
userbinator No.32234457
What is to prevent school WiFi from one day requiring a Pluton assertion that your Windows PC hasn’t been tampered with before you can join the network?

Remote attestation is the true enemy of your freedom. The power of the authoritarian corporatocracy to force you to use only the (entire) systems they control. It's worth reading https://www.gnu.org/philosophy/right-to-read.en.html again just to see how prescient Stallman was.

replies(12): >>32234704 #>>32235241 #>>32236203 #>>32236379 #>>32236408 #>>32237069 #>>32237245 #>>32238451 #>>32239672 #>>32239680 #>>32239999 #>>32240046 #
1. raxxorraxor No.32236203
Same with TPM, and why it had so many critics. Some people still seem adamant to say that boot viruses are the greatest threat in the 21st century, but the economic interests are far more dangerous for general computing in my opinion. And it isn't even close.
replies(4): >>32236517 #>>32236614 #>>32236934 #>>32238101 #
2. vanderZwan No.32236517
So basically, Cory Doctorow's "The Upcoming War Against General Computation"?

https://boingboing.net/2011/12/27/the-coming-war-on-general-...

https://github.com/jwise/28c3-doctorow/blob/master/transcrip...

Don't know enough about the subject to tell if his "attempts to control general computation will converge on rootkits" prediction has held up.

replies(2): >>32236702 #>>32237770 #
3. ChuckNorris89 No.32236614
Can you explain what is the issue with TPM?

I get the issue with Pluton but TPM is only a dedicated and certified secure key and random number generator that does a better job than CPUs doing it in software, and it's also a secure enclave for storing your encryption keys. Would you rather store the keys in memory where they can be easily grabbed by malicious apps like Mimikatz? Macs had the same feature for years in the T2 chip.

It's the exact system that enables wireless payment and other strong security features on your phone.

So having TPM on PCs and using it for its intended purpose is a boon for everyone's security, so I don't see the issue, just FUD.

replies(3): >>32236697 #>>32236700 #>>32237793 #
4. furtiman No.32236697
Among other things, the TPM enables verification of a particular state of your system, i.e., a particular set of binaries and OS configuration. Simplifying the description of the process a bit: at every bootup it checks the checksum of all programs loaded at every boot stage (UEFI, kernel, userspace) against one that is known to be approved, a process called "attestation".

So in the worst case, if your attestation server is very strict, any new binary installed on your machine will prevent it from booting or satisfying the attestation. This is the main concern that TPM enables.

replies(1): >>32237309 #
5. throwaway48292 No.32236700
TPM is part of the system that means I can't use my phone for wireless payment or use all sorts of other apps if I also want to do something outlandish like record phone calls, change the theme or delete Facebook... and everything it achieves can be done by other means anyway; making the device's owner a 2nd class citizen is a lazy solution.
replies(1): >>32236772 #
6. q-big No.32236702
To this talk, there exists a less well-known sequel:

DEF CON 23 - Cory Doctorow - Fighting Back in the War on General Purpose Computers

https://www.youtube.com/watch?v=pT6itfUUsoQ

replies(1): >>32248058 #
7. aibrahem No.32236772
I've always heard this argument but never understood it: what other ways are available to have an SRTM?
8. xjay No.32236934
2013: German Federal Government Warns on the Security Dangers of Windows 8 https://www.infosecurity-magazine.com/news/german-federal-go...

2015: Governments recognize the importance of TPM 2.0 through ISO adoption https://www.microsoft.com/security/blog/2015/06/29/governmen...

2022: Microsoft Can Kiss My A* | Do You Own Your PC? [Smart App Control] https://www.youtube.com/watch?v=Lv5xHfZnk4s&t=163s

The Trojan Platform Module (TPM)

replies(1): >>32237319 #
9. aplanas No.32237309
> the TPM enables verification of a particular state of your system, i.e., a particular set of binaries and OS configuration

That is a bit misleading. The TPM is a passive device; it cannot verify any state. It is the OS that measures the system (in Linux via the IMA subsystem). And it is the Linux kernel that, if you have a TPM, can produce a process where a 3rd party can be sure that the measurements are "true" and "legit" (via PCR#10 extension).

As you state later, it is this 3rd party that asserts (verifies) whether your state is considered OK or not.

Maybe I am too simplistic, but I do not see the evil in the TPM here, but only in the 3rd party policy.

TPM can be abused but, as a developer, I am happy that we can use the TPM for good and fair goals in open source projects.

It is the user who can decide to use the TPM or not, and should be noted that in the TCG specification it is stated that the TPM can be disabled and cleared by the user at any moment.

replies(1): >>32237628 #
10. aplanas No.32237319
The common component here is Microsoft, not the TPM.
11. q-big No.32237628
> Maybe I am too simplistic, but I do not see the evil in the TPM here, but only in the 3rd party policy.

The evil is that the "Trusted" in "Trusted Computing" and "Trusted Platform Module (TPM)" means that one deeply distrusts the user (who might tamper with the system), but instead the trust lies in the computing (trusted computing) or TPM. In other words: Trusted Computing and TPM means a disempowerment of the user.

replies(2): >>32237731 #>>32237732 #
12. carlhjerpe No.32237731
I'm not sure if I understand your argument. As long as you can put your own things on your TPM and use it for your own good it's not too bad right? And in corporate environments it's reasonable to not own your own device right?

Sure Infineon can probably get my data, but that's far beyond the scope of my threat model.

As long as the system is open to putting your own keys on there I'm fine with it.

replies(1): >>32237885 #
13. mavhc No.32237732
Indeed, so the user should not buy a computer where they're not in control of the TPM. If you can't disable it or add your own keys, then don't buy that computer.
replies(1): >>32238313 #
14. nibbleshifter No.32237770
> "attempts to control general computation will converge on rootkits" prediction has held up.

If you play video games, you probably have a couple of neat kernel rootkits installed as "anti cheat".

A lot of remote proctoring stuff for exams is looking a lot like rootkits too.

EDR/XDR is also just rootkits. For security. The only thing that can stop a bad guy with a rootkit is a good guy with a rootkit, after all.

replies(2): >>32238622 #>>32239216 #
15. raxxorraxor No.32237793
TPM has features like remote attestation and is in general a mechanism to bind data to hardware, which is interesting for DRM purposes.

Sure, there are theoretical attacks on memory, but they are far less relevant for security than the penalties I have to accept with TPM being widely established.

Not that there aren't different means, but TPM also creates unique hashes of your system which only reinforces the problems around fingerprinting.

> It's the exact system that enables wireless payment and other strong security features on your phone.

Phones suck as computing devices on every conceivable metric and are heavily locked down devices. And it is not true that you need a TPM chip to create secure transfers. I constantly do business transactions on my PC just fine.

replies(1): >>32238897 #
16. q-big No.32237885
> I'm not sure if I understand your argument. As long as you can put your own things on your TPM and use it for your own good it's not too bad right?

As long as software that uses the TPM cannot detect whether you tampered with the TPM or not, it is principally all right.

But as I wrote down: this is exactly the opposite of what trusted computing was invented for: make the machine trustable (for the companies that have control over the TPM/trusted computing), because the user is distrusted.

17. FridayoLeary No.32238101
Agreed. For proof, just look at how so much anti-virus software can be considered malware in its own right.
18. ori_b No.32238313
That rapidly converges on "you can't buy a computer and use it", because economic interests favor trusted computing devices.
replies(2): >>32238616 #>>32248561 #
19. q-big No.32238616
> That rapidly converges on "you can't buy a computer and use it", because economic interests favor trusted computing devices.

I would rather argue that it converges to "you become more and more morally obliged to learn about hacking (and perhaps become a less and less law-abiding citizen) if you buy a computer and use it".

replies(1): >>32239970 #
20. mwint No.32238622
The remote proctoring stuff is downright dystopian. I bought an extra laptop to do tests; most people can’t do that and have to install this garbage on their daily driver.

Of course, I guess most people don’t care.

replies(1): >>32239072 #
21. viraptor No.32238897
> which is interesting for DRM purposes.

You're thinking of SGX enclaves not TPM.

> TPM also creates unique hashes of your system

It doesn't. Your system creates hashes and appends them to lists signed by the TPM. And the point of those hashes is not to be unique, but to verifiably match known values.

replies(1): >>32239129 #
22. nibbleshifter No.32239072
What's hilarious is it doesn't seem to prevent exam cheating in any meaningful way anyway, according to some students I've chatted to.
replies(1): >>32239207 #
23. raxxorraxor No.32239129
No, I meant TPM. Media could be bound to have the TPM report certain hashes of the configuration registers that are either already set or TPM sets on system boot. Same mechanism that allows you to only open a document on specific hardware basically or allows an application to check if the system was perhaps compromised.
replies(1): >>32239636 #
24. mwint No.32239207
It really doesn’t. I took an exam in a meeting room at work with huge TVs on the wall… they made me show them the TVs were “unplugged”, so I just unplugged some random thing from the wall and they were happy.

The TVs are hardwired, it’d be trivial to have an accomplice show answers or whatever on them.

25. agileAlligator No.32239216
Kernel rootkits are going to be redundant pretty soon.

There are cheats out there that use video captured by capture cards as input for an AI on a separate computer to actually play the game like a human would. Once that becomes widespread there is no way to stop it, save from banning capture cards entirely.

26. viraptor No.32239636
I don't think it's going to be useful this way for DRM. TPM is useful for verifying your boot chain is secure and validating this to an external party. But locally you can lie to apps all you want. You can emulate the TPM device (https://qemu-project.gitlab.io/qemu/specs/tpm.html); it can tell you whatever you want. Locally it's as useful as hiding the DRM in a driver. Raising the bar a bit, but you can still work around it.
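A worked model of the measured-boot and remote-attestation flow argued over in comments 4, 9, 21 and 26, added here as an example and not code from the thread: the OS hashes each boot component and extends the digest into a PCR, the TPM only stores and quotes the register (it never looks at a binary), and a remote verifier replays the event log, checks that the quote came from a TPM holding the expected attestation key, and then applies its own allow-list. Every image blob, the attestation key and the allow-list are constructed for the example; HMAC over the PCR and a nonce stands in for the TPM's AK signature.

```python
"""Toy model of TPM measured boot and remote attestation (added example).

The byte strings standing in for firmware, bootloader and kernel images,
the attestation key and the verifier's allow-list are all constructed here;
none of them comes from a real platform.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

PCR_LEN = 32        # SHA-256 PCR bank
PCR_INDEX = 10      # the register Linux IMA extends into
# Constructed stand-in for the private attestation key (AK). In reality the
# verifier learns the AK's public half via the TPM's endorsement certificate.
AK_SECRET = b"constructed attestation key"


class ToyTPM:
    """Passive register store: it never inspects binaries, it only extends and quotes."""

    def __init__(self, ak_secret: bytes = AK_SECRET) -> None:
        self.pcr: List[bytes] = [bytes(PCR_LEN) for _ in range(24)]
        self._ak = ak_secret

    def extend(self, index: int, digest: bytes) -> bytes:
        # PCR_new = H(PCR_old || digest): one-way and order dependent,
        # so a register can only be reset by rebooting, not rewritten.
        self.pcr[index] = hashlib.sha256(self.pcr[index] + digest).digest()
        return self.pcr[index]

    def quote(self, index: int, nonce: bytes) -> Tuple[bytes, bytes]:
        # A real TPM signs (PCR, nonce) with the AK; HMAC stands in for that.
        pcr = self.pcr[index]
        return pcr, hmac.new(self._ak, pcr + nonce, hashlib.sha256).digest()


def measured_boot(tpm: ToyTPM, stages: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Firmware/OS side: hash each loaded component, extend it, keep an event log."""
    log = []
    for name, blob in stages:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        tpm.extend(PCR_INDEX, digest)
    return log


class Verifier:
    """The remote 3rd party. Its allow-list is the policy, not the TPM."""

    def __init__(self, allowed: Dict[str, bytes], ak_secret: bytes = AK_SECRET) -> None:
        self.allowed = allowed
        self._ak = ak_secret

    def check(self, nonce: bytes, quoted_pcr: bytes, mac: bytes, log: List[Tuple[str, bytes]]) -> bool:
        # 1. The quote is fresh and comes from a TPM holding the expected AK.
        expected = hmac.new(self._ak, quoted_pcr + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        # 2. The event log replays to exactly the quoted register value.
        pcr = bytes(PCR_LEN)
        for _name, digest in log:
            pcr = hashlib.sha256(pcr + digest).digest()
        if pcr != quoted_pcr:
            return False
        # 3. Policy: every measured component is on the allow-list.
        return all(self.allowed.get(name) == digest for name, digest in log)


# Constructed stand-ins for boot components (not real images).
GOOD_STAGES = [
    ("uefi", b"constructed firmware image v1"),
    ("bootloader", b"constructed shim+grub"),
    ("kernel", b"constructed vmlinuz"),
]
TAMPERED_STAGES = [
    ("uefi", b"constructed firmware image v1"),
    ("bootloader", b"constructed shim+grub"),
    ("kernel", b"constructed vmlinuz with an extra module"),
]
ALLOWED = {name: hashlib.sha256(blob).digest() for name, blob in GOOD_STAGES}
VERIFIER = Verifier(ALLOWED)
GOOD_LOG = measured_boot(ToyTPM(), GOOD_STAGES)


def attest(stages, tpm: Optional[ToyTPM] = None, log_to_send=None) -> bool:
    """Boot `stages` on `tpm` and attest to VERIFIER; returns the verdict."""
    tpm = tpm or ToyTPM()
    log = measured_boot(tpm, stages)
    nonce = os.urandom(16)                      # verifier's challenge
    pcr, mac = tpm.quote(PCR_INDEX, nonce)
    return VERIFIER.check(nonce, pcr, mac, log if log_to_send is None else log_to_send)


if __name__ == "__main__":
    print("clean boot:", attest(GOOD_STAGES))
    print("modified kernel:", attest(TAMPERED_STAGES))
    print("modified kernel, clean log sent:", attest(TAMPERED_STAGES, log_to_send=GOOD_LOG))
    print("emulated TPM without the AK:", attest(GOOD_STAGES, tpm=ToyTPM(b"emulator key")))
```

The four scenarios fail at different checks: the modified kernel replays fine but misses the allow-list (check 3), sending a clean log for a tampered boot fails the replay (check 2), and an emulated TPM that lacks the attestation key fails the quote check (check 1). That last case is the distinction comment 26 draws: an emulated TPM can say anything to local software, but a remote verifier that trusts only quotes under a known AK is not fooled. Note also that nothing in the TPM decides what is "approved"; that decision lives entirely in the verifier's allow-list, which is the point comment 9 makes about policy.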
27. pixl97 No.32239970
Your way rapidly turns into "I was shot by a SWAT team for running a program I legally own"

Yea, maybe we shouldn't live in the US, or other authoritarian nations, but few of us have options like that.

28. vanderZwan No.32248058
Thank you for bringing this to my attention, will check it out after work
29. mavhc No.32248561
Only if only 1% of the population know the risks, teach the other 99% to care. Same with any civic problem