that's one datapoint. how about population level statistics? most smokers didn't get lung cancer yet, so should they be afraid more google or lung cancer?
your personal data is still with you. when someone will steal your money, you wouldn't have it anymore

I notice he does not address one of the main concerns with TPM, which is privacy. Once you have a TPM in your computer, now you have an easily accessible serial number for a PC. If I install an application and it can interact with the OS to retrieve the public key for my TPM, then all it has to do is connect the key to my name and I am doxxed for the lifetime of my PC. How is this acceptable?

The very same properties that ensure security for a TPM chip are the ones that result in privacy being impossible. The key is burned into the chip at the factory. I find this prospect of removing any pseudoanonymity from computing to be a worrying trend. And is he serious about data being safer on a Chromebook or Windows PC? From a third party, maybe, but you are just giving it all away to these corporations, and they are more dangerous than any individual person.

TPM has something called sealing, where you can tie the key to specific hardware or software requirement so that it cannot be unwrapped if the hardware or software changes. He describes it here.

You don't need TPM do achieve that, yes using a TPM would give you a more permanent key but for 99% of cases one can properly identify your machine as yours just fine without a TPM.

That kind of attack is not very covert though, don't fall for a nirvana fallacy.

It's always a matter of WHO is going to decrypt your device and steal data there. Secure Boot only protect against attackers that are powerful enough to brute force decrypt your password but not powerful enough to (a) brute force decrypt the actual xxx bit decryption key, or (b) sniff in hardware keylogger to your device or spy camera onto where you use your device, then do the actual steal of your device after seeing the password, or (c) just kidnap you and or your family and beat you into surrender.

Let assume (a) is infeasible. Then what's left is (b) and (c). Now let's take a look at the identity of the attacker. The "brute force decrypt your password" thing can only occur after getting physical access to the device. It also takes time and money. So either what stored in that device worth a lot of money, or the attacker does not care money because he/she come from government sector and they are attacking for political purpose. For attackers from government sector, (b) and (c) is easily doable. Now what's left for Secure Boot to protect is when what stored in the device worth a lot of money. For digital data to worth that much money, it is either (i) you let your browser remember banking password or you let banking apps run password-free, or (ii) you put trade secret or some huge business patent-ready secret into the device and carry it outside your heavily guarded corporation.

I am sure I will do neither (i) or (ii). Nobody should do them either.

Bootloader authentication / encryption still has its place. But the current design put too much dependency onto TPM, which itself become a huge risk factor of data loss when destructed. Take the business secret I mentioned as example. Remember Secure Boot is all about protecting a computer when attacker already have physical access to it? The attacker, if purely for money, don't need to gain access to the data for that purpose. It can also destroy your data to make you lose a lot of money to achieve the same. Your loss equals my win. With TPM and Secure Boot, breaking the TPM chip means the computer data is, by design, ruined forever. Therefore, in a Secure-Boot-protected environment, if one want to protect the offline backups by TPM (else the shiny TPM protection of online data will be sidestepped), there need to be a secondary machine with its own TPM chip to do the backup operation. This secondary machine can't be located in the main operation site but have to placed and run together with the offline backup storage site. Now the business risk of corporate enemies sneak into your server room to do damage reduced to when they sneak into also your offline backup site. But the problem is still there. Before TPM, an offline backup site can be truly offline and easier to protect. Now it has to have its own TPM protected backup machine that goes online periodically to do backup. It become harder to keep the backup site secret. So, TPM is still introducing new risk factor in security against data loss, as a huge stack of backup data now get a single point of failure.

Okay, so the whole point of bootloader authentication by TPM went back to bad government that are bad enough to steal your data in border custom secretly but not bad enough to (1) install rootkit to your phone when it's out of factory, or (2) install hardware keylogger to your laptop, or (3) imprison you until you unlock your phone / laptop in front of them. Maybe most of you guys live in Europe or North America and your government fit that, but I live in Hong Kong. These funny conditions do not fit the Chinese government, not even anywhere close. Choice 3 is so easy. The same also apply to Russia and many other countries. To most of us in this world, the only method of protecting oneself from government attack (if one is paranoid) is to remember important account password (no biometric!) by heart. Don't store them into devices. Don't have any password recovery enabled. Government don't need to see your local data to imprison you forever anyway. Keep information that may put others into danger in foreign server, then prevent the foreign web service account from being confiscated. it is the most one can do.

Here is Richard Stallman's stand against TPM: https://www.gnu.org/philosophy/can-you-trust.en.html He is seeing it a malicious product.

No you can’t. A TPM is the only thing you cannot spoof or change.

AFAIK you can take ownership of the TPM and then change the EK with tpm_createek command. Fingerprinting have gone on for decades long before TPM was a thing and current methods don't need a TPM to achieve high accuracy either, e.g here is an article where using just Browser fingerprinting uniquely identified 74% of desktop users: https://medium.com/slido-dev-blog/we-collected-500-000-browser-fingerprints-here-is-what-we-found-82c319464dc9


And pretend that MS stores a unique generated value using steganography in the registry, stored over multiple other keys. How would you even know. So, no, they don't need a TPM to uniquely identify you, they have plenty of other venues. It does make it easier though so there I do agree with you.

I and II happen frequently both on private and enterprise machines. (c) again fails if the attack have to be covert, even in a Spy vs Spy scenario there are lots of scenarios where not being covert fails the entire mission. Then there is also the most likely scenario that you catch the guy with the laptop, uses torture and coercing, kills his whole family, pet goat and entire village only to find out that he does not have access to the password of the laptop, he is just a courier transporting the laptop between two offices and (c) fails yet again and lets your enemy know that you are actively after them.

In a scenario where my loss of the data is your win then I'm obviously not going to go the TPM route, why are we pretending that there will only be a single way to protect the data/machine?