In terms of point 1, I have never intended to support Netflix or any other provider of DRM media on my devices. I have never even seen their homepages and don't want to. I do not watch TV and refuse DRM'ed media. They don't need to trust my computer and are never asked to.

2: A cipher implementation is only considered secure if it is secure when ONLY the key is private. As soon as implementation details also have to be private, they become in essence a part of the key that is common to all users, an actual security risk. Any nation-state level attacker can X-ray a TPM, count the zeros and ones and draw the schematic, thus reverse engineer every detail of the implementation.

3: Main plus of a TPM on my box would be use as 1/2 of 2FA disk encryption, with key recovery difficult but not impossible for an attacker. Passphrase is other half, but making the encrypted (w the pasphrase) LUKS key hard to get reduces the number of attackers capable of even beginning an attack. Probably locks out local and state police departments, probably does not lock out FBI and Secret Service, definately does not lock out NSA, but all of those still have to try the dictionary attacks etc, and that comes down to how important you are and how many more important machines they have waiting in line for supercomputer time. A quantum computer kills PGP but does NOT kill symmetrical disk encryption or any other symmetrical cipher, just cuts the effective keyspace in half. This is because factoring large primes is not part of the task.

Downside is a closed TPM could be set by its maker to send that key to a remote attacker, running the number of potential attackers back up, and raising the risk of a one-visit attack (e.g. a single raid) scoring after remote preparation. An Evil Maid is a two visit attack, first visit has to be covert. There's a lot to be said for never having the board connected to any network it can read or write too without a key stored on the encrypted disk, unless networking is only physically plugged in post-boot. That could be worked around,but would require the makers of a malicious TPM or CPU to expect and prepare for use of that defense.

Original answer unapproved:

In terms of point 1, I have never intended to support Netflix or any other provider of DRM media on my devices. I have never even seen their homepages and don't want to.

2: A cipher implementation is only considered secure if it is secure when ONLY the key is private. Any nation-state level attacker can X-ray a TPM, count the zeros and ones and draw the schematic, thus reverse engineer every detail of the implementation.

3: Main plus of a TPM on my box would be use as 1/2 of 2FA disk encryption, with key recovery difficult but not impossible for an attacker. Passphrase is other half

Downside is a closed TPM could be set by its maker to send that key to a remote attacker

I didn't say that such a device exists, just that it would be more secure since you now bypass the problems that you listed with the dual password thing in that the input value cannot be observed by any other means that also creating a new fake USB port that remotely transfers the challenge to the real computer. If this is implemented on the computer, not as software running on the cpu, but in something like the TPM chip talking directly to the USB-port then we have deterministic latency which any wireless networking would skew.

Just for kicks we could also design the dongle and the thing inside the computer to do millions of these filling the 20Gbps bandwidth (or close to), good luck being able to shrink down a 20Gbps wireless device to the size of a USB hub inside a laptop.

Add a pin or password requirement on the dongle and we solve the problem of losing the device and it being stolen in the sleep. But you covered this already. Preventing tampering is of course a problem as it is with every kind of key, so there have to be some kind of tamper proving going on, eg fill it with inert gas and a sensitive pressure sensor, if the pressure changes then clear the nvram, vary the pressure in each device so that you can't just put it inside a box with the same pressure and open it there. But yes the complexity quickly escalates.

I think we can go on all day since this is basically an insolvable problem, all you can do is shift the cost for an adversary enough so that it's cheaper to not attack the system.

There are others in the TPM community yes, I was mostly replying to (which is not an argument that you made specifically) the fear of Pluton which is a MS invention even though they have outsourced the actual creation to the chip makers such as Intel and AMD.

Finding a backdoor inside a TPM would be hard but not for the intended target, I mean the intended target for something like this would be a foreign government or security agency by orders of CIA/NSA and those should have the capability of inspecting TPM chips on commodity hardware. Which is of course why they wouldn't target them in this generic way making the whole idea even less credible.

Also we have other actors like AMD and Intel creating their own security chips and making them TPM compatible so now you have to convince several companies to implement the backdoor and also hope that their thousands of engineers are keeping their mouth shut (completely impossible). Which of course is not to say that some particular manufacturer of a TPM chip goes rouge and decides to implement their own backdoor into their own chip, so of course this is not an argument that there cannot be a TPM chip out there with a backdoor, just that I have a hard time seeing it being done on a wide scale and being the deliberate design by the creators.

In the end I don't think that we really are in disagreement :-)

​Regarding 2. he is not wrong. All that is needed to be kept secret is the internal encryption key of the TPM, not the implementation. So we can have an open design and an open firmware as long as we then have a means to burn a secret key into it. Since that key have to be burned into the chip at production to keep it tamper-resistant there is of course a practical problem for a "do it at home" solution here. But the manufacturers could be way more open with their design and especially their firmware.

I'm not following what you mean by 'write-only storage', which is /dev/null. I don't see how that helps. I think you mean storage in an enclave only accessible by a crypto processor. The (enclaved) storage is for holding keys/certificates, such as public keys, which can be used to confirm that a signature has been produced by the corresponding private key that is held by somebody else. The reason you hold the key in enclaved storage is to prevent a malicious actor from replacing a legitimate public key with a different public key and thereby misleading you into thinking that code signed by the corresponding private key is legitimate. The crypto-processor and key storage still need to be secure.

I think you need to do a bit more background reading regarding TPMs, enclaves, public key cryptography, password verification, key expansion, and how the linux kernel goes about using (long) keys such as where it stores them, how it computes with them, and the concept of memory (page) protection.

As for authenticating things: people don't use encrypted banknotes. On the other hand, they are very interested in assuring that the banknotes they use are authentic.

The same is true for software: in general, you are interested in running the same software as whoever you trust to provide it to you, so you can be sure it has not been maliciously tampered with. You do that by authenticating the software to be the same as the provider's. You are not looking to keep it secret, which is what encrypting it will do.

Now encryption <i>can</i> be used as an anti-tamper mechanism: for someone to tamper with your encrypted software, they would need a decryption key, so for as long as you are sure that your key has not been compromised, you can be sure that your encrypted software has not been tampered with. However, encryption does not tell you if the software is the same as the original. Somebody <i>could</i> have decrypted it, altered it, and re-encrypted it, and you would be none the wiser. This is why you need authentication, to make sure that that has not happened.

That's my opinion, but it could be wrong. If you believe yourself to be sufficiently knowledgeable, that's fine.

Perhaps I am less knowledgeable on this topic than you. Certainly, if your judgement is sound, in which case you can gain nothing more from me. Thank for your comments, and this thread is at an end.

The key point is that since the bootloader, the kernel and the initrd are all public knowledge already so encrypting them give no advantage. They are authenticated not so that customs can check that you have no illegal software hidden but so that you the user an rest assure that you are booting the kernel that you think that you are booting.

Encrypt your root fs with the hardest key on earth and your whole system is still compromised if an attacker can switch out the kernel or the initrd from under your feet. And it doesn't have to be a compromised kernel, it can just be an older one with a known vulnerability that the attacker uses later to gain access to your system.

I don't know of any DRM scheme on a PC that uses any TPM chip for anything, not really sure how it would work either. For that you instead need a Trusted Execution Environment like the Intel SGX or AMD PSP. The TPM chip does not provide a TEE, Pluton might but I have no idea.

That might be true, I only replied to your comment as it was quoted in my reply, if what you wrote there was some out of context reply to Old Grouch in a way that didn't really represent a question or state of fact from your side then I'm sorry if I replied to the wrong thing.

Ok, well can't argue against that. My only grief was that it looked like encryption vs signing, but as long as it's signed, adding encryption of course does nothing bad. There are though a few people out there that believe that encryption will suffice over signing and that was what I reacted to.