Can't say I'm surprised that Matthew Garrett is the one who submitted this patch, considering that he's been involved in pushing ""trusted"" computing poison like this for at least the last decade (and is seemingly one of the only people in the industry that's even paid attention to Pluton's existence, really makes you think), and yet somehow I'm still disappointed; is this going to be a total catastrophe even though he claims he's only working on supporting the TPM implementation and not any of the weird remote attestation crap we still don't really know much about? Probably not. Could this also potentially lead to Pluton eventually being fully supported by the Linux kernel and Microsoft gaining untold amounts of control over an OS that they've already compromised to some extent? Maybe. All I know is that this deserves to be condemned either way and that the sooner Pluton dies off, the better. To be fair, Garrett claimed around a year ago that the disabling mechanisms in AMD's Pluton implementation are "probably good enough", but after the last decade+ of CPU black boxes and countless Microsoft screwups, "probably" is about as reassuring to me as saying that a pack of rabid, hungry wolves staring at you through the window "probably" won't break in and tear your face off while you're asleep tonight.

I remember Dave Weston claiming on Twitter that Pluton would be open sourced and fully supported by Linux sooner or later - was he counting on someone else doing the work for him? :^)

As I understand Pluton is AMD ceding PSP control to Microsoft. So now we have a system that's always running, has low level hardware access, and has firmware/code that is kept secret, and is a common product across different platforms/companies.
Which to me means that it's going to be exploited by the black market.

Which is exactly what happened with Intel's ME engine, and why there are so much concerns put on how to disable as much of it as possible now that we understand much of it.

I don't know the full capabilities of Pluton, but it does feel like a repeat of the ME situation.

Your understanding is wrong. Pluton doesn't replace any of the PSP's functionality, other than there being no need to run an fTPM stack on the PSP because there's already a TPM on-package. The firmware for Pluton is easily available and not encrypted, and I've successfully reverse engineered portions of it. It's not wired directly into the network interface or graphics pipeline, so it's *much* less scary than the ME.

Edit to add: Oh, and also, it doesn't do anything unless something loads firmware into it. By default the Thinkpads that ship with it don't - you need to explicitly enable Pluton.

I'm glad that it's much less scary than ME. Means I shouldn't be too hesitant on getting a Ryzen 6000/7000 APU

Right, for this generation of hardware I really wouldn't worry. It's possible that later generations might change in ways that are user-hostile, but at the moment Pluton can't stop you booting Linux, can't read your data once Linux is running, can't speak to the network without Linux doing so for it, can't see the contents of your screen, and so on.

That's bullshit, my monitor doesn't have HDCP and the only time it's black is when I turn it off.

Come on, stop it people. The conspiracy theories around Pluton are ridiculous. If you don't have a clue and/or specific knowledge about Pluton doing actual mischief, just stop talking. For all we know, it's a TPM 2.0 security processor with improved hardware security.

Well DRM also works with encryption as well so hypothetically speaking it could be using TPM to store the keys in the same way a blu ray player that can play DRM HDMI streams can decrypt the content.

Note I dont know if this is the actual case but it doesn't seem absurd.

LOL, fit for course.

Except the TPM needs to be provisioned before use, a process which resets the keys (except for the EK which is permanently fused into, and is unique for each TPM). It doesn't really make sense for DRM purposes.

The TPM fear-mongering is getting so annoying at this point. They've been here for years and there hasn't been a single instance of it being used for DRM, unless you count access control in enterprises (where the device owner is the company) as DRM. TPMs can be incredibly useful for the actual device owners to secure their devices, and when combined with DRTM like Intel TXT can secure the OS against broken insecure firmware. They are criminally underutilized, IMO, and it's a good thing that they're now going to be baked in more devices. It would of course be even better if the firmware was open source...