You, the Problem TPM2 Solves

1. Trust: to Give or to Earn?

Microsoft wants you to believe that you can give trust to TPM2 for better security. TPM2 is made a mandatory prerequisite, not an option for Windows 11. That does not square with how we understand “trust” to work. In truth, TPM2 is not about enhancing the security of the users. It is about solving the problem of the untrustworthy computer users in areas such as Digital Restrictions Management, game anti-cheating, and exam proctoring. All these applications have failed so far because users have total control over their physical properties, the computers. That control allows them to run DRM‑stripping software on video/audio/text files, plugins to cheat in games, and video intercepting software to cheat in the exam, among many possibilities.

To discipline the users against their possible ill wills, such software has to do way more than minding their own businesses. They have to take the highest level of operating system privilege and prevent users from switching to other applications or even running, in the background, any potentially cheating-aiding software such as audio/video recorder. That's why these classes of software all behave exactly like rootkit malware. Microsoft has long been consistent in its complicit approval of Sony's rootkit and its insistence on content protection since the miserable failure that was Vista. With the help of TPM2 and the assurance of mathematics, however, Microsoft can finally enforce it. You have to earn their trust by letting TPM2 remotely attest to Microsoft and other software vendors about who you really are, and “swear” in cryptographic terms that you are not running anything against their software.

2. The biometrics of CPUs

Fingerprints are usernames, not passwords. They facilitate surveillance from governments or corporations over individuals way better than they help individuals protect secrets and privacy. For example, it is encryption passwords (and the underlying mathematics), not fingerprints, that can protect the secrets of a temporarily unconscious or even a deceased person. In general biometrics are suitable for surveillance and not suitable for computer security because of their uniqueness, the difficulty for the owner to forge, and the difficulty for the owner to refuse to reveal. (Think of the gait analysis technology so well developed in China.)

The public portions of the endorsement key (EK), Attestation Identity Key (AIK), and other keys in a TPM2 chip have properties similar to the biometrics of a person. It is unique just like the serial number of the engine in a car, and the manufacturers keep track of all those numbers in their products. With a physically carved serial number, it is easy for the user to share with his friends in a fake report in case the remote corporate lords demand the knowledge or the photo of that number. In the TPM2 situation, however, knowledge of the public keys alone is not sufficient to carry out the attestations. Cryptographic properties ensure that it is impossible for the user to attest without the physical presence of the CPU since the private part of those keys are sealed tight in the chip, protected even (mainly) against the computer owner. This renders the old trick of sharing Netflix password, for example, invalid.

For security experts or computer owners who disapprove of rootkit malware taking control of their computers, virtual machines are indispensable. TPM2 will render VM technologies useless in their fight against those classes of rootkit malware coming from the corporations. The identity under which most VM's attest to the remote lords will necessarily be different from any manufacturer-certified identities and they will most likely be crippled or even outright banned by the Windows OS.

3. The train of prison

Suppose an engineer has to design a luxurious prison made of a train. It is not enough to ensure that each railcar is locked. One also has to ensure that there is no exit in each gangway between adjacent railcars. A DRM-enforcing computer is a luxurious prison made of a train. TPM2 is the locomotive and provides the root of trust, followed by the UEFI firmware, followed by the operating system, possibly followed by one or more levels of virtual machines, and finally followed by the DRM application. In addition, there may be several intervening railcars which represent the various trustworthy device drivers and/or services started by the host and each level of guest operating system.

If the user somehow inserts a virtual machine or service of her own design somewhere along the way, she may then escape from the prison even if all the other railcars are trustworthy. The platform configuration registers PCR in a TPM2 chip are designed in such a curious way as to allow only resetting and extending values but not storing arbitrary values. That's a cryptographic way of ensuring the gangways are sealed tightly.

4. Closing in the Dragnet

If the dragnet is big enough, few fish swimming inside it will feel restricted. If there are several holes on the dragnet, fish may be persuaded that what surrounds them is not a dragnet. If the holes grow smaller slowly enough, hardly any fish will care about it. When the main exit of the dragnet is taken care of, the small holes can be sealed and all fish can finally be trusted to behave inside the dragnet. The following is a list of things likely to happen as TPM2 becomes pervasive. The less controversial measures and those affecting only a small population are more likely to happen earlier.

  • Free firmware such as libreboot is not trusted.
  • VM hypervisors are trusted only if their emulated TPM2 bear certain public keys.
  • Only the Microsoft version, possibly plus a small number of major distributions, of the GNU/Linux operating system are trusted.
  • Applications are trusted only if they come from the Windows Store.
  • Applications are de-listed from the Windows Store if they are found to circumvent DRM, etc.
  • Software protecting user privacy and freedom against Microsoft telemetry and control are de-listed from the Windows Store.
  • Software competing with Microsoft products are de-listed from the Windows store.
  • Ever fewer windows configuration settings remain modifiable if the system is to remain trusted. Container technology might slightly mitigate the problem.

Meanwhile, applications in such areas as DRM, game-anticheating, exam proctoring, and chat message revocation will be among the first to enforce remote attestation. For it is relatively easy for the corporate lords to persuade the population to give up their control of their own physical properties in exchange for the delusion of “fairness” (among the peasants) in these application areas.

In each of the above, Microsoft may leave alone the older versions of the mentioned software/firmware so as to minimize commotion and resistance. Time will take care of the small group of old-school die-hard population. Eventually Microsoft and its corporate partners will have total remote control over computers of the entire population, who will finally earn the lords' trust.

* * * * *

To escape from this dragnet, one can wean oneself from unnecessary cloud computing software starting today. Gabriel Sieben summarizes the situation very well:

Old copy protection systems tried to control what your PC could do, and were always defeated. Remote attestation by itself permits your PC to do almost anything you want, but ensures your PC can't talk to any services requiring attestation if they don't like what your PC is doing or not doing.

Richard M. Stallman's warning about Service as a Software Substitute 10 years ago is refreshingly worth heeding again today. For communicating with friends and colleagues, use a completely decentralized protocol or community-run service. There are, however, some cloud services (e.g. games) that many people find hard to resist. It is therefore important to bring awareness and discussion of this issue to a wider population if we believe that physical property right should never be stolen by the “intellectual property right” propaganda.