Windows 11: TPMs and Digital Sovereignty
This article is an opinion held by a subset of members about Microsoft's potential plan to enforce a TPM requirement for Windows 11 and various features. It will not go into great detail about all the good and bad of a TPM; there are links at the end for you to continue your research. It will, however, go into the issues we see with enforcement. If you're unfamiliar with what a TPM is or its general function, we recommend taking a look at these links: What is a TPM?; TPM and Attestation.
As you may or may not have already noticed, many people are wondering about Microsoft's new mandatory TPM 2.0 hardware requirement for Windows 11. If you look around the press releases, the shallow technical documentation, and the myriad of buzzwords like "security," "device health," "firmware vulnerabilities," and "malware," you still haven't received a straightforward answer as to why exactly you need this tech.
Many of you reading this article may have machines around the house or office that you built from silicon that isn't even seven years old. These still play today's latest games without hiccup or issue, and unless you let your grandma or 6-year-old nephew on the machine recently, you likely don't have malware either.
So why, you ask, do I suddenly need a TPM 2.0 device on my machine? Well, the answer is quite simple. It's not about you; it's about them.
You see, the PC (emphasis on personal here) is in a way the last bastion of digital freedom you have, and that door is slowly closing. You need only look at highly locked-down and controlled systems like consoles and phones to see the disparity.
Political affiliations aside, one can take the removal of the Wikileaks app from both the Apple App Store and the Google Play Store as an excellent example of what the world looks like when your device controls you, instead of you controlling the device.
How does a TPM on my PC advance this agenda?
Twenty years ago, Microsoft set forth a goal of "trusted" computing called Palladium. While this technical goal has slowly but surely crept into Windows over the years, it has lain chiefly dormant because of critical missing infrastructure: until recently, a large majority of consumer machines did not have a TPM, which, as you'll learn later, is a critical component to making Palladium work. And while we won't deny that BitLocker is excellent if your device ever gets stolen, we will remind you that Microsoft has always sold this tyranny to look great on the surface (no pun intended).
When Palladium debuted, it was shot out of orbit by proponents of free and open software, and back into hiding it went.
So why is the TPM useful? The TPM (along with suitable firmware) is critical to measuring the state of your device, the boot state in particular, in order to attest to a remote party that your machine is in a non-rooted state. It's very similar to Widevine L1 on Android devices: a third party can then choose whether or not to serve you content. Everything will suddenly revolve around this "trust factor" of your PC. Imagine you want to watch your favorite show on Netflix in 4K, but your hardware trust factor is low? Too bad, you'll have to settle for the 720p stream. Untrusted devices could be running in an instance of Linux KVM, and we can't risk your pirating tools running in the background!
You might think, "It's okay, though! I can emulate a TPM with KVM; the software already exists!" The unfortunate truth is that it's not that simple. TPMs have unique keys burned in at manufacture time called Endorsement Keys, and these are unique per TPM. These keys are cryptographically tied to the vendor who issued them, and as such, not only does a TPM uniquely identify your machine anywhere in the world, but content distributors can pick and choose which TPM vendors they want to trust. Sound familiar? It's called Digital Rights Management, otherwise known as DRM.
Let's not forget that Intel initially shipped the Pentium III with a built-in serial number unique to each chip. It met much the same initial fate as Palladium: it was shot down by privacy groups, and the feature was later removed.
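To make the measured-boot and attestation flow above concrete, here is a small simulation. It is an added example written for this article, not code from Microsoft, the TCG, or any TPM vendor. It models one PCR being extended through a boot chain, a quote over that PCR bound to a fresh nonce, and a remote verifier that checks a vendor allowlist, the signature, the nonce and a golden PCR value before deciding which tier of content to serve. Two simplifications are deliberate and labelled in the code: the Endorsement Key is modelled as an HMAC secret shared with the verifier (a real EK is an asymmetric key backed by a vendor certificate chain, and quotes are normally signed by an attestation key derived under it), and the vendor names, serials and boot components are constructed values. The scenario also shows the two points the text makes: a machine without a TPM, or one whose boot chain differs from the expected value, is demoted, and the per-chip serial lets the service link separate sessions to the same physical machine.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PCR_RESET = bytes(32)  # SHA-256 PCR bank starts all-zero at reset


def pcr_extend(pcr, measurement):
    """TPM2_PCR_Extend semantics: new = H(old || H(component)).
    Extend is one-way and order-sensitive, so the final value commits
    to the whole boot chain, not just the last component measured."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Fold a list of boot components (firmware, loader, kernel) into PCR0."""
    pcr = PCR_RESET
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


@dataclass
class SimulatedTPM:
    vendor: str        # issuer of the EK (constructed names below)
    serial: str        # unique per chip: the identifier that enables tracking
    ek_secret: bytes   # SIMPLIFICATION: HMAC key standing in for the EK private key
    pcr0: bytes = PCR_RESET

    def boot(self, components):
        self.pcr0 = measure_boot(components)

    def quote(self, nonce):
        """Quote stand-in: bind (nonce || PCR0) to this chip's key so the
        verifier knows the value came from this TPM, for this challenge."""
        sig = hmac.new(self.ek_secret, nonce + self.pcr0, hashlib.sha256).digest()
        return {"vendor": self.vendor, "serial": self.serial,
                "pcr0": self.pcr0, "nonce": nonce, "sig": sig}


class ContentVerifier:
    """The remote party (streaming service, game server) in the article."""

    def __init__(self, trusted_vendors, ek_registry, golden_pcr0):
        self.trusted_vendors = set(trusted_vendors)
        self.ek_registry = ek_registry   # (vendor, serial) -> ek_secret
        self.golden_pcr0 = golden_pcr0   # expected PCR0 for an approved boot chain
        self.seen = []                   # serials observed across sessions

    def challenge(self):
        return os.urandom(16)            # fresh nonce defeats replay of old quotes

    def decide(self, quote, nonce):
        """Return the service tier granted to the device."""
        if quote is None:
            return "720p"                # no TPM at all (patched-ISO install)
        self.seen.append(quote["serial"])
        if quote["vendor"] not in self.trusted_vendors:
            return "720p"                # vendor not on the distributor's allowlist
        key = self.ek_registry.get((quote["vendor"], quote["serial"]))
        if key is None or quote["nonce"] != nonce:
            return "720p"                # unknown chip or stale quote
        expect = hmac.new(key, nonce + quote["pcr0"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, quote["sig"]):
            return "720p"                # quote not produced by the claimed chip
        if quote["pcr0"] != self.golden_pcr0:
            return "720p"                # boot chain differs from the approved one
        return "4k"


def run_scenario():
    """Constructed scenario: an approved device, one with a modified bootloader,
    one from an untrusted vendor, and one with no TPM. Returns the decisions."""
    clean_chain = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
    golden = measure_boot(clean_chain)
    ok = SimulatedTPM("VendorA", "SN-0001", os.urandom(32))
    tampered = SimulatedTPM("VendorA", "SN-0002", os.urandom(32))
    untrusted = SimulatedTPM("VendorZ", "SN-0003", os.urandom(32))
    registry = {(t.vendor, t.serial): t.ek_secret for t in (ok, tampered, untrusted)}
    svc = ContentVerifier(["VendorA"], registry, golden)

    ok.boot(clean_chain)
    tampered.boot([b"firmware-v1", b"bootloader-patched", b"kernel-v1"])
    untrusted.boot(clean_chain)

    results = {}
    for name, tpm in (("ok", ok), ("tampered", tampered), ("untrusted", untrusted)):
        n = svc.challenge()
        results[name] = svc.decide(tpm.quote(n), n)
    results["no_tpm"] = svc.decide(None, svc.challenge())
    # A second session from the approved device: the serial repeats, so the
    # service can link both sessions to the same physical machine.
    n = svc.challenge()
    results["ok_again"] = svc.decide(ok.quote(n), n)
    results["linked_sessions"] = svc.seen.count("SN-0001")
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The decision logic is entirely on the verifier's side: nothing about the device's actual security changes between the "4k" and "720p" outcomes, only whether its measurements and its chip identity match what the distributor chose to accept. That asymmetry, and the reusable serial in `svc.seen`, is the privacy point the article is making.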
A common misunderstanding
There seem to be a lot of misconceptions floating around on social media. In this section we'll highlight one of them:
"I can patch the ISO or download one that removes the requirement."
You can, sure. Windows and the majority of its components will function fine, similar to when you root your phone. Remember the part earlier, though, about 4K video content? That won't be available to you (as an example). Whether it's a game or a movie, the vendor of consumable media decides which users they trust with their content. Unfortunately, without a TPM, you aren't cutting it.
You've probably noticed that the marketing for this requirement is vague and confusing, and that's intentional. It doesn't do much for you, the consumer. However, it does set the stage for a future where Microsoft begins shipping their TPM on your processor. Enter Microsoft's Pluton. The same technology is present in the Xbox. It would be an absolute dream come true for companies and vendors with special interests to completely own and control your PC to the same degree as a phone or the Xbox.
While the writers of this article will not deny that device attestation can bring excellent security for the standard consumers of the world, we cannot ignore that it opens the door to the restriction of user privacy and freedoms. It also paves the way for the PC to be locked into a nice controllable cube for all the citizens to use.
You can see the wood for the trees here. When a company tells you that you need something, that it's "for your own good," and that they're just on a humanitarian aid mission to save you from yourself, one should be highly skeptical. Microsoft is pushing this hard; we can even see them citing entirely dubious statistics. We took this one from The Verge:
"Microsoft has been warning for months that firmware attacks are on the rise. 'Our Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer,' says Weston."
If you read into this link, you will find it cites information from Microsoft themselves, called "Security Signals," and by the time you're done reading it, you've forgotten how you got there in the first place. Not only is this statistic not factual, but successful firmware attacks are incredibly rare. Did we mention that a TPM isn't going to protect you from UEFI malware that was planted on the device by a rogue agent at manufacture time? What about dynamic firmware attacks? Did you know that technologies such as Intel Boot Guard, which have existed for the better part of a decade, defend well against attacks that seek to overwrite flash memory?
Takeaway
We are here to remind you that the TPM requirement of Windows 11 furthers the agenda to protect the PC against you, its owner. It is one step closer to the lockdown of the PC. Just as Microsoft won the Secure Boot battle a decade ago, which is when Microsoft became the sole owner of the Secure Boot keys, this move further tightens the screws on the liberties the PC gives us. While it won't be evident immediately upon the launch of Windows 11, the pieces are moving together at a much faster pace.
We ask you to do your research in an age of increased restriction of personal freedom, censorship, and endless media propaganda. We strongly encourage you to research Microsoft's upcoming Pluton chip.
There are links provided below to research for yourself.