TPM 1.2 is flawed and deprecated, thus no machine with this type of TPM is considered under the radar of “yes I have TPM on my hardware”:
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Mandatory usage of password/USB key, etc. for TPM: (the no-password thing is BS)
tpm-rant.md
TPM provides zero practical security
====================================
TPM (Trusted Platform Module) is as useful for preventing real attackers as the TSA is at preventing real terrorists. The architecture is fundamentally flawed and most existing implementations are completely broken. I thought this argument was settled decades ago[[1]](https://en.wikipedia.org/wiki/Trusted_Computing#Criticism) when "trusted computing" was introduced mostly as a way to provide DRM and ownership capabilities to organizations. It has largely failed to impact the consumer market when it was introduced back in the early 2000s. However, recently there seems to be a movement by certain parties to reintroduce this failed product back to the market. Microsoft argues that in order to use Windows 11, you need TPM 2.0 compatible hardware because[[2]](https://blogs.windows.com/windows-insider/2021/08/27/update-on-windows-11-minimum-system-requirements-and-the-pc-health-check-app/):
> The Trusted Platform Module(TPM) requirement enables Windows 11 to be a true Passwordless operating system, addressing phishing and other password-based attacks that are easier for attackers to execute when the TPM is not present.

Google is trying to force the ideas of "trusted computing" onto web browsers[[3]](https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md) with a proposal which, although it does not mention TPM explicitly, describes a design that would fit well into it.
Even Canonical is jumping on the bandwagon by bringing TPM based full-disk-encryption to Ubuntu[[4]](https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu) and claims it "eliminates the need for users to manually enter passphrases during boot" which is vacuously true (you also don't need to enter a passphrase if you disable it altogether but that doesn't mean it's any secure) and "eliminate the attacker’s ability to perform offline brute-force attacks against the passphrase" which is just plain false (you can brute force at a much slower speed).
Yet TPM must be implemented correctly, otherwise it will be useless (yeah, trusting blindly whoever made it, until open source hardware for it is available):
https://support.lenovo.com/us/en/product_security/ps500550-nuvoton-tpm-denial-of-service-vulnerability