undefined | Better HN

0 pointsddalex4y ago0 comments

> There's nothing to stop you from booting into another OS and deleting the files implementing the harmful functionality. If there are checks for the presence of these files in other parts of the OS, you can remove them

Encrypted disks with TPM-stored keys will certainly prevent unauthorised modification to a filesystem

> hardware allows booting arbitrary code

And this particular cat is already out of the bag with Win 11 REQUIRING TPM support with verified boot.

The war against general-purpose computing is in the final stages, and the garden-keepers have already won for almost everything that matters. Yes, you can still source open hardware and they will not fight against technical elites - a minority - but for the vast majority of users, it's over because they LIKE the closed apps holding data hostage.

0 comments

grishka4y ago

So this might be a dumb question, but what's there to prevent someone emulating a TPM? What's there to prevent someone nop'ing out the code that implements the TPM functionality in Windows? Where does the root of trust (or, rather, distrust) come from?

marcosdumay4y ago

The TPM chip has a builtin key that you, as the device owner is not allowed to read. That key is certified by the manufacturer.

If any manufacturer starts selling chips where you can read the key, it will be disallowed by Microsoft.

dane-pgp4y ago

So control over all the computers in a country comes down to just a few keys held by "approved" manufacturers; or rather a single key, held by the government, which signs the list of approved manufacturer keys.

Then all they need to do is require that ISPs only allow packets to be sent by computers that have passed a Measured/Trusted Boot check, and suddenly all online activity is restricted to "approved" computers, running code from "approved" app stores.

"One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them."

1 more reply

grishka4y ago

So okay, you again assume that software is immutable. But Windows has to store these trusted keys somewhere. What if I emulate the TPM with a key I generated myself, and patch Windows to trust that key?

2 more replies

userbinator4y ago

What's there to prevent someone nop'ing out the code that implements the TPM functionality in Windows?

Nothing absolute, mainly a long series of annoying hurdles - including the constant barrage of updates.

j / k navigate · click thread line to collapse

0 pointsddalex4y ago0 comments

Encrypted disks with TPM-stored keys will certainly prevent unauthorised modification to a filesystem

> hardware allows booting arbitrary code

And this particular cat is already out of the bag with Win 11 REQUIRING TPM support with verified boot.

0 comments

grishka4y ago

marcosdumay4y ago

The TPM chip has a builtin key that you, as the device owner is not allowed to read. That key is certified by the manufacturer.

If any manufacturer starts selling chips where you can read the key, it will be disallowed by Microsoft.

dane-pgp4y ago

"One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them."

1 more reply

grishka4y ago

2 more replies

userbinator4y ago

What's there to prevent someone nop'ing out the code that implements the TPM functionality in Windows?

Nothing absolute, mainly a long series of annoying hurdles - including the constant barrage of updates.

j / k navigate · click thread line to collapse