Ever since Microsoft announced the TPM 2.0 requirement for Windows 11, I’ve seen people flip out over it for various reasons. However, most of the reasons given seem to rest on misconceptions. Don’t get me wrong, I’m absolutely not a fan of Windows 11. But of everything that is wrong with it, the TPM 2.0 requirement isn’t one of the issues. So I figured, let’s get into that.
And as usual: reactions can go on this Mastodon post (or just @ me there in general).
What is TPM 2.0?
TPM stands for Trusted Platform Module, and 2.0 stands, probably unsurprisingly, for version 2.0. So let’s start with what it’s not. Honestly, this is already where the fun starts, because quite a few people I’ve met seem to think TPM itself is something new to Windows 11, when in fact TPM has been around for years. It’s just that before Windows 11, Microsoft allowed the use of TPM 1.2 instead of version 2.0. However, TPM 1.2 isn’t secure by modern standards, and anything secured using TPM 1.2 can’t be considered secure. It once was, but as computers got faster, cracking stuff got faster too. And if you’re using outdated security standards, your security can be broken in no time. So we need to use modern standards that can protect us from modern attacks (and preferably, future attacks).
TPM itself also has little to do with Microsoft or Windows, and can be used on any system (including Linux). It was developed by the Trusted Computing Group, of which, yes, Microsoft is a member, along with many others (including AMD, which many people generally do like). While the group has certainly had its critics, the logic “Microsoft had some influence” alone doesn’t cut it. By that way of thinking we could also write off the Linux kernel, because Microsoft has contributed to that too. Now you might say: but Linux is open source and they can always decline its commits. That’s true. But there has also been review of TPM from outside the Trusted Computing Group. Its specifications have also been adopted as an ISO standard. That’s right, the independent organisation that originated in France and might be best known for standards such as ISO 27001 (for information security processes) and ISO 9001 (for quality assurance processes). We could discuss this point further, and even then different outcomes are possible depending on opinions (my main point here is that it’s not black and white, not to give an opinion). But we’re kinda getting side-tracked. Either way, the point is that TPM isn’t a Windows or Microsoft specific thing.
So what is it? TPM chips are so-called “secure cryptoprocessors” (note that I’m not saying they are secure, because that depends on the exact chip. As I just said, TPM 1.2 is for example not considered secure anymore. But that’s just what they are called). Basically the idea is that it’s a dedicated chip that performs cryptographic operations, with some anti-tamper measures inside so it can ensure integrity to some degree. In that sense, it’s just a piece of hardware all your software can use. Much like how your GPU is quite good at calculating graphical stuff, this little chip is good at calculating cryptographic stuff. And just in case anyone needs to have it clarified: cryptography doesn’t mean stuff like bitcoin. Those coins are often called “crypto” because they use cryptography, but so does basically anything with a password (and quite some stuff that doesn’t).
One other thing that’s also important to note is that it’s nothing brand new or ground-breaking either. TPM 2.0 came out in 2015. That’s right, that’s 10 years ago as of writing. And since that happened this year, it was also 10 years before support for Windows 10 ended.
So, why isn’t TPM a problem?
I’ve heard so much bullshit said about TPM, what it does and how it’s a problem. But in the end, a TPM chip is just a piece of hardware sitting locally in your computer. It may know about what hardware is in there, but guess what, so does a lot of your other hardware. They are all physically connected. If you’re not freaked out that your motherboard knows what hardware your PC contains, you shouldn’t worry about a TPM chip knowing it either.
In the end, the TPM chip doesn’t do much unless software specifically asks it to do stuff. Any software can do that, unless something at a lower layer blocked it (aka, if your BIOS blocks it, your OS can’t access it. And if your OS blocks it, software installed on your OS can’t access it). A TPM chip in and of itself doesn’t track you, it doesn’t send data to Microsoft, it doesn’t block out your hardware, and it doesn’t steal your freedom (and really, all the stories that it would are why this post is also tagged with privacy. That nonsense is too rampant). Simply put: much like other processors, it gets a request, does the requested calculation and sends the answer back. And yes, the exact workings of a TPM chip are more complex, but if you’re on the level to discuss that, you probably don’t need me to tell you what TPM is and isn’t, or at least have knowledge past the point of this blog post.
Now, software may use the TPM for bad things, for sure. But that’s no different from software using other hardware for bad things. Do you blame a CPU for processing tracking-related software? Blame a GPU for that crypto mining malware running on your PC? The RAM for loading Windows services into memory that do stuff you don’t want? No!
What about all the e-waste?
Well, it’s not nearly the issue people are making it out to be. Remember when I said it was important to note the age of TPM 2.0? Now we’re getting to the reason it’s important. It’s 10 years old. It’s not something new and flashy that makes a lot of. For the past 10 years hardware manufacturers could have integrated TPM 2.0 compatibility in their devices. And if they care at all about delivering a secure device, they should have. So, why didn’t they? Well, most modern hardware is in fact compatible, or has a slot on the motherboard you could just drop a TPM chip into. And even when neither of those is an option, TPM 2.0 can often be emulated using Intel PTT or AMD fTPM. Sadly, a lot of people seem to miss this possibility. Beyond those, there is relatively little hardware currently in use that doesn’t support it at all, although some does exist.
But then, a requirement like this is necessary at times. In fact, it also has a positive effect for consumers. Because why are there even still computers being built with such outdated chips? Because manufacturers are cheap and know consumers don’t think to ask, so it’s easy to cut the budget here. Same thing we see in things like Wi-Fi and Bluetooth related hardware, which is often really shit in budget laptops because most consumers don’t know enough to look further than “is there anything at all”. Sadly, while the computer’s speed is something people worry about, its security rarely gets that luxury until people are already hacked. But once a big party like Microsoft starts requiring it, they can’t ignore it and stay below those minimums to be cheap.
Much like how you require a certain amount of CPU performance, it shouldn’t be shameful to require a certain amount of security-related compatibility in this day and age. And if you do run a 10+ year old computer without TPM 2.0 compatibility… Well, you are worrying about not getting security updates for your old machine, while your hardware is already insecure at its core. That’s an issue no security update will fix for you! All you could do is try to make your insecure device slightly less insecure, but that doesn’t make it secure. If you really want to (or have to) keep using that old system, you should consider it and treat it as a legacy device. You know how companies and governments run too much shit on old XP machines and software written in Pascal, and how much we hate that? You are now that. Just because it hasn’t collapsed, and it technically still runs, doesn’t mean it should be used.
Okay, but even if it’s not a problem, why would I want it?
Well, because it’s useful! Or at least, it can be. While using TPM has its pros and cons over using other means to handle cryptographic stuff (which should be considered when configuring your system and software), it can be used for a lot of useful things as well. The most well known might be secure boot. And no, secure boot in and of itself isn’t evil either. Debian has a nice little explanation about this. Indeed, secure boot is supported by Debian, and many other Linux distros support it too.
TPM can also be used for many other things. Any kind of cryptographic algorithm can use it if programmed/configured to do so. You could, for example, let the TPM unlock your disk encryption, which saves you from typing a password and ensures it doesn’t work when the drive is stolen and read outside of the computer (but this has some downsides too, like possibly making you vulnerable to cold boot attacks). It can also be used for other purposes, like SSH, OpenSSL, saving systemd credentials, and more. As usual, the Arch wiki has a nice page about doing stuff with TPM on Linux.
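To show why a TPM-unlocked disk only opens inside the machine it was set up on, here is an added example (not from this post or any project) that models the TPM's PCR extend chain and seals a key to the resulting boot measurement. The PCR extend step matches what a TPM does; the seal/unseal step is a deliberate simplification, and the boot components are constructed stand-ins for real firmware and bootloader hashes.

```python
import hashlib
import os

# Constructed model (not the TPM's real sealing algorithm) of how Platform
# Configuration Registers (PCRs) tie a secret to the measured boot chain.
# Real TPMs do this with TPM2_PCR_Extend and a TPM2_PolicyPCR-bound object.

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components: list[bytes]) -> bytes:
    """Extend a PCR from its reset value (all zeros) with each boot stage in order.
    Order matters: the same stages in a different order give a different PCR."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def seal(secret: bytes, pcr_value: bytes) -> bytes:
    """Simplified 'seal': XOR the secret with a keystream derived from the PCR value,
    so it only unwraps under the identical PCR. A real TPM keeps the secret on-chip."""
    keystream = hashlib.sha256(b"seal" + pcr_value).digest()
    return bytes(a ^ b for a, b in zip(secret, keystream))

def unseal(blob: bytes, pcr_value: bytes) -> bytes:
    # XOR is its own inverse; after this the key sits in RAM, which is the
    # exposure behind the cold boot caveat mentioned in the post.
    return seal(blob, pcr_value)

# Constructed boot chains: stand-ins for firmware, bootloader and kernel hashes.
GOOD_CHAIN = [b"firmware-v1", b"shim+grub signed", b"kernel 6.x"]
TAMPERED_CHAIN = [b"firmware-v1", b"replaced bootloader", b"kernel 6.x"]

def demo(disk_key: bytes = os.urandom(32)) -> tuple[bool, bool]:
    """Return (unsealed on identical boot, unsealed on altered boot)."""
    blob = seal(disk_key, measure_boot(GOOD_CHAIN))
    # Same components in the same order reproduce the PCR, so the key comes out.
    same_boot = unseal(blob, measure_boot(GOOD_CHAIN)) == disk_key
    # One changed stage changes every later PCR value; the blob stays locked.
    altered_boot = unseal(blob, measure_boot(TAMPERED_CHAIN)) == disk_key
    return same_boot, altered_boot

if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The same mechanism is why reading the drive in another computer, or booting the original one with a modified bootloader, leaves the disk locked, and why firmware updates can require re-enrolling the key.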