
Comment by rob74

3 days ago

Yes. So Microsoft (which manufactures hardware itself and has close ties to other hardware manufacturers) needed to find... other ways to, er, motivate people to buy new hardware anyway. Which brings us back to the blog post we are commenting on.

Not sure Windows as a subscription service is the end goal though. But maybe we should all wish for M$ to do that, maybe that would be what's needed to finally bring about the Year of The Linux Desktop™.

I don't think selling more hardware is the primary motivation. The motivation is ensuring everyone has TPM 2.0 enabled on their device.

This allows Microsoft to protect parts of their software even from the user that owns the hardware it's running on. With TPM enabled you finally give up the last bit of control you had over the software running on your hardware.

  • Unbreakable DRM for software, such as for your $80 billion game business or your subscription office suite.

    As a bonus, it prevents those pesky Windows API compatibility tools like Wine from working if the application is designed to expect signed and trusted Windows.

    • The mass exodus to Linux gaming is already causing a push back against kernel level anti-cheat.

      People who 5 years ago didn't give a hoot about computing outside of running Steam games are now actively discussing their favorite Linux distro and giving advice to friends and family about how to make the jump.

  • Maybe instead Microsoft could allow Windows 11 to install and run on machines that are otherwise capable and just flash red screens at you all the time where otherwise ads would show up that constantly nag that "THIS COMPUTER IS FUCKING INSECURE!" or something. It would be equally as annoying but I'm sure running latest Windows 11 but with TPM 1.0 instead of TPM 2.0 will be more secure than running Windows 10 without bug fixes and security patches.

    (But my understanding is there were other things like bumping minimum supported instruction sets that happened to mismatch a few CPUs that support the newer instruction sets but were shipped with chipsets using the older TPM)

    • We want to delete the fallback code paths... You'll just get failures from BitLocker instead of install failures, or Windows Hello failures, or ...

  • And clever people found out the way - https://www.tomshardware.com/how-to/bypass-windows-11-tpm-re...

    • Registry keys and autounattend.xml config keys are not clever people finding a way, it's people using stuff Microsoft put there to do just this for now. I.e. Windows 11 has not been strictly enforcing these yet, they are just "officially" requirements so when they eventually decide to enforce in a newer version (be it an 11 update or some other number) they'll then be able to say "well it's really been an official requirement for many years now, and over 99% of Windows 11 installs, which has been the only supported OS for a while now, are working that way" at that time. If they just went straight from Windows 10 to strictly enforced Windows 11 options it'd've been harder to defend.

    • Windows 12 will close the loophole: your CPU will require a signed code path from boot down to application level code. No option to disable Secure Boot or install your own keys. But there needs to be an installed base of secure hardware for this to happen, hence the TPM 2.0 requirements for Windows 11.


    • You're missing the point, the TPM 2.0 requirement is there to drive adoption, not to actually prevent you from installing Windows 11.

  • Hardware key storage is a low level security primitive. Both Android and iOS have mandated it for far longer. It's a low level security primitive that enables a lot of scenarios, not just DRM.

    For example - it's not possible to protect SSH keys from malware that achieves root without hardware storage. Only hardware storage can offer the "Unplug It" guarantee - that unplugging a compromised machine ends the compromise.

  • > With TPM enabled you finally give up the last bit of control you had over the software running on your hardware.

    The overwhelming majority of users never had any kind of control over the software running on their hardware, because they don’t know (and don’t want to know) how the magical thinking machine works. These people will benefit from a secure subsystem that the OS can entrust with private key material. I absolutely see your point, but this will improve the overall security of most people.

    • > The overwhelming majority of users never had any kind of control

      Uninterested is vastly different than unable, especially when that majority is still latently "able" to use some software that a knowledgeable-minority creates to Help Do The Thing.

      The corporate goal is to block anyone else from providing users that control if/when the situation becomes intolerable enough for the majority to desire it.

      Most people don't move away from their state of residence either, but we should be very concerned if someone floats a law stating that you are not permitted to leave without prior approval.

> motivate people to buy new hardware

Open source drivers, and a sense that Linux support will forever be top priority, would be a motivator for me. Most of my tech spend has been with Valve in the past few years. I'd love if there was another company I actually enjoy giving my money to.

> finally bring about the Year of The Linux Desktop™.

Do we actually want that?

If Linux ever reached mass adoption, big tech companies would inevitably find a way to ruin it

  • Governments around the world are finding ways of doing that well before big tech will get to it.

    This big push for Age/ID verification & "trusted" operating systems is going to ruin what's left of free (as in freedom), general purpose computing. Governments are getting frothy at the mouth for every device to have remote attestation like Google Play Protect/whatever iOS does.

> So Microsoft which manufactures hardware itself

The only computer lineup MS ever sold directly, to my knowledge, were the Surface things - an absolute niche market.

> So Microsoft (which manufactures hardware itself and has close ties to other hardware manufacturers)

You mean the Microsoft vacuum cleaner? /s

  • Their mouse is actually a good piece of hardware... as long as you don't make the mistake of plugging it into Windows for it to install a driver.