For those worried about Microsoft's Pluton TPM chip: Lenovo won't even switch it on by default in latest ThinkPads PCs coming out this year with Microsoft's integrated Pluton security chip won't be locked down to Windows 11, and users will have the option to turn off the feature completely as well as install, say, Linux as normal, we understand. The first Windows 11 PCs with Pluton built-in were shown at CES earlier this month. Major PC …
It may be minor, but in all honesty it does, and short term (secure boot) the difference was significant.
Now most and probably all major distros can boot with secure boot enabled but for a long time they couldn't, then a few could and even now I couldn't comfortably say all can.
TPM, yeah, no.. I don't think that's ever impacted me.
Even now, Linux Distros tend to require a signing key from Microsoft to boot on EFI.
Secure boot and "trusted computing" was always (IMO) for the purpose of locking down the hardware against "unauthorised modification" by its tenant "owner", and that included making it difficult to install an operating system other than Microsoft Windows (or Apple OSX in the case of Apple hardware, which IIRC was first to adopt TPMs).
And for those users who have modified their PCs, microsoft and chums would like to lock them out of DRM'd software and digital content, including games (where it will be under the guise of anti-cheat measures).
I fully expect Microsoft's recent purchase of Activision/Blizzard to introduce mandatory TPM checks. You can certainly forget about future compatibility with Wine/Proton.
You remember wrong. Apple never made use of TPMs, ever (macOS doesn't even know what to do with a TPM).
And when Apple eventually came out with its own security processor for Macs, TPMs have already been common in business PCs and workstations for several years.
I guess you were not there? It did. Oh boy, the time wasted.
Nowadays it works, as far as I can tell, and I have not really been bothered by it for a while. However,the headline of the last paragraph sort of sums up the concerns: it is apparently possible for the manufacturer to have this on by default with no way to disable it.
I'm also pretty sure it will play a role for DRM[0] and media playback. When do people learn that they do impact honest customers with that stuff? I know one could once totally get relatively recent movie releases in (for that time, it was decades ago) ok quality[1], or to get games with removed copy protection (viruses included...), and I very much doubt the situation has changed since [x], and do people remember the hardware hack for the PS1? DRM cannot win over crackers and pirates, history has shown that. It is just a way to annoy paying customers[w].
[0] anybody realised that the new Intel CPUs apparently cannot be used to play back high res BlueRay discs? The chip component is missing, as far as I understand. Since I own no BlueRay discs it does not impact me (I'm still stuck on DVDs...)
[1] at that time films were released in the US months before they came to Europe, so some friends organised them, we watched them, and then went to see them on the big screen, which was more fun
[x] there were cracked games for the C64 already, and that was over three decades ago!
[w] like the "don't copy this movie" trailer on DVDs - I doubt anybody who is determined to copy the disc is deterred by that, don't get me stated on that unskippable carp! People who watche ripped DVDs DO NOT SEE THAT ONE!
Still need to disable it if you want to run Nvidia drivers on Fedora and any other linux taking an akmod approach, as the driver module can't be loaded otherwise. Fun. And the begging that was required to get MS to allow linux to be signed in the first place. Remind me again why MS the arbiter of what can run on PC hardware?
No one in the tech indistry is prioritizing individual users or ease of maintenance over their corporate agenda.
An example:
I have a Atom based tablet with hdmi output. That tablet has NEVER been able to output to ANY external display.
Why ? hdcp. There's a signal coming out, but it doesn't get displayed.
Which layer of the Stack is at fault ? Can't tell ! Is this behaviour within spec ?
There is limited visibility into the end to end architiecture, and no troubleshooting capability. Each of Intel, Samsung, Microsoft, and LG operate in their own silo and just assume all the other layers are doing their job.
Now how does Pluton actually work ?
Does anyone have public specs ? So far it seems to be "trade secret" between MS & the equipment OEMs.
As RUFUS is open source/use open source components it had to suggest disabling secure boot to boot Windows 10 ISO. People flamed author of open source/free software since it is "disabling secure something".
Reading PR response is one thing, reading manufacturers error messages is another https://www.asus.com/support/FAQ/1044664/
It is called: Microsoft Secure Boot
Quote
" Pluton is more of a building block to address the long-standing problem of securing PCs from bad actors."
Securing your PC from m$ should be the first step in that. especially since
Quote
"Microsoft has said Pluton provides "chip to cloud" security, with firmware updates coming through Windows Update."
Which will mean theres a way to run updates on the security thing from windows.......
Predicting it will end in tears around the same time Microsoft's Windows Update process falls victim to SolarWinds-style supply chain attack. That's already a nightmare scenario but imagine if you can quietly control a single well documented CPU firmware interface on 75% of desktop PCs. Do you brick them all, or something more elaborate? Really tough call.
The tears will probably start flowing when Pluton determines a legitimate Windows Security Update or one of the key files within it, is bad...
So expect at some point in the future to have to disable Pluton so as to enable either system update or recovery from a Pluton borked update.
"Yes, because that never goes wrong, does it?"
Which firmware updates through WU have gone wrong?
"So this thing can be quietly updated in the background with the OS running."
The other option would be to run broken firmware if a vulnerability or a show-stopper bug was found. The masses (which we both don't represent) never bother with any updates. They'd gladly use any unpatched device as long as it works.
Are they going to do the updates in secrecy you say?
How can Pluton, a hardware root of trust, protect against hardware shortcomings thar result in information leakage from branch prediction, or a race condition that discloses protected memory contents, either of which can be exploited from unprivileged code?
[Yes, I know: if Pluton is used to allow only approved and signed applications to run, as on iOS. But Microsoft has never managed to retrofit that model into Windows.]
No, what we (and Microsoft) means is: tightly coupling the coprocessor to the CPU cores within the same package makes it harder for someone to sniff the communications.
It might be possible to do that with a side-channel attack, but really it's about stopping physical bus snooping.
C.
Can Microsoft turn it on via a software update? Can malware that affects UEFI (which we've already got several examples of) able to turn it on? Or perhaps worse for those who depend it on for system security, off?
If it can be turned on and off, it makes a lot more sense that it be controlled via a jumper or similar hardware switch, not a UEFI setting.
Malware that can turn it on would be able to make itself permanently resident so even a complete wipe and reinstall of the OS would not eliminate it. That's the holy grail for malware.
This is already being done via infecting the UEFI itself, a security processor is even lower level so assuming it has some storage of its own that malware could write to (like a small piece of the on-board firmware flash) even a reflash of the UEFI along with the reinstall wouldn't be good enough to get rid of the malware!
Unanswered?
Really?
Can Microsoft turn it on via a software update?
Can malware that affects UEFI ... ...turn it on?
Or perhaps worse ... ... off?
Hmm ...
Does salt taste salty?
... makes a lot more sense that it be controlled via a jumper ...
Exactly the point I was attempting to make.
But you got the idea.
O.
That is basically what I was planning to post. I have both a MacBook Pro and a Linux machine for when windows become unusable. Unusable is when my Windows 7 machine becomes too hard to keep going.
I use both Linux and the laptop on a regular basis. They both have their own functions and I trust them both much more than Microsoft anything.
Microsoft really needs to clean up its own software act before forcing their third party hardware "security" on everyone else.
PC makers can choose to ship computers with Pluton turned off, and the technology does not verify the signature of bootloaders, Microsoft PR said. The security processor can be configured to act as a TPM, or used in a non-TPM scenario, or disabled.
--
So does that mean Pluton, when turned off, does not act as TPM 2.0 for other OSes which may use TPM 2.0?
Or does it mean that your got Pluton mode, TPM 2.0 mode, or disabled totally?
You know how currently, to get the best price on OEM Windows licenses, manufacturers have to buy a license per shipped machine, irrespective of whether Windows is actually installed?
Well, I guess the next move is that the price per-box now depends on if a) Pluton is on by default and b) disabling Pluton in the BIOS is prevented. The price will be less in that case.
So, nice cheap laptops will have Pluton on and locked, so no Linux. Which means that old laptops will become landfill, instead of being upcycled with Linux.
Remember, upcycling is good for the environment, but bad for business.
be afraid. Be VERY afraid of MS bringing 'help' to their open-source environments. Frog-boiling pan is already on, 'helpful' 'security' mode on. Fortunately, most folk in open-source environments happen to have a built-in, hardware-level suspicion of MS...
Quick answer for you: How about Never ?
There is / will be no such market opportunity. At least that's what Microsoft decided.
Let's imagine for a second that PC manufacturers will put aside a small batch of computers and sell them without all this security crap but with same specs. Now what do you think their price should be ? If they sell them at a higher price, not many people will buy them. If they will sell them at a lower price, they will lose money. As you can see not much chance for profit here. In both cases they risk upsetting Microsoft and you certainly don't want that. So they take the middle way: offer the possibility to disable that crap for as long as Microsoft will allow it. I know, in the long term there will be no escape from Microsoft appropriating your PC (here P is for Personal).
For corporate computers it doesn't matter at all and I don't care either because they pay me to use Windows.
"Pluton is designed for Windows, and using it with Linux "is currently an unsupported scenario," a Microsoft spokesperson told The Register."
Trust me, IMHO, Pluton is a DRM extension that aims at nothing else but to lock out every OS but Windows 11. Again, IMHO, the only Linux that will work on Pluton machines will be the Linux embedded in Win 11. Suppose you have plans to use a dual-boot scenario. Pluton must be turned on to get 11 to load, but a Linux distro may vomit unless Pluton is turned off. Trust me again: Unless MS rescinds it's decision to make all my home desktops and laptops obsolete, when 10 goes out of support, I'm going out the door, to Linux Mint. or Linux Zorin.
If I had even a nano-second of belief that this mess would stop even -some- of the hacks and hijacks and ransom-ware and spyware and malware and identity theft and all the rest of it, I would scrap my multiple thousands of dollars of HW and acquiesce. But I don't have that belief. IMHO, It will take the evil-doers and government bad actors that said nano-second to jump over all of it. Make TMP/Pluton optional for 11, or MS is gone from my life. They're history, they're in the archives, they're in the rear-view mirror. RIP.
It's been done:
https://en.wikipedia.org/wiki/Forklift_Driver_Klaus_%E2%80%93_The_First_Day_on_the_Job
It's very funny and very messy
https://www.facebook.com/watch/?v=525452031608114 - apologies for the FB link bit it's the only online copy I know of
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
