TPM is basically never for your benefit. It’s becoming a requirement because Microsoft is going to one day say “you can only run apps installed from the Windows Store, because everything else is insecure” and lock down the software market. Valve knows this which is why they’re going so hard on the Steam Deck and Linux.
You’re going to need a TPM or some other security key if you want to come close to the security Bitlocker’s and Apple’s T2 chip provide. TPM+password encryption is the norm on any serious attempts at data protection, for good reason.
It’s already quite hard to get decent encryption on most Linux distros, with GRUB lacking support for modern key derivation techniques for full disk encryption, and several distros still relying on unencrypted boot partitions that anyone can modify the initrd of without any trace.
Secure boot can protect all of these steps without TPM encryption if you bother to set up your own keys, kick out Microsoft’s keys (killing any chance of a successful dual boot), and set up automatic signing of your bootloader and every intermediate step, but that’s more than any common Linux user is willing to go through. For Secure Boot to work well you’ll probably also want some kind of verification that the system didn’t just modify its environment and chainloaded the Linux bootloader and TPMs are the only way to do that on many systems.
“TPM bad” is as bad a take as “Linux bad”. The technology isn’t inherently good or bad, and both good and bad actors can use it to their advantage, just like the Linux kernel is used in portable hacking devices and in firewalls alike. You can make a problem out of the signed firmware and backdoors and such, but unless you’re running a Pentium II or a RISC-V chip that probably runs at the same speeds, you’re stuck with some kind of binary blob of microcode and firmware on any computer anyway; TPMs don’t add or remove anything from that.
This is why I keep my initrd tattooed as a barcode on my testicles.
“Please teabag the web cam to boot.”
There’s two types of users, those who write a detailed precise technical answer to the subject, and then there’s you
deleted by creator
You know, I’ve been thinking about what I want my first tattoo to be for months, you’ve just given me a great idea
Kernel upgrades are very… Painful.
I don’t know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn’t James Bond?
The thing is, Windows does this out of the box. So does macOS. So do iOS and Android. When you set a PIN on Windows 11 or even add an extra password to your already TPM-encrypted hard drive, you don’t even know you’re getting any of this security. You don’t need to! It just works!
Linux is the only system that doesn’t just make this stuff work out of the box. There are some issues that prevent it from being as easy to use as on other systems (the fact that loading Linux keys into a motherboard take an extra user interaction, for example) but there are solutions to all of these problems if Linux distros were to put some work into it.
There’s absolutely no reason why you should need to use the terminal to configure the TPM, you should just need to tick a box during install that makes the system use better encryption (or disable it if you use the drive in multiple computers). The reason you need to play James bond with layers of encryption and boot configurations is that standard Linux tooling had awful support for using the security hardware that every computer sold the last decade or so already contains.
I’m an engineer with trade secrets on his laptop. I’ve heard of dozens of people getting laptops stolen from their cars that they left for like ten or fifteen minutes.
The chances are slims, but if it happens I’m in deep trouble whether those secrets leak of not. I’m not taking the risk. I’m encrypting my disk.
It’s not like there’s a difference in performance nowadays.
TPM’s not going to help with that situation, though, right? Either you’re typing in your encryption password on boot (in which case you don’t need TPM to keep your password), or you’re not, in which case the thief has your TPM module with the password in it.
From what I understand, TPM is “trusted” because of the fact the secrets it contains are supposed to be safe from an attacker with hardware access.
This is what makes it good at protecting data in case of a stolen laptop. This is also what makes it good at enforcing offline DRM or any kind of system where manufacturers can restrict the kind of software users can run on their hardware.
so you never caught a team of government officials in your living room brute forcing your bootloader at 4am as you got up to use the bathroom, huh. Lucky guy.
Your government doesn’t just hit you with a wrench?
Silly Lemmy user, it’s 4am and I’m on Lemmy
It’s 30% legitimate concern over a non-negligible risk of government overreach, 70% having fun pretending to be James Bond.
deleted by creator
I’m still on the hunt for a desktop Linux distro that has no security features or passwords. My usage for this may not be common but it can’t be rare enough that there are zero options
Ubuntu, no encryption, select boot to desktop by default when the system installs.
Like, really?
Still smashing in passwords left and right
Ah so you want the windows 98 experience, root access by default all the time without passwords or extra prompts.
Maybe setting auto login and sudo without password can be almost enough? https://askubuntu.com/questions/147241/execute-sudo-without-password
I agree that there should be an easy setting to at least allow updates without password. I installed Manjaro for my mom, after a while she complained “there are updates every day and I need to input the password too many times”
TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS
TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow
Intel literally removed CPU-bound DRM from their recent processors because it wasn’t secure. Besides, the encryption keys for DRM are safely stored deep inside the iGPU anyway. All the TPM does is store a few kilobytes of cryptographic data and record signals sent to it by the OS in a way that the OS can’t alter down the line.
The TPM is literally built to be used as an encryption peripheral. You can use alternatives like Yubikeys as external TPMs for extra security of course, but that doesn’t mean every desktop, laptop, and smartphone needs one.
Your smartcard has the exact same potential to become used as a means for DRM. In standard use cases it’s literally meant to govern access to a computer.
You are only seeing what TPM is now. Not what TPM will become when it become an entire encrypted computing processor capable of executing any code while inspection is impossible.
Imagine denuvo running at ring level -1
We already had SGX, that got killed off because it wasn’t resistent against side channel attacks and because barely anyone cared to use it. We also have TrustZone or some comparable technology on every ARM chip out there.
When Intel dropped SGX for 11th gen and newer processors, Intel CPUs lost the ability to play Ultra HD Blurays. We have had TEE based DRM since 2016 and nobody cared or noticed.
Of course AMD hasn’t stopped including its Secure Processor TEE in its chips, through an embedded ARM core that runs TrustZone code, like on an Android phone. AMD market share probably isn’t big enough for anticheat to require AMD-SP (and I bet it’s too expensive to get code running on there anyway) but I’m sure some platforms are using them because AMD still hasn’t removed the feature yet.
Anticheat runs in our kernels now exactly because there’s a lack of proper hardware authorization. DRM can be a lot less invasive if it can verify the state of the machine without obfuscated kernel drivers. We’re even getting Linux based anticheat kernel modules soon. DRM is at ring 0 and it’s not even a controversial topic among gamers anymore. Running at -1 doesn’t even need a TPM, all that needs is a motherboard manufacturer weird enough to put Denuvo in their firmware.
A TPM doesn’t execute arbitrary code. That would put the secret key material at risk. Furthermore, all it can access is the SPI bus or whatever low speed bus it’s hooked up to, it can’t access your hardware like Intel ME or AMD’s PSP can.
Based on your fears, I think you’re mistaking TPMs (harder to steal Yubikey-like hardware) with trusted execution environments (code running in your CPU that you can’t see or alter).
Yes, it’s right in the name “trusted platform module”. There is no secret that their ambition is to become a space to run code outside the user’s reach and scrutiny.
They start with the most legitimate and innocuous purpose. Once it is adopted and ubiquitous it will not suffer the fate of the other attempts and rotting on the vine.
Then surprise TPM 5.0 become full scale full speed trusted execution environment and it’s too late to do anything about it. Eventually , non trusted processing capability will be phased out and only Intel and signed code will run.
deleted by creator
Today I learned that I actually set up secure boot properly. Neat!
Trusting some obscure hardware might be a bad idea then.
Why do you need full disk encryption in your day to day life? Are you a secret agent? I feel like that would give you our though.
It’s not a matter that I would have nothing to hide, this defense is stupid. It’s a matter that you should use a security adapted to your need, because the cost doesn’t offset the benefit otherwise. And with disk encryption you will far more often be sorry than happy if you’re a normal person.
Full disk encryption is something you really want to have when your computer is lost or stolen.
People are imperfect. People have left laptops full of personal and/or commercially sensitive data on trains or planes, had them stolen from cars and houses etc. Full disc encryption is a defence against data breaches especially for computers that are not bolted down. Or it might be as simple as a person not wanting the embarrassment of their porn stash being found.
https://hothardware.com/news/steam-deck-tpm-support-install-windows-11
I mean I generally agree with you, but the SteamDeck runs on an AMD processor with a fTPM that Valve slowly added support for.
It seems unlikely Valve will ever make Windows the primary OS for their devices. And they’d lose a lot of user support if they ever required the TPM for their own software, so hopefully they wouldn’t risk it.
Why does everybody seem to think that userspace attestation is the only use for the TPM? The primary use is for data to be encrypted at rest but decrypted at boot as long as certain flags aren’t tripped. TPM is great for the security of your data if you know how to set it up.
Valve is never going to require TPM attestation to use Steam, that’s just silly. Anti-cheat companies might, but my suggestion there is to just not play games that bundle malware.
Whatever is touted as the primary use doesn’t matter as much as what anti-user features it enables.
Anti-user features which are enabled by games and programs that were already anti-user before this. Hardly worth getting upset about, nothing has really changed. You already should have been avoiding them, because they were already anti-user.
I like to think that Valve knows better than to try that.
I doubt they would risk it as well, but the point is that it exists on the SteamDeck and can be utilized.
So what’s your point?
TPM is basically never for your benefit. It’s becoming a requirement because Microsoft is going to one day say “you can only run apps installed from the Windows Store, because everything else is insecure” and lock down the software market. Valve knows this which is why they’re going so hard on the Steam Deck and Linux.
This is the comment I was replying to. I was simply pointing out that for a company “going hard” on SteamDeck and Linux, it’s curious that they would spend any amount of effort at all enabling the TPM to allow people to run Windows. I guess my point is I don’t think they’re “going hard” quite as much as the person I responded to thinks.
Also it was just pointing out that this specifically can affect the SteamDeck since they use an AMD processor with AMD fTPM.
They are “going hard” the way I see it. Without Valve doing legwork behind the scenes and collaborating with anticheat developers we wouldn’t even have Apex Legends running on Linux like we’ve had for a year and a half. They’ve been talking about wanting to use Linux as a viable PC gaming platform to escape Microsofts lockdown of their platform since the days of Steam Machines when Windows 8 and the new store app were giving bad signs.
Either way Valve would be silly not to provide a compatible way to use Windows on the Deck. Even though the situation is much better these days, they know very well that a lot of enthusiast PC gamers would be dismissive of the Deck if Windows couldn’t work properly on it and that word of mouth would bring less confidence in the product.
Does EAC work correctly playing Apex Legends under Linux? If it does I’ll download the game tonight.
so what’s your point?
Support for old software is now the only reason to use windows.
I’m a big fan of Linux, but I can’t believe you really think this.
I legitimately have not booted into windows for years.
Sadly, I agree. I’m at the point now where as long as I’m not trying to game I can thrive on Linux. But even then I spend way more time than necessary getting things to work that do so out of the box on Windows. We have a long way to go before legacy apps is the only reason to run it.
Personally I found the time I saved from not having any control over my system has more than made up for tinkering that I have to do to get things running. My laptop would regularly become unusable for 20+ minutes on windows because of disk performance issues, and I as the user had no means to prevent windows from running the service that locked everything up. That along with other times windows just decides your use case is less important have added up to far more time then having to debug a game here and there
Ungh, yeah I used to have that problem with my laptop when I was in college.
I only booted it up for classes unless I had a test coming up I needed to study for or something. Because why the fuck would I not do that - I had a regular computer at home for everything else.
Every couple weeks, that meant it was updating instead of being available for note taking, and usually for the entire hour I needed it. Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Linux is just… hey I should probably update this shit at some point… meh, tomorrow.
Because apparently setting the updates to run during shutdown wasn’t good enough, they needed to be run on boot, because fuck you that’s why.
Oh it also loves to install updates on shut down. So when you need to leave the class room to go home that fucking thing tells you to not cut power because it needs to install shit. Fuck you, I need to catch my bus!
Legit idgaf if you want to be plugged in for an update, if it’s inconvenient I’m unplugging it, fuck you for thinking I won’t, and it’s above 60% battery so it doesn’t matter anyway.
Maybe if my computer wasn’t buying so much avocado toast it could manage resources better.
The people that prefer Windows for gaming are not the people that will have performance issues on an OS basis, their rig is powerful enough to run complex games, the OS based performance loss is negligible in comparison. Hell, I sometimes don’t reboot the work computer for days and it doesn’t freeze at all. The system is on an SSD and there are no hiccups nor disk performance issues. In any case, with current day prices, buying a new m2 stick and new ram is less than 100€ total, and to be honest, I’d rather pay that and be fine for 4-5 years than spend a big part of my free time trying to make witcher 3, baldur’s gate 3, path of exile, tons of steam games and league working perfectly for Linux. It’s just not worth it.
I use WSL for work because coding in a Linux environment is better but I still need access to office tools, because companies work with those tools.
Linux won the servers war, but it still has to do much to win the home/work computer war.
“Long way” won’t be long, because Google 2.0, err, MS’ direction continues to make Win worse over time (cloudify everything, extract more data and strip more rights+control from each user, and gain more money via price-increasing subscription models) while the open source desktop ecosystem around Linux is getting noticeably better for almost every user every ~5 years or so. The era of Windows as a “pure” OS died with W7. Since W10, it’s OS + integrated malware. Start of downfall.
Those things matter to you and me but we’re in the minority. As long as Johnny Gamer and Grandma Facebooker can still do their preferred activities in Windows there’s a close to zero percent chance they’ll put the effort into making the switch.
We use the TPM pretty extensively with no Windows in the environment.
But with a reason, I’m sure. There’s no reason for the everyday consumer to need one, other than Microsoft wanting more control.
Data encryption and decryption without entering a password is a pretty darn good reason.
Sure, but does a grandmother’s Solitaire & Facebook PC really need quick encrypting and decrypting? Anyone not dealing with sensitive info doesn’t need one.
Yes, because they are the least likely to know they are a part of a botnet
How would at-rest encryption make it less likely that your computer joins a botnet, or more likely that you’d notice if it did?
There’s no downside to having it. There’s many downsides to not having it. This seems pretty cut and dry to me.
There’s no downside to having it.
Sure there are. If it gets compromised with malicious code, I have no way of removing it.
I can protect ring 0. I can keep crap out of ring 0. If all else fails, I can nuke everything in ring 0 and boot a fresh OS installation. But I can’t do a single bleeping thing except throw out the whole machine if malware takes over ring -1.
This is already the case with your motherboard firmware, which fTPM is a part of. You are correct in that you have no real way to handle malware in it except throw it away. This doesn’t change in any way if you get rid of TPM.
TPM actually provides some useful components to isolate encryption outside of Ring 0, which is a trust win. But any technology must be weighted against its power to oppress.
And its power to make the system less secure. Isolating things outside ring 0 means malware can isolate itself outside ring 0 as well, and then it’s impossible to detect or remove without throwing out the entire machine.
Which is much, much scarier than anything an ordinary rootkit might do.
yes, the reason is to securely store cryptographic keys. even your own. It comes preloaded with microsoft ones usually, but you’re free to delete them and install your own
…so far.
It’s the way everything is moving. Hardware protected keys can be very useful but it’s a double edged sword. It’s more secure but also allows companies to lock consumers out.
We need rules that say when this tech is used the consumer still gets full control over it. Like what Google does with their Pixel phones and the Titan chip. Not what Apple does.
Like what google does? You mean disallowing people who use a privacy respecting android rom from using their banking apps and such? Soon very possibly banking websites included?
It’s only more secure until someone discovers yet another RCE bug in the firmware, and then you’ve got malware in your machine that’s impossible to detect or remove.
Because it’s secure.
Against you.
the average citizen has nothing to hide therefore deserves no privacy
I think you forgot a /s
I’m sure you’ll be ok sending me your social security number, home address, bank login details, credit card number, a copy of all the files on your hard drive…
I mean, you deserve no privacy right?
You do realize that he is talking about a RNG gen and not the TPM?
It is talking about the RNG built into the fTPM.
And now Imagine Linux had actually more market share on the Desktop. But for that, Linux needs at least a little more software support to be reliable for other people. And that software is usually not open source. Maybe with Flatpak, it will finally get somewhere in that regard, if there’s enough interest from people.
its not about the software support.
its because people are lazy to learn. most people dont even know that an OS can be different.
for them windows is defacto THE PC.
Sorry but that’s just wrong. Enough people simply don’t even consider Linux because their needed software doesn’t work + there’s no equivalent alternative. And my PC/OS is not a hobby or a Ideology. It’s a tool that I use to work with.
Is it really wrong? Do you have numbers? I think the most people claim above is at least plausible. It surely fits my personal experience, but that is of course not worth much.
I would argue that most people use their PC for web browsing, light photo editing and personal office stuff and maybe gaming (at least outside work) and those people are not affected by “the software I need does not work and there is no alternative”.
I am a gamer and I run into “the software doesnt do what I want, and theres no way around it/alternative” very often.
almost always cause I want to run another file in the same proton instance of a game to install a mod or do something else.
Or because something just doesnt work, despite following the instructions and others getting it to work.
Like, Cyberpunk is my most recent example. CET doesnt work, followed the guide, installed the packages the guide said to, still nothing. It doesnt prevent me from running the game, but it certainly stops me from enjoying it the way i want to.
I would argue that most people use their PC for web browsing, light photo editing
Maybe just me but I know nobody who still uses a PC for this things anyway. The vast majority of people use their smartphones or tablets for basic stuff like that. People who still use a PCs or Laptops, usually do more work than that.
You named multiple things with major compromises.
Gaming is fine if you use Steam and the compatibility layer or jump through hoops, and don’t play basically anything online.
The photo editing tools on Linux are dogshit.
Web browsing is fine, but not if you want to stream any content, because no one will serve you anything even medium quality without DRM.
Office stuff can kind of be replaced, but mostly by using the browser versions of the shit people actually use, because the tools to collaborate with others (particularly non-techy people) don’t exist for open source alternatives.
The software available is absolutely a massive limitation.
Gaming is fine unless the game has kernel level anti cheat. Minor compromise.
Photo editing tools are good enough for the needs of normal people. Gimp and Darktable are not dogshit, no compromise.
DRM under Firefox works. Never had a problem with it plus most people don’t even watch on computers. No compromise.
Non techy people mostly not do collaborative projects. Plus registering for any cloud with office and collaboration is easy. Minor compromise.
Basically the entire multiplayer space is locked out. It’s a massive compromise. And every platform that isn’t Steam requires significant manual configuration and still has issues.
No, they’re not good. And they’re not suitable for any normal person because the UX is a dumpster fire.
Nobody with normal tv/movie content gives you comparable quality on Linux.
Yes, normal people do need to collaborate. And no, none of the office options on Linux are capable of functional collaboration for normal people, except Google/microsoft through browser nonsense.
Your first point is web browsing. Even that doesn‘t work properly on a linux desktop lol. Browser performance is abysmal because the browsers lack out of the box support for hardware acceleration. Even if you get it to work it might not work reliably and an update might break it again.
Try using a discord call and open a youtube video in 4k at the same time on a a freshly installed linux desktop. The audio will be choppy and the video will drop frames like crazy. Just moving around windows on your desktop is not nearly as smooth as it is on windows.
You seem to be very misinformed. Browsers do not lack hardware acceleration. Some distributions do not include the necessary packets in their default configuration. Some. And when you get it to work, like in Arch Linux, where almost nothing is installed by default, it works flawlessly for years, never had an update breaking browser hardware acceleration.
I can run 12 4k youtube videos at the same time and route the audio to different channels of my different audio devices AND accept several calls from different webapps and the only thing that is not smooth is your way of discussing things LOL
I‘ve had this issue on several distros and multiple friends have the same issue. Video hardware acceleration in a browser is a mess. This is definitely not only affecting me as there is a significant amount of complaints on forums and reddit.
And there is no way that the average computer user will use arch. And as long as you gotta fiddle around with your system to get even the most basic shit running smoothly like watching a high resolution youtube video and moving around windows on your other screen at the same time linux will stay irrelevant as a desktop os. It‘s still a system for nerds and I kinda feel like that this is okay.
I think it’s more that there’s a perception of things not being compatible with Linux nowadays. A lot of the games that didn’t work 5 years ago now do, and I’m still seeing people complain that games like Halo Infinite don’t work on there when they actually do.
The only things I can think of that aren’t compatible and required for some tasks are Photoshop and professional CAD/CAE software. For >90% of the population Linux should be able to handle everything they need
90% of the population don’t use a PC anymore. Smartphones and Tablets have replaced PCs for the most basic tasks.
For technical people, maybe. For the avg user Windows and Mac are the computer and Linux is that thing nerds talk about sometimes.
Most people dont want an OS to be different. They are happy if it boots up and does what they want to do. It’s not lazy, it’s an active disagreement with the premise.
This is why nobody upgrades to Windows 10 from 7, or to 11 from 10. Security risks and lack of features aside, their OS just works for them.
These things are only a concern to enthusiasts.
It’s also why, as shitty behavior as it is, MS getting aggressive about upgrading to 10/11 is a net good, from a security standpoint.
I am intentionally ignoring the “10/11 is just spyware with an OS bundled in” thing in the above statement.
Linux still has too many issues, for example…
- Fedora doesn’t provide binary drivers even if they exist, you need to get a pluggable wifi usb tool that is supported and install the repositories and configure binary drivers to get wifi working on a huge amount of laptops.
- Ubuntu does provide binary drivers but the configuration tool can just crash by itself a lot of the time and just fail to load the driver.
- Ubuntu’s desktop sometimes just crashes.
- Fedora uses some strange memory compression driver to handle its paging file and this can sometimes just crash the OS entirely by itself.
These are major issues that shouldn’t be issues, they should either have been fixed as a priority for the crashes or have some kind of workaround that doesn’t require owning specific USBs that regular people just won’t have. There’s no reason for the memory compression thing either, it probably doesn’t do that much for performance overall but random hard-locks are a huge negative. Linux is its own worst enemy on the desktop.
Sometimes the issues with WiFi chipsets is not the distro but the manufacturer. Debian for instance now includes non-free firmware on its installation ISO image, but some manufacturers do not allow the distribution (e.g. Broadcom) of firmware, so Debian can’t legally include them. And unfortunately the manufacturers don’t make it easy to “just download the firmware” so you can put it on the USB stick so the installer can see them. (Literally the only issue with putting Debian on my old 2013 Macbook Pro was the Broadcom firmware - but fortunately, having a Debian desktop I could install the firmware downloader there to get the two files the installer needed).
This is not a fault of the Linux distro, but a fault of the hardware manufacturer. Unfortuantely, like the smell of piss in a subway, we all have to deal with Broadcom.
Realistically windows is really good at repairing itself (or just getting it to a state where its usable again, to most users would be ‘repaired’).
Until linux has some sort of system like this, its just not worth the headache to 99% of users. The linux errors aren’t even that descriptive when they happen, and could be cause by like anything.
have you ever head windows errors?
they dont even bother to give anything else than an error code which is applicable to 482885 different roots of errors.
Indeed the repairing functionality works. but yeah. the problem will be solved. linux has moved exceptional towards usability and will continue to do so.
But windows is frustrating and slow spyware, so there is that…
I can’t speak for other distributions, but Pop!_OS has had a “Refresh Install” option for a while now that does exactly this. This hasn’t happened often, but there have been a couple of times when something borked my system to the point of making it no longer boot, and re-running the installer in “Refresh Install” mode got everything back and running within 30 minutes while preserving all of my non-system files; in particular this meant that I didn’t have to re-download my Steam and other locally installed games, which is significant because they are the largest apps on my system.
Timeshift
100% Agree.
It will never be the year of the linux desktop, until linux is easy to use and easy to troubleshoot and fix.
and let me tell you, every minor problem requiring some kind of arcane terminal ritualism in ancient enochian that only veteran sysadmins know, is not, and will never be, easy to use or troubleshoot.
- [package_name] --help
- man [package_name]
There, I just gave you 2 ways to turn that arcane terminal ritualism in ancient enochian that only veteran sysadmins know, into a plain english service manual that any literate human being can use to figure out basically any terminal application ever.
Yeah, I’ve done --help. It doesnt make it simple. and it doenst magically let you figure out how to solve the problem, assuming you even know what package is causing the problem.
I’ve gone through more than enough fixing of more than enough problems as an average, not-sysadmin person. I know how bullshit it is. Just because you are used to it doesnt make it easier for regular people to use.
Microsoft has done a lot of shit wrong, but the one thing they got right is the usability of the OS, how any idiot can be sat infront of a computer and know what they’re doing with less than a day of faffing about, and can easily fix most common problems in a few clicks.
Most people are unable to administrate their own systems, therefore GNU/Linux–an operating system built on empowering developers and administrators–is basically unimaginable.
Microsoft and Apple have co-opted the admin duties for users, and that’s why people use their operating systems. It spares them from the disaster we all saw and experienced in the Window XP days–but that comes at a price.
It’s not software support, it’s not anythign to do with Linux. It’s a computer illiteracy problem.
Android could, in some respects, be considered linux’s biggest success story among regular users and that’s because Google co-opts admin duties.
It spares them from the disaster we all saw and experienced in the Window XP days
What disaster?
Did you ever try using a non-power user’s computer with Windows XP?
Yes, but a long time ago. Remind me?
TPM is pretty important in any modern OS.
Sure you don’t need it. But it’s not 2013. It should be standard along with FDE
Whoops. Thanks. I corrected the URL in the post.
The wonders of modern technology!
Man, I’m glad Sync for Lemmy launched today, I really missed the automatic amp removal from links.
I always just kill my TPM chip. It’s so obvious tpm will be used in the future for application offline DRM. They will executed encrypted operations under the TPM veil and decompilers will become unusable.
How do you kill your TPM chip?
Level 1, turn off in bios
Level 2, desolder from motherboard
Level 3, remove cpu pins related to tpm
Level 4, decap cpu, laser off tpm bus or blocks
Thank you, the best I can do is level 2 (once I learn how to solder)
Level 5, throw computer into a volcano and go live in the woods using no technology more complex than a flint and steel.
Disable it in the bios
Just disabled it in BIOS/UEFI. Should I disable security device support too, or doesn’t it matter when fTPM is disabled?
Or depends what they mean by security service support. Presumably some kind of external (usb ?) device ?
I love how Torvalds always calls it like he sees it.
insert nvidia middle finger gif here
Inserted
Honestly, I go watch this video from time to time whenever I need a lift.
Would love this. I’m still getting the ftpm stutters and there’s no way to disable it in my motherboards bios.
Wow I’m surprised you can’t disable it. I can disable it on my desktop BIOS (Gigabyte X570S Pro AX) and my work laptop BIOS (Dell G15 I think like 5515).
You use a Dell G15 for work?
I do, yeah.
What is it that you do?
I didn’t know this was a thing, it explains so much.
Based linus. Kill it, it’s pointless
I’ve had a weird system-wide stutter for months and the usual googling and troubleshooting didn’t help… omg. This might be it. Thank you Linus and thank you op.
I had it on my Windows 11 PC for a long time. I use this PC for music production and it was infuriating - the sound would just cut out intermittently like the computer couldn’t keep up. I tried lots of things, including an expensive CPU upgrade. In the end Asus released a new BIOS for the motherboard to address this AMD stutter, and that fixed it.
Which AGESA version?
Which AGESA version?
I don’t really know anything about that. Currently HWiNFO64 shows Microcode Update Revision A201025 and SMU Firmware Revision 56.74.0. I don’t know whether those are the numbers you’re asking for, or what they were while it was still having problems.
Thanks for the info! I’ll have to check that against what I’m using.
The issue is worked around in newer kernel versions. But it’s better to just update your BIOS to fix the issue.
the module can cause intermittent stuttering, depending on which Ryzen processor you’re using. It appeared when the fTPM was in use, it would access its flash storage via a serial interface, and when doing so, held up activity by the rest of the system.
“Maybe use it for the boot-time ‘gather entropy from different sources,’ but clearly it should not be used at runtime.”
Good idea. Ask it during boot/
insmod
for some hardware-random bits to seed Linux’s usual software-only CSPRNG, then just use that.And even that might not be a great idea. I wouldn’t be surprised if the fTPM RNG is subtly not-entirely-random, at some alphabet agency’s behest. I remember there being a controversy over
rdrand
for this reason…The fix with any possible issues with rdrand is the same here. When entropy is gathered from many sources including hardware instructions, any nefarious plant in the chip is drowned out in a sea of noise.
Well, it’s an fTPM, aka software, and AFAIK, no software can truly have a random RNG.
So it might be very good pseudo random at best.
It could be only mostly firmware, with a hardware RNG.
If not, and it uses a CSPRNG, then I don’t see much point in using it at all. Linux already has its own CSPRNG.
Yup. I’ve been wondering if that was the thing that’s made the v6.4 kernels so unstable on Ryzen machines.
Relevant:
😂😂😂
What is that needle with a ball stuck onto it? In the photograph. Someone please help.
Microphone from a headset.
I agree. If it doesn’t work, disable it until it’s fixed
Or just disable fTPM alltogether in the bios. Security by obscure hardware is no security at all. Goes for encrypting disks too, they always take some shortcut for performance or price.
Oh I disabled that a while ago because their hardware random number generator always returned 0xfffff…
Honesty, hardware random number generation seems sketchy. Something you’d expect government backdoors to be in.