So, the Trusted Platform Module itself isn't a DRM solution. It's a chip that hangs off the LPC/ISA bus and holds a crypto key generated from boot stage hashes that your BIOS, bootloader, and operating system provide to it. The idea is that all of those hashes together form a key that would change if any stage were tampered with, and that by encrypting things with the key you can prove that those particular things haven't changed.
It's not particularly practical to build a DRM scheme out of a Trusted Platform Module, notably because the key attestation the TPM provides audits a particular combination of boot stages, not a particular piece of hardware. DRM vendors don't care about you updating your firmware, but they do care about videos being locked to a particular authorized piece of hardware. If you had a TPM-based DRM, you'd deauthorize your video downloads by just updating your BIOS, while videos you passed from one person to another on the same OS version would play just fine.
I imagine Pluton is trying to be a competitor to Intel ME or AMD PSP, which are things you can use to isolate software running on shared hardware. For example, Intel ME provides hardware support for Intel Software Guard Extensions, which is used to isolate DRM from the host operating system. AMD has something similar with Secure Encrypted Virtualization, which uses the PSP to set up different memory-encrypted containers for each VM that higher security rings can't access. In this case, locking down PCs from arbitrary code, like an Xbox, isn't really on the menu. What they're looking to do is carve out space in Ring 3 that Ring 0 can't touch.
> It's not particularly practical to build a DRM scheme out of a Trusted Platform Module ... What they're looking to do is carve out space in Ring 3 that Ring 0 can't touch.
Which is precisely what you would want if you were building a DRM scheme - you just aren't being imaginative enough. It's always important to keep in mind that bad actors are typically just as smart and capable as you are.
User hostile practices across the board benefit greatly from the ability to attest to the precise combination of binaries that were booted. Locked down devices are built upon that foundation - no custom ROMs, no jailbreaks, walled garden app stores, and DRM.
Unfortunately, those capabilities are a fundamental building block for securing devices in general. The same technology that can be used by an abusive manufacturer, publisher, or government to secure a device against the user can also be used by the user to secure the device against others. The key difference is in who holds the keys for the root of trust.
(To that end, some modern secure boot implementations manage to get this bit right by allowing you to specify your own set of public keys before locking down the UEFI interface with a password.)
Right, and this is why people are concerned: it puts DRM in a black box that is "untouchable", which is kind of the holy grail of the obfuscation that DRM requires.
But that would also make your device even more uniquely identifiable which is a massive security flaw in my opinion.
edit: I think it is plainly incorrect to brush off fears about DRM deployment and device lock down. This technology was specifically invented for it, there is evidence and direct statements from manufacturers about this.
I thought that specific implementations had issues in the past but that the concept of a TPM in general was fine?
The Intel ME and AMD PSP, on the other hand, are proper nightmares. For that matter, so is any other "security co-processor" that operates as an unauditable black box below ring 0 (presumably this applies to both Apple's and Google's solutions).
To solve chicken and egg problem. In order to enter password, you need to boot full OS (with keyboard and display drivers, for example); but to decrypt OS boot drive you need a password (or more precisely, some key material derived from the password). So a copy of that key material is stored in a TPM, and provided to software only if measured boot goes as usual (i.e. this is not a Linux booting from USB thumbdrive).
It doesn't (it does heavily push you towards it, but you don't need it), you can edit a group policy in order to be able to store the key on a usb drive or to use a passphrase.
It's not particularly practical to build a DRM scheme out of a Trusted Platform Module, notably because the key attestation the TPM provides audits a particular combination of boot stages, not a particular piece of hardware. DRM vendors don't care about you updating your firmware, but they do care about videos being locked to a particular authorized piece of hardware. If you had a TPM-based DRM, you'd deauthorize your video downloads by just updating your BIOS, while videos you passed from one person to another on the same OS version would play just fine.
I imagine Pluton is trying to be a competitor to Intel ME or AMD PSP, which are things you can use to isolate software running on shared hardware. For example, Intel ME provides hardware support for Intel Software Guard Extensions, which is used to isolate DRM from the host operating system. AMD has something similar with Secure Encrypted Virtualization, which uses the PSP to set up different memory-encrypted containers for each VM that higher security rings can't access. In this case, locking down PCs from arbitrary code, like an Xbox, isn't really on the menu. What they're looking to do is carve out space in Ring 3 that Ring 0 can't touch.