• Artwork@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    20 hours ago

    To understand why the requirements keep escalating, follow the arms race. Cheats started in user space, so anti-cheat moved into the kernel to see them. Cheats followed into the kernel, and then below it into hypervisors - so anti-cheat added hypervisor detection and began demanding a verified boot chain. Every time the cheat drops a layer deeper, the anti-cheat has to demand more privilege and more hardware trust to keep watching. That is what TPM 2.0, Secure Boot, remote attestation, IOMMU enforcement, and now forced firmware updates actually are: anti-cheat chasing cheats further down the stack.

    Source

    -–

    Wonderful day!

    I’ve been into the subject a few times already, and just in case, if interested, in short, the TPM is a specific module with its own API in modern motherboards that has inside a key pair known as Endorsement Key (EK) which is a permanent unique identifier burned into the hardware. It’s used to create signed EK certificates.

    To clarify, similar to the asynchronous cryptographic we may see in the general TLS certificates in HTTP traffic ( “green” lock), the TPM , as mentioned, has API to create public keys from its private key inside.

    The private key is burned-in by the manufacturer inside the module, which is also normally protected from physical damage to be self-destruct, by its standard requirements.

    Systems like Denuvo may create and encrypt their own data using the public key, and send it to the TPM to decrypt, verify, and therefore identify the hardware on their servers as an identity.

    The Endorsement Key (EK) is an asymmetric key pair consisting of a public and private key stored in a Shielded Location on the TPM.
    The public part of the EK can be read from the TPM while the private part MUST never be exposed.
    The public key of the EK is included in the EK certificate…
    However, the EK provided by the manufacturer MUST be defined as a non-duplicable key.

    Source: Credential_Profile_EK_V2.0_R14_published.pdf

    Though, I believe, the TPM specifications were actually designed by Trusted Computing Group with privacy in mind to prevent the EK from being used as a “global tracking ID”, some vendors or organizations may use it for undefined reason, and hence please do consider the opportunities your operating system and motherboard provide.

    Also, if interested in experimenting, and haven’t yet, in Linux, TPM is accessed via character devices (created by the Kernel module), and normally support different operations to read/write to, and located at /dev/tpm*, though these devices’ permissions are set to root only in all the Kernels I’ve seen yet. There are CLI software packages as tpm2-tools for the protocol.

    • snugglesthefalse@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      3 hours ago

      So I actually disabled TPM the other week because as it turns out it was preventing my pc from entering sleep a significant portion of the time, I think the GPU wasn’t being allowed to save the framebuffer anywhere because the drivers weren’t proprietary Nvidia ones.