• typhoon@lemmy.world
    1 day ago

    Are we saying here that using Linux + TPM = recommended, using Microsoft + TPM = burn?

    • audaxdreik@pawb.social
      1 day ago

      Mostly, kind of.

      You can use the TPM to automatically decrypt a LUKS root volume at boot just like you would BitLocker; however, your recovery keys aren’t automatically uploaded to a Microsoft account; you must manage them yourself (generally I see this as a benefit but the layman may appreciate Microsoft’s “assistance” here). https://wiki.archlinux.org/title/Trusted_Platform_Module

      You can also use it for SSH: https://www.ledger.com/blog/ssh-with-tpm

      ⚠️ WARNING, what follows is much more my personal speculation on things so absolutely take this with a grain of salt.

      The TPM isn’t ever really under the user’s direct control - it’s used by applications that hook into it. On Linux, I anticipate you would be much more protected from the remote attestation aspects of TPM 2.0 phoning out to 3rd party servers for verification because in general that just does not vibe with the FOSS standards and sensibilities. HOWEVER, in my wildest speculations it may still be possible to fall victim to that through proprietary software. Currently things like Microsoft Office, Adobe Photoshop, or Activision’s Call of Duty don’t work under Linux. If Microsoft gets particularly desperate, I wouldn’t put it past them to actually distribute a native Office for Linux package, or work with Adobe or Activision to do likewise for their programs as a baited hook. Any proprietary, closed-source software can still communicate with the exposed TPM for that remote attestation and refuse to run if they find tampered data, pirated files, or other running applications they object to (I don’t know exactly what form it would take but it could be any or all of these). Effectively they maintain control over your system by right of denial; if you want to run their software you play by their rules.

      This of course doesn’t matter if you have no desire to run that software. Again, the TPM itself is not directly malicious and as long as you don’t engage with software that would use it maliciously, it’s fine to have it active and enabled within your OS.

        • audaxdreik@pawb.social
          21 hours ago

          Well, I wouldn’t say great, merely useful.

          The rant is because I’m trying to provide a balanced view of it without coming off as a fearmonger. TPM is certainly not without its uses, but it’s a leash that can be yanked on. Under Windows, you’re fully in Microsoft’s world and they will yank that leash. But given the right leverage and circumstances, that leash can and very well may extend into Linux as well if you allow the software through with it.

          Be careful. Use it if you will but remember what it is capable of.