Do you think streaming platforms and other entities that employ DRM schemes use the TPM in your computer to decrypt stuff? Well, the Free Software Foundation seems to think so, and adds Microsoft’s insistence on requiring a TPM for Windows 11 into the mix, but it turns out that’s simply not true.
I’m going to be honest here and say that I don’t know what Microsoft’s actual motivation for requiring a TPM in Windows 11 is. I’ve been talking about TPM stuff for a long time. My job involves writing a lot of TPM code. I think having a TPM enables a number of worthwhile security features. Given the choice, I’d certainly pick a computer with a TPM. But in terms of whether it’s of sufficient value to lock out Windows 11 on hardware with no TPM that would otherwise be able to run it? I’m not sure that’s a worthwhile tradeoff.
What I can say is that the FSF’s claim is just 100% wrong, and since this seems to be the sole basis of their overall claim about Microsoft’s strategy here, the argument is pretty significantly undermined. I’m not aware of any streaming media platforms making use of TPMs in any way whatsoever. There is hardware DRM that the media companies use to restrict users, but it’s not in the TPM – it’s in the GPU.
↫ Matthew Garrett
A TPM is simply not designed to handle decryption of media streams, and even if it were, it’s far, far too slow and underpowered to decode even a 1080p stream, let alone anything more demanding than that. In reality, DRM schemes like Google’s Widevine, Apple’s FairPlay, and Microsoft’s PlayReady offer different levels of functionality, both in software and in hardware. The hardware DRM stuff is all done by the GPU, not by the TPM. By focusing so much on the TPM, Garrett argues, the FSF is failing to see how GPU makers have enabled a ton of hardware DRM without anyone noticing.
Personally, I totally understand why organisations like the Free Software Foundation are focusing on TPMs right now. They’re one of the main reasons why people can’t upgrade to Windows 11, it’s the thing people have heard about, and it’s the thing that’ll soon prevent them from getting security updates for their otherwise perfectly fine machines. I’m not sure the FSF has enough clout these days to make any meaningful media impact, especially in more general, non-tech media, but by choosing the TPM as their focus they’re definitely choosing a viable vector.
Of course, over here in the tech corner, we don’t like it when people are factually inaccurate or twisting and bending the truth, and I’m glad someone as knowledgeable as Garrett stepped up to set the record straight for us tech-focused people, while everyone else can continue to ignore this matter.
It makes sense that TPMs aren’t used for DRM today. Obviously mainstream content providers can’t rely on TPM as long as the majority of legitimate users don’t have a supported machine. And implementing DRM that uses TPM could actually discourage the uptake of TPM. However, once TPM becomes mandatory and everyone is expected to have it (Windows 10 EOL quickly approaches…) I wouldn’t be surprised if that’s when the DRM will be rolled out. I don’t think we should rule out this future just because it’s not used today.
I agree with mjg59 about the functional gains of TPM not being worth depriving millions of users of an upgrade path. I don’t find Microsoft’s PR excuses for doing this very compelling. We shouldn’t rule out that ulterior motives could be at play. The two that immediately come to my mind are 1) forcing consumers to buy more OEM copies using arbitrary TPM requirements to render existing machines obsolete, and 2) handing Microsoft more control and using TPM to enforce it.
We won’t know for a while, but we’ll see where this goes.
The most likely reason Windows 11 requires a TPM is to support hardware attestation to allow Microsoft to create their own version of Google Play Integrity to lock down apps to the Windows installation provided by the OEM and disable admin privileges and modding in general. They were planning to do this for decades long before Apple and Google managed to pull it off. The TPM is already currently used by anti-cheat software used for videogames and I expect streaming, banking and government apps to use it as well just like they already do on Android.
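To make the attestation mechanism the comment above refers to concrete, here is an added example (not code from the article, from Garrett, or from the commenter) of what a remote verifier checks when it receives a TPM quote: the PCR extend chain that measured boot produces, a quote that binds the PCR digest to a fresh nonce, and the verifier comparing that digest against a known-good value. The boot component blobs and the attestation key are constructed for the example, and an HMAC stands in for the TPM attestation key’s asymmetric signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32   # TPM 2.0 SHA-256 PCRs start at all zeros at reset
MAGIC = b"ATTEST"         # stand-in for the TPMS_ATTEST header (assumption)
NONCE_LEN = 16


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new value = H(old value || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components) -> bytes:
    """Extend one PCR with the digest of each boot component, in load order.
    Changing any component, or the order, changes the final PCR value."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def make_quote(ak_secret: bytes, pcr_value: bytes, nonce: bytes):
    """Device side: sign (nonce || digest of selected PCRs).
    HMAC is a stand-in for the attestation key signature (assumption)."""
    pcr_digest = hashlib.sha256(pcr_value).digest()
    attest = MAGIC + nonce + pcr_digest
    sig = hmac.new(ak_secret, attest, hashlib.sha256).digest()
    return attest, sig


def verify_quote(ak_secret: bytes, attest: bytes, sig: bytes,
                 expected_nonce: bytes, golden_pcr: bytes) -> str:
    """Verifier side: check signature, freshness, then PCR policy."""
    expected_sig = hmac.new(ak_secret, attest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return "bad-signature"
    if attest[:len(MAGIC)] != MAGIC:
        return "malformed"
    nonce = attest[len(MAGIC):len(MAGIC) + NONCE_LEN]
    pcr_digest = attest[len(MAGIC) + NONCE_LEN:]
    if not hmac.compare_digest(nonce, expected_nonce):
        return "stale-nonce"          # replayed quote from an earlier session
    if not hmac.compare_digest(pcr_digest, hashlib.sha256(golden_pcr).digest()):
        return "pcr-mismatch"         # boot chain differs from the golden one
    return "ok"


# Constructed sample boot chain and its golden PCR value (not real firmware).
OEM_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN_PCR = measure_boot_chain(OEM_CHAIN)
AK_SECRET = b"constructed-attestation-key-secret"


def attest_scenario(chain, replay: bool = False) -> str:
    """Run one verifier challenge against a device that booted `chain`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    # A replayed quote was produced for some other, older nonce.
    quote_nonce = secrets.token_bytes(NONCE_LEN) if replay else nonce
    attest, sig = make_quote(AK_SECRET, measure_boot_chain(chain), quote_nonce)
    return verify_quote(AK_SECRET, attest, sig, nonce, GOLDEN_PCR)


if __name__ == "__main__":
    print("unmodified boot :", attest_scenario(OEM_CHAIN))
    print("modified kernel :", attest_scenario([b"firmware-v1", b"bootloader-v1", b"kernel-patched"]))
    print("replayed quote  :", attest_scenario(OEM_CHAIN, replay=True))
```

The point for a defender reading this is which checks carry the policy: the signature only proves the quote came from the TPM, the nonce only proves it is fresh, and the comparison against a golden PCR value is what actually ties the verdict to a specific boot chain, so keeping those golden values current is the operational burden of any attestation scheme.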
Perhaps it can’t handle the decryption of media streams, but I see no reason why it can’t be used for the handshake process.