TPMs can be nice if the end user has the ability to program the keys into them. For example, I want to be able to sign the exact version of the OS/software I run with my own key. Unfortunately the BIOS doesn't always let you add new Secure Boot keys to the TPM.
This would be another reason to do everything through VMs, as you can add a virtual TPM to the VM that you'd be able to back up and copy to a new physical system.
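What a TPM actually records about "the exact version of the OS/software I run" is a chain of measurements, and a secret sealed to those measurements is released only when the same chain is booted again. The simulation below is an added example written for this thread, not code from any poster or vendor: it models the SHA-256 PCR extend operation, an event log, the replay a remote verifier does, and a simplified stand-in for a PCR-bound seal policy (the real TPM2_PolicyPCR encoding differs; only the "any change breaks the policy" property is shown). The boot components and PCR assignments are constructed placeholders.

```python
import hashlib


def extend(pcr, digest):
    """TPM 2.0 PCR extend (SHA-256 bank): PCR' = H(PCR || digest).

    Extend is one-way and order-dependent, so a PCR value commits to the
    whole sequence of measurements, not just the last one."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(chain, pcr_count=24):
    """Measure each component into its PCR and keep an event log, as firmware
    and bootloader do during a measured boot.

    chain is a list of (pcr_index, description, component_bytes)."""
    pcrs = {i: bytes(32) for i in range(pcr_count)}
    log = []
    for idx, desc, blob in chain:
        digest = hashlib.sha256(blob).digest()
        pcrs[idx] = extend(pcrs[idx], digest)
        log.append((idx, desc, digest))
    return pcrs, log


def replay_log(log, pcr_count=24):
    """What an attestation verifier does: recompute every PCR from the event
    log alone, then compare with the values the TPM quoted."""
    pcrs = {i: bytes(32) for i in range(pcr_count)}
    for idx, _desc, digest in log:
        pcrs[idx] = extend(pcrs[idx], digest)
    return pcrs


def policy_digest(pcrs, selection):
    """Simplified stand-in for a PCR-bound seal policy: a composite hash over
    the selected PCRs. Any change in a selected PCR changes the digest."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).hexdigest()


# Constructed stand-ins for boot components; a real chain measures the
# firmware volume, the bootloader PE image, the Secure Boot variables, etc.
GOOD_CHAIN = [
    (0, "platform firmware", b"firmware build 1.2.3"),
    (4, "bootloader", b"grub 2.06, signed with my key"),
    (7, "secure boot state", b"SecureBoot=1 db=<my cert>"),
    (8, "kernel", b"vmlinuz-6.1.0"),
]
# Same chain with only the bootloader swapped out.
TAMPERED_CHAIN = [
    (i, d, b"some other bootloader" if d == "bootloader" else blob)
    for i, d, blob in GOOD_CHAIN
]

SEAL_PCRS = {0, 4, 7, 8}


def seal_policy_for(chain):
    """Policy digest a secret would be sealed to after booting this chain."""
    pcrs, _log = measure_boot(chain)
    return policy_digest(pcrs, SEAL_PCRS)


def unseal_would_succeed(chain, sealed_policy):
    """A sealed secret is released only if the current boot reproduces
    exactly the policy digest it was sealed against."""
    return seal_policy_for(chain) == sealed_policy


if __name__ == "__main__":
    pcrs, log = measure_boot(GOOD_CHAIN)
    policy = seal_policy_for(GOOD_CHAIN)
    print("PCR4   :", pcrs[4].hex())
    print("policy :", policy)
    print("log replays to quoted PCRs:", replay_log(log) == pcrs)
    print("unseal after good boot     :", unseal_would_succeed(GOOD_CHAIN, policy))
    print("unseal after tampered boot :", unseal_would_succeed(TAMPERED_CHAIN, policy))
```

Note that this is also why a virtual TPM that is backed up and restored keeps working on new hardware only as long as the guest's measured chain stays the same: the seal is to the measurements, not to the physical chip.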
The keys still must be signed by Microsoft.
They rigged it so that the EFI BIOS can only have one root certificate, so only one organization has to sign all the keys. So you can only securely dual boot Windows and Linux if Microsoft signed both of the bootloaders.
So if you don't want to be under MS's thumb you can never use Windows, and you're going to have to build your own Linux because the major distros are signed by Microsoft.
Basically TPM should be making your system more secure, but in reality it's taking away control over your own computer.
OEMs sometimes have the ability to change the root certificate. I know this because at work we were looking into having a signed OS for a regulated/certified product, and we wanted it to be our root certificate instead of Microsoft's.
Though it's not true of all motherboards/BIOSes that you can change the root cert. And in general I would say that the proprietary nature of BIOSes today is becoming as big an issue as the proprietary nature of operating systems 30 years ago, and we probably need to start exerting more pressure on hardware vendors to support coreboot or TianoCore or whatever other open source BIOS is popular.
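The "root certificate" the two posts above are arguing over lives in the UEFI authenticated variables (PK, KEK, db, dbx), each of which is a concatenation of EFI_SIGNATURE_LIST structures from the UEFI specification. The encoder/decoder below is an added example for this thread, not code from any poster, OEM or firmware project. It shows the on-disk layout that tools such as efitools produce and that the firmware parses, and it builds a db holding two X.509 anchors from different owners plus a SHA-256 allow-list entry. The certificate bytes and owner GUIDs are constructed placeholders (real DER comes from `openssl x509 -outform DER`); the two signature-type GUIDs are the spec's values.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification. EFI stores GUIDs in its
# mixed-endian layout, which Python exposes as uuid.bytes_le.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner is chosen by whoever enrolls the entry; both values are made up.
OWNER_VENDOR = uuid.UUID("11111111-1111-1111-1111-111111111111")
OWNER_MINE = uuid.UUID("22222222-2222-2222-2222-222222222222")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """Encode one EFI_SIGNATURE_LIST.

    A list has a single SignatureSize, so every entry must be the same length;
    certificates of different sizes go in separate lists appended back to back."""
    if len({len(e) for e in entries}) != 1:
        raise ValueError("entries in one list must be equal-sized")
    sig_size = 16 + len(entries[0])  # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    # SignatureHeaderSize is 0 for X.509 and SHA-256 lists.
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def parse_db(blob):
    """Decode a concatenation of EFI_SIGNATURE_LISTs (the layout of db, dbx,
    KEK and PK). Returns [(signature_type_guid, [(owner_guid, data), ...]), ...]
    and rejects truncated or inconsistent sizes instead of reading past them."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or (list_size - ESL_HEADER.size - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        start = off + ESL_HEADER.size + hdr_size
        entries = []
        for p in range(start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((owner, blob[p + 16:p + sig_size]))
        lists.append((uuid.UUID(bytes_le=raw_type), entries))
        off += list_size
    return lists


# Constructed stand-ins for DER-encoded certificates of different sizes.
FAKE_DER_VENDOR = b"\x30\x82\x01\x00" + b"V" * 256
FAKE_DER_MINE = b"\x30\x82\x01\x40" + b"M" * 320


def example_db():
    """A db with a vendor root, my own root, and two SHA-256 hashes of
    specific binaries: three lists, two owners, four trust anchors."""
    return (
        build_esl(EFI_CERT_X509_GUID, OWNER_VENDOR, [FAKE_DER_VENDOR])
        + build_esl(EFI_CERT_X509_GUID, OWNER_MINE, [FAKE_DER_MINE])
        + build_esl(EFI_CERT_SHA256_GUID, OWNER_MINE,
                    [hashlib.sha256(b"my-kernel.efi").digest(),
                     hashlib.sha256(b"my-initrd.efi").digest()])
    )


def trust_anchors(blob):
    """Flatten a variable into (type, owner, data) triples."""
    return [(t, o, d) for t, entries in parse_db(blob) for o, d in entries]


if __name__ == "__main__":
    for sig_type, owner, data in trust_anchors(example_db()):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(f"{kind:6} owner={owner} bytes={len(data)}")
```

The round trip through `parse_db` is also a useful check on whatever your firmware or `efi-readvar` hands back: a db is just a sequence of these lists, and nothing in the format limits it to one issuer.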