Fed-up Torvalds suggests disabling AMD’s 'stupid' performance-killing fTPM RNG
Whoops. Thanks. I corrected the URL in the post.
The wonders of modern technology!
Man, I'm glad Sync for Lemmy launched today, I really missed the automatic amp removal from links.
I always just kill my TPM chip. It's so obvious TPM will be used in the future for application offline DRM. They will execute encrypted operations under the TPM veil and decompilers will become unusable.
Just disabled it in BIOS/UEFI. Should I disable security device support too, or doesn't it matter when fTPM is disabled?
Or depends what they mean by security service support. Presumably some kind of external (USB?) device?
Would love this. I'm still getting the fTPM stutters and there's no way to disable it in my motherboard's BIOS.
Based Linus. Kill it, it's pointless
I've had a weird system-wide stutter for months and the usual googling and troubleshooting didn't help.. omg. This might be it. Thank you Linus and thank you op.
I had it on my Windows 11 PC for a long time. I use this PC for music production and it was infuriating - the sound would just cut out intermittently like the computer couldn't keep up. I tried lots of things, including an expensive CPU upgrade. In the end Asus released a new BIOS for the motherboard to address this AMD stutter, and that fixed it.
The issue is worked around in newer kernel versions. But it's better to just update your BIOS to fix the issue.
the module can cause intermittent stuttering, depending on which Ryzen processor you're using. It appeared when the fTPM was in use, it would access its flash storage via a serial interface, and when doing so, held up activity by the rest of the system.
Could this be why I get stuttering in games after enabling TPM installing Windows 11?
"Maybe use it for the boot-time 'gather entropy from different sources,' but clearly it should not be used at runtime."
Good idea. Ask it during boot/insmod for some hardware-random bits to seed Linux's usual software-only CSPRNG, then just use that.
And even that might not be a great idea. I wouldn't be surprised if the fTPM RNG is subtly not-entirely-random, at some alphabet agency's behest. I remember there being a controversy over rdrand for this reason…
The fix with any possible issues with rdrand is the same here. When entropy is gathered from many sources including hardware instructions, any nefarious plant in the chip is drowned out in a sea of noise.
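The mixing argument in the comment above, as an added example (not part of the thread and not the kernel's code): a hash-based pool in which a stuck device, like the all-0xff one reported further down, is still mixed in but earns no entropy credit. `Pool`, `stuck_hwrng`, `boot_seed` and the 256-bit threshold are assumptions for illustration, `os.urandom` stands in for the other sources, and the argument assumes the sources are independent of each other.

```python
import hashlib
import os

SEED_BITS = 256  # assumed credit needed before the pool counts as seeded


class Pool:
    """Simplified hash-based entropy pool (sketch, not the kernel's random.c)."""

    def __init__(self):
        self._h = hashlib.blake2s(digest_size=32)
        self.credited = 0

    def add(self, name, data, credit_bits):
        # Length-prefix both fields so bytes cannot be shifted between them.
        for field in (name.encode(), data):
            self._h.update(len(field).to_bytes(4, "little"))
            self._h.update(field)
        # A source whose bytes are all identical is treated as stuck: its
        # data is still mixed in (harmless), but it earns no credit.
        if len(set(data)) > 1:
            self.credited += min(credit_bits, 8 * len(data))

    def ready(self):
        return self.credited >= SEED_BITS

    def seed(self):
        # Copy so the pool can keep absorbing input after a seed is drawn.
        return self._h.copy().digest()


def stuck_hwrng(n):
    """Constructed faulty device: every byte is 0xff."""
    return b"\xff" * n


def boot_seed(hw_read, other=os.urandom):
    """Seed once at boot from a hardware source plus an independent one."""
    pool = Pool()
    pool.add("hwrng", hw_read(32), credit_bits=256)
    pool.add("other", other(32), credit_bits=256)
    return pool.seed(), pool.ready()


if __name__ == "__main__":
    seed, ready = boot_seed(stuck_hwrng)
    print("seeded:", ready, "seed:", seed.hex())
```

With only the stuck device as input the pool never reports ready and always yields the same seed; adding one independent source makes the seed differ on every run.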
I'm no cryptographer, but that seems like an awfully dangerous assumption.
Well, it's an fTPM, aka software, and AFAIK, no software can truly have a random RNG.
So it might be very good pseudo random at best.
It could be only mostly firmware, with a hardware RNG.
If not, and it uses a CSPRNG, then I don't see much point in using it at all. Linux already has its own CSPRNG.
Yup. I've been wondering if that was the thing that's made the v6.4 kernels so unstable on Ryzen machines.
Relevant:
😂😂😂
good thing my Ryzen 1000 series motherboard doesn't even have TPM....I need to upgrade lool
What is that needle with a ball stuck onto it? In the photograph. Someone please help.
Microphone from a headset.
I agree. If it doesn't work, disable it until it's fixed
Oh I disabled that a while ago because their hardware random number generator always returned 0xfffff...
Honestly, hardware random number generation seems sketchy. Something you'd expect government backdoors to be in.
TPM is basically never for your benefit. It's becoming a requirement because Microsoft is going to one day say "you can only run apps installed from the Windows Store, because everything else is insecure" and lock down the software market. Valve knows this which is why they're going so hard on the Steam Deck and Linux.
This is why I keep my initrd tattooed as a barcode on my testicles.
I don't know why I keep hearing of security measures to stop someone sleuthing into bootloaders.
Am I the only person using Linux who isn't James Bond?
TPM bad, put your secrets on a proper encryption peripheral, like a smartcard running javacardOS
TPM will turn into cpu-bound DRM, the more you use it, the more this cancer will grow
Today I learned that I actually set up secure boot properly. Neat!
Trusting some obscure hardware might be a bad idea then.
Why do you need full disk encryption in your day to day life? Are you a secret agent? I feel like that would give you out though.
It's not a matter that I would have nothing to hide, this defense is stupid. It's a matter that you should use a security adapted to your need, because the cost doesn't offset the benefit otherwise. And with disk encryption you will far more often be sorry than happy if you're a normal person.
https://hothardware.com/news/steam-deck-tpm-support-install-windows-11
I mean I generally agree with you, but the SteamDeck runs on an AMD processor with a fTPM that Valve slowly added support for.
It seems unlikely Valve will ever make Windows the primary OS for their devices. And they'd lose a lot of user support if they ever required the TPM for their own software, so hopefully they wouldn't risk it.
Support for old software is now the only reason to use windows.
I'm a big fan of Linux, but I can't believe you really think this.
We use the TPM pretty extensively with no Windows in the environment.
But with a reason, I'm sure. There's no reason for the everyday consumer to need one, other than Microsoft wanting more control.
You do realize that he is talking about a RNG gen and not the TPM?
It is talking about the RNG built into the fTPM.
And now imagine Linux had actually more market share on the Desktop. But for that, Linux needs at least a little more software support to be reliable for other people. And that software is usually not open source. Maybe with Flatpak, it will finally get somewhere in that regard, if there's enough interest from people.
It's not about the software support.
It's because people are too lazy to learn. Most people don't even know that an OS can be different.
For them Windows is de facto THE PC.
Most people are unable to administrate their own systems, therefore GNU/Linux--an operating system built on empowering developers and administrators--is basically unimaginable.
Microsoft and Apple have co-opted the admin duties for users, and that's why people use their operating systems. It spares them from the disaster we all saw and experienced in the Windows XP days--but that comes at a price.
It's not software support, it's not anything to do with Linux. It's a computer illiteracy problem.
Android could, in some respects, be considered Linux's biggest success story among regular users and that's because Google co-opts admin duties.
TPM is pretty important in any modern OS.
Sure you don’t need it. But it’s not 2013. It should be standard along with FDE