stop it before it gets to the children.

which is my snarky way of asking, "exactly which security guarantees does the TPM make and to whom does it make them?" and "does your ad network really need to know how to disable DRM protections?"

[but... thx for pointing this out. I think it's a very bad idea, but interesting to know what people are working on.]

> exactly which security guarantees does the TPM make and to whom does it make them?

I suspect you already know. What the TPM provides is little more than what you get from the trademark and model number off an iPhone. The model number tells you precisely what the hardware is. The trademark proves that it's an Apple phone and model, not someone else's. As for "who does it tell" - the answer is anybody who cares to look.

The analogy breaks down because TPM does a much better job of it than a trademark and model number. There are fake iPhone's out there that fool people. Your bank relies on a TPM's claim your PIN or whatever is stored in Apple iPhone's secure enclave it's an ironclad guarantee. Even more remarkably this assurance can be given remotely without the bank ever being near phone.

As for "does your ad network really need to know how to disable DRM protections?" you are generally in control of whether the bank or ad network gets to access the TPM. Generally it's just a case "it you don't like the idea, don't install the banking app".

As for "stop it before it gets to the children", this child likes the convenience of he gets from giving banks, password managers and whatever the security of knowing they are running on hardware they trust not to leak my creds to random hackers. Sure, it can be used for other things, but shrug - if you don't like that, don't install the app.

I think this would all be possible without a TPM and those instances where my bank needs to verify my device is complete security theatre that negatively affects me and my systems.

My password manager feels quite happy without it, some futile regulation might require my stupid bank to check for TPM, but I do anything to not let it get near a PC.

With some TPM spoofing none of the features can work and the average security researcher can probably quickly confirm this.

TPM might be the wrong medicine if some bots down there even praise it as something advantageous.

TPM (Trusted Platform Module) provides several security guarantees including integrity of the boot process, secure storage, and platform attestation. These guarantees are primarily made to system owners, software vendors, and remote parties to ensure hardware and data security, and system trustworthiness.

As for your second question, an ad network has no legitimate need to know how to disable DRM protections. DRM is essential for protecting content creators' rights and ensuring only authorized users access the content. An ad network's role should be limited to serving and managing ads, not undermining security or intellectual property protections. If an ad network seeks to disable DRM, it's both suspicious and unethical.

but what are the security guarantees? and how are they made to each of the parties listed.

why would a web site want to query a tpm, whose job is to enforce DRM protections?

TPM offers key security guarantees: it ensures the integrity of the boot process, provides secure storage for cryptographic keys and sensitive data, and allows platform attestation to prove system integrity to remote parties. These guarantees benefit system owners by protecting hardware from unauthorized changes, software vendors by securing their software environment, and remote parties by enabling trusted transactions.

TPM isn't just for DRM. It ensures overall system security and trustworthiness. A website might query a TPM to verify a device's security before granting access to sensitive data, but an ad network has no reason to disable DRM. If they try, it's suspicious and unethical.

The TPM-js mentioned is a virtual TPM that shows how TPM works without actually accessing the hardware TPM from a website. It's purely educational.