You can use `podman-compose --in-pod=1 systemd -a create-unit` and it will create a podman-compose@ service, then you can register compose.yml files with `podman-compose systemd -a register` with a $name, after that you can manage those pods based on compose files using podman-compose@$name.service. Works completely rootless too.
There’s an embedded immutable Endorsement Key (EK), sometimes along with a public crypto cert (EKCert) signed by the manufacturer, that the TPM can use to prove its authenticity. With the certificate you can detect the QEMU case.
It goes TPM → OS Integrity (dm-/fs-verity) → Browser Attestation (Web Integrity) → Your banking website no longer working on Linux because of "security". It’s Play Integrity for the PC.
Encrypted video is a red herring. The real long game is to also get your "secure" video player to refuse playback if it detects watermark in the pirated video. This patches the analog hole.
If you have attested Windows it can just refuse to download "freeworld" VLC because it can be used for piracy and/or even watching child pornography. Imagine that!
Of course you can use Linux instead but now you have to use the approved distro that also won’t let you run "dangerous" apps.
This is of course a slippery slope argument and Microsoft would not be able to force all that right now, but better get started on the foundations. Some future government can then just force them to implement the rest, but by then it will be just a flip of a switch.
"TPM is not DRM" argument seriously lacks imagination.
Google SafetyNet is basically Swiss cheese with lots of bypass solutions for custom ROMs.
A TPM may only attest that it has received an expected set of measurements (hashes). As long as discrete TPMs or PCs with unlocked CPUs exist (w/o Boot Guard), one may simply take a TPM and replay "golden" measurements to it. Bypassing this would be trivially easy.
A TPM does not have control over execution on the CPU. It only receives data from the CPU. If you have control over execution on the CPU from the reset vector, you can just replay whatever you want to a TPM and extract secrets that way. That's why TPM backed disk encryption without configuring a PIN is insecure.
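As an added illustration of what the verifier side of attestation actually checks (example code written here, not from the thread): a remote verifier replays the measured-boot event log it was sent, recomputes the PCR with TPM 2.0 extend semantics, and compares it with the value the TPM quoted. Component names and digests are constructed.

```python
import hashlib

# Constructed example: a SHA-256 PCR bank starts at all-zero bytes and can only
# be extended by software, never set directly: PCR_new = H(PCR_old || digest).
PCR_INIT = bytes(32)

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR_Extend semantics for a SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()

def measure(component: bytes) -> bytes:
    """Digest the firmware/bootloader/kernel image that gets measured."""
    return hashlib.sha256(component).digest()

def replay_log(event_log: list) -> bytes:
    """Recompute the PCR value that a given sequence of measurements yields."""
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

# Constructed "golden" log: digests a known-good boot chain produces, in order.
GOLDEN_LOG = [
    ("firmware", measure(b"firmware v1.0")),
    ("bootloader", measure(b"bootloader v2.3")),
    ("kernel", measure(b"kernel 6.1")),
]
GOLDEN_PCR = replay_log(GOLDEN_LOG)

def verify_quote(reported_pcr: bytes, event_log: list) -> bool:
    """What the verifier does with a quote: recompute the PCR from the log and
    compare. A match proves only that the TPM received exactly these digests
    in this order, which is the limit the thread describes: the TPM cannot
    tell who fed it the measurements, so sealed secrets still need an auth
    value (PIN) on top of the PCR policy."""
    return replay_log(event_log) == reported_pcr

if __name__ == "__main__":
    tampered = list(GOLDEN_LOG)
    tampered[2] = ("kernel", measure(b"kernel 6.1 (modified)"))
    print("golden log verifies:  ", verify_quote(GOLDEN_PCR, GOLDEN_LOG))
    print("tampered log verifies:", verify_quote(GOLDEN_PCR, tampered))
```

Because the final PCR depends only on the digest sequence, the same log (and nothing else) always reproduces it, while any changed or reordered entry fails verification.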
Microsoft does not have the same level of control over the entire PC ecosystem as Google has over Android. That's why it's important to support open source alternatives.
And that’s why Play Integrity is based on hardware attestation and it is no longer Swiss cheese? And Win11 requires specifically TPM 2.0 (usually fTPM), not just any TPM.
You’re also entirely missing the point. Yes, you can bypass TPM based DRM to extract the unencrypted video (or just analog hole it); that’s why the game is to lock down the OS so you just can’t play it.
If all DVD players came with watermark detection instead of copy protection you wouldn’t have bootlegs because now every single client device needs to do the bypass instead of just once to extract unencrypted stream.
How many people have bypassed or hardware modded Playstations or Switches? This is what you’re talking about. Almost everyone will just accept it.
> If all DVD players came with watermark detection instead of copy protection
That is an enormous "if". Do you think Microsoft is going to or is able to enforce this on every single software provider? Even in your Android example that's just not happening, and you can happily sideload apps. You can still develop your own apps on the same Android phone that you use for banking.
> And sorry but how many people have bypassed Playstations or Switches. This is what you’re talking about. Most people will just accept it.
People accept this with consoles because a console is a device exclusively for consuming media, and all developers apply for a devkit. I just don't see that happening in the PC space. You think Microsoft is suddenly going to dump this on third party software developers and force everyone to go through certification and to buy devkits? Without a mass exodus to Linux?
How would you do it if this was the goal? First you introduce TPM to every device under the sun until it’s everywhere, then you just have to flip a switch. You write the Patriot Act, then stash it in the drawer until it’s time...
> you can happily sideload apps.
This is an extremely weak argument when the other major platform does not let you do that, right? Sideloading could go away at any moment just like that. That’s my point. There’s nothing technical stopping it.
> People accept this with consoles because a console is a device exclusively for consuming media, and all developers apply for a devkit.
Already Windows has: SmartScreen (which requires code signing) and an app store. Locking down the OS and apps is hardly unprecedented. Both Windows and macOS now have developer modes, which is a software devkit equivalent.
> Without a mass exodus to Linux?
That’s why you wait until mass adoption (Win11) and only then start boiling the frog.
Look, I acknowledge this is a slippery slope argument. But the slope is very slippery. Something is clearly going on.
> And Win11 requires specifically TPM 2.0 (usually fTPM), not just any TPM.
There are TPM 2.0 dTPMs. If the conspiracy is that they want to push people towards "hardware attestation", then they're doing a pretty bad job.
> You’re also entirely missing the point. Yes, you can bypass TPM based DRM to extract the unencrypted video (or just analog hole it); that’s why the game is to lock down the OS so you just can’t play it.
There's no need to "lock down the OS" when there's already a locked down OS on the CPU itself (Intel SGX), which is way more secure (because it doesn't have a bazillion userspace programs and third party drivers loaded), but for whatever reason gets way less flak than TPM.
Intel SGX was never pushed on anyone and it's also Intel only, Skylake to Ice Lake, and requires vendors to provide consistent firmware updates to stay secure. You can’t run the entire OS in an SGX enclave because it can’t do I/O on its own.
> There are TPM 2.0 dTPMs. If the conspiracy is that they want to push people towards "hardware attestation", then they're doing a pretty bad job.
No "normies" are doing TPM bypasses. That’s the point. The majority will eventually be on unbypassable TPM.
Considering that's the only way to play most DRM protected 4K videos, it's probably more of a "push" than requiring TPM. It didn't even have the fig leaf of being usable for FDE or webauthn.
> No "normies" are doing TPM bypasses. That’s the point. The majority will eventually be on unbypassable TPM.
If the bar is "normies", then you don't even need TPM. You can just slap Denuvo or whatever on it and call it a day.
You can just not buy Blu-rays; they were never popular on PCs anyway. TPM is being pushed on everyone upgrading to Win11. One is opt in, the other is maybe opt out if you jump through hoops, for now. Very different. Also you can do other things with SGX, though admittedly it’s mostly useful on servers, but you would still use SGX indirectly via remote attestation. E.g. it’s what Signal uses for some of its core functionality.
> If the bar is "normies", then you don't even need TPM. You can just slap denuvo or whatever and call it a day.
Again, missing the point. Denuvo, Widevine, whatever, it’s all weak to crack once & enjoy, but only if you control the OS. The Great TPM Conspiracy Theory is about limiting what you can do with your mainstream Windows/Linux/macOS installation, in the ways I’ve laid out earlier. Taking the ‘P’ out of PC.
Still better than putting a porn site address on a children’s product (wicked). And they were able to buy the redirect. They should feel very lucky indeed.
I don't know/care to know how this played out. At the time I was thinking that if I was the owner of 'wicked.com' I would change my landing page and put a split-screen with one half linking to the toy (and away from the adult material), and to the other half a respectful/non-pornographic link for 'further in to my own adult material', perhaps adding a couple more hoops to minimize innocent souls being damaged.
You’ve answered it yourself. Without TPM you have no idea if you can provide the secret to the system or if it’s compromised. Whether that secret comes from TPM or network is secondary.
If that 1¢ gets you straight to Inbox then the signal-to-noise would take a very bad nosedive. If not, then it will change nothing anyway. Phone calls cost money and there are still plenty of SPAM calls.
When you have one or more UI requirements, you usually also care about the priority of selections. Certainly language selection without priority is unusual.
from itertools import zip_longest

# Constructed sample input so the snippet runs stand-alone (the original
# comment assumed `table` was already defined); the last row is short on purpose.
table = [['name', 'value'], ['alpha', '1'], ['b']]

tab_width = 4
# Pad each column to the next tab stop; zip_longest keeps columns of ragged rows.
col_max_widths = [(v := max(map(len, a))) + tab_width - (v % tab_width)
                  for a in zip_longest(*table, fillvalue='')]
for row in table:
    print(''.join(c.ljust(cw) for cw, c in zip(col_max_widths, row)))
Regular zip works, I just don’t like the worst case because if one row has fewer columns the entire column will be quietly dropped since builtin zip works as zip_shortest rather than raise an exception. I never use builtin zip on input data.