Are there TPMs where the user has more control and can configure w/ a root password to control keys? I like the idea of a secure tamper resistant security device but I don't like that the owner of the PC does not retain absolute control over this device.
Even if your TPM lets you control the keys, how do you know it doesn't have a set of secret keys known to the manufacturer and/or government?
If you're using these keys as part of a disk encryption scheme, you may find that your government deems this to be an illegal attempt to prevent yourself from complying with search warrants (even if you're not suspected of any other crime).
At least historically TPMs weren't even usable at all before you perform a procedure called "taking ownership" in which you set a password. This is one of the reasons nothing much uses the TPM. The privacy/control features it had killed its usability.
> the owner of the PC does not retain absolute control over this device.
This is a bit FUD-y. TPMs are key stores, the same as what Apple calls a "secure enclave." When you activate a device with a service like Netflix or software like Windows, they stick their key in the TPM. As a user you can clear or disconnect the TPM any time you like - you're in control of your device. What you're not in control of is Netflix and Windows - Netflix and Windows are only going to authorize 5 TPMs. If you reset your TPM, you're going to need to re-enter your license information.
Does it? I can't make my microwave work with the door open either. The whole "point" of a TPM is that the user can create, use, and delete keys inside of it, with the promise that the keys won't come out. TPMs are just smart cards. Would you say that you don't have control over a smart card because you can't get the keys out of it? I'd say I DO have control over the smartcard, because I authorize and de-authorize the keys held within, and the whole point of a smartcard is to permit authorization of a physical entity, which requires the physical entity to resist leaking its keys.
To me, operating with a well designed model, when and if I choose, with the ability for me to shut it down at any time - that's control.
In an ideal world, all smart cards/TPMs/HSMs would have these two properties:
1. Under no circumstances would they ever be sold with any private keys already on them
2. There would be no way to prove or determine after the fact whether a given key was generated internally or imported from an external source
If those two things were true, then you'd still be able to get 100% of the legitimate security benefit of them, but they'd be completely unusable for DRM and other evil things.
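As an added illustration of the two properties above (a constructed example, not code from any commenter): a toy key store whose attestation either does or does not disclose where a key came from. The attribute names sensitiveDataOrigin and fixedTPM are taken from TPM 2.0's object attributes; the HMAC-based attestation, the key names and the relying party's policy are assumptions made for the demonstration.

```python
import hmac, hashlib, os, json

# Constructed toy model (not a TPM implementation). It borrows two real TPM 2.0
# object attributes, sensitiveDataOrigin (generated inside the device) and
# fixedTPM (cannot be exported), to show that an attestation revealing them is
# what lets a remote service tell device-generated keys from owner-imported ones.
class ToyKeyStore:
    def __init__(self, reveal_origin=True):
        self.attest_secret = os.urandom(32)  # stands in for an attestation key
        self._objects = {}
        self.reveal_origin = reveal_origin    # False models property 2 above

    def create_key(self, name):  # generated internally
        self._objects[name] = {"secret": os.urandom(32),
                               "sensitiveDataOrigin": True, "fixedTPM": True}

    def import_key(self, name, secret):  # supplied by the owner
        self._objects[name] = {"secret": secret,
                               "sensitiveDataOrigin": False, "fixedTPM": False}

    def sign(self, name, msg):  # ordinary use of a stored key
        return hmac.new(self._objects[name]["secret"], msg, hashlib.sha256).hexdigest()

    def certify(self, name, nonce):
        # Attestation over the key's attributes and a relying-party nonce.
        attrs = {k: v for k, v in self._objects[name].items() if k != "secret"}
        if not self.reveal_origin:
            attrs = {}  # property 2: no provenance claim is ever made
        body = json.dumps({"name": name, "attrs": attrs, "nonce": nonce.hex()}, sort_keys=True)
        return body, hmac.new(self.attest_secret, body.encode(), hashlib.sha256).hexdigest()

def relying_party_accepts(trusted_attest_secret, body, sig):
    """DRM-style policy: only device-generated, non-exportable keys are accepted."""
    expected = hmac.new(trusted_attest_secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    attrs = json.loads(body)["attrs"]
    return attrs.get("sensitiveDataOrigin") is True and attrs.get("fixedTPM") is True

def demo(reveal_origin):
    """Returns which keys a DRM verifier accepts, and whether the owner can still sign."""
    tpm = ToyKeyStore(reveal_origin)
    tpm.create_key("vendor")
    tpm.import_key("owner", b"\x11" * 32)  # constructed owner key
    nonce = os.urandom(16)
    accepted = {n: relying_party_accepts(tpm.attest_secret, *tpm.certify(n, nonce))
                for n in ("vendor", "owner")}
    owner_can_sign = len(tpm.sign("owner", b"hello")) == 64
    return accepted, owner_can_sign
```

With provenance disclosed, the verifier accepts only the device-generated key; with property 2 in force it can accept neither, while the owner's own use of the keys is unaffected.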