Patrick O'Callaghan writes: > In the case of Windows 11 under a VM, as you say the software TPM can do > what it likes. In effect, there is no more guarantee than with a system > without a TPM and the message that Windows 11 can only be used where a TPM > provides a trust base might give a false sense of security.
That depends on the implementation of the virtual TPM. Although from what I'm reading it shouldn't transparently virtualize the hardware TPM (if present), the hardware TPM can be used to provide a trust root for the virtual TPM, which can then attest to the VM. I would assume that to really trust any system, you'd need to have out-of-band knowledge of the TPM's identity, whether hardware or software. It's true that there's more room for malware to wedge itself in in this setup, but in theory it should work. As for "false sense of security", that has been a Microsoft business model at least since they trumpeted "Orange Book Level C" security (the highest you can get without physically securing the device) for Windows NT in the 1990s -- which certification was invalid if you changed the physical configuration of the device (insert floppy!), connect to a network, or install software. Security is hard, the weakest link is often your personnel, you shouldn't say you care about security unless you have a specialist auditing your systems, and any other generic statements about security are marketing drivel. ;-) Regards, Steve _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
