
The author seems misinformed about the purpose of TPM to DRM schemes.

The purpose of a TPM, in this case, is not to provide encryption, but instead to provide so-called ‘authenticity’. A TPM with its attestation capabilities can allow a remote validator to attest the operating system and system software you are running via the PCRs which are configured based on it, with Secure Boot preventing tampering. [1] Google tried to implement APIs to plug this into the Chrome browser, which was later abandoned after backlash. [2]

In this case, the TPM can allow services like Netflix or Hulu to validate the hardware and software you are currently running, which provides the base for a hardware DRM implementation as stated in the article. Don’t be surprised if your non-standard OS isn’t allowed to play back content due to its remote validation failing if this is implemented.

TPMs also have a unique, cryptographically verifiable identifier that is burnt into the chip and can be read from software. This allows for essentially a unique ID for each computer that is not able to be forged, as it is signed by the TPM manufacturer (in most cases Intel/AMD as TPMs on consumer hardware are usually emulated on the CPU's TEE). If you were around for the Pentium III serial controversy, this is a very similar issue. It's already used as the primary method of banning users on certain online video games, but I wouldn’t be surprised to see it expand to services requiring it to prove you aren’t a “bot” or similar if it gets wider adoption.

There is a great article going more into detail about the implications of TPM to privacy from several years ago, which was the basis for this reply. [3]

[1]: https://github.com/MicrosoftDocs/azure-docs/blob/main/articl...

[2]: https://github.com/explainers-by-googlers/Web-Environment-In...

[3]: https://secret.club/2021/06/28/windows11-tpms.html
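The verifier-side check described in the comment above, as an added example that is not part of the comment or of any vendor's code: a remote validator replays the boot event log, compares the result with the quoted PCR, and rejects components outside its allowlist. Assumptions: all function and variable names are hypothetical, an HMAC stands in for the TPM attestation-key signature, the quote carries a single PCR value directly, and the sample measurements are constructed.

```python
import hashlib
import hmac

def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # PCR extend: new = H(old || digest). Order-sensitive and not reversible.
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log) -> bytes:
    pcr = bytes(32)  # a boot-time PCR starts at all zeros
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def make_quote(ak_key: bytes, nonce: bytes, pcr: bytes):
    # Stand-in for the TPM. Assumption: HMAC replaces the AK signature.
    body = nonce + pcr
    return body, hmac.new(ak_key, body, hashlib.sha256).digest()

def verify_quote(ak_key, nonce, quote, event_log, allowed) -> str:
    body, sig = quote
    expected = hmac.new(ak_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    if body[:-32] != nonce:
        return "stale nonce"
    if replay(event_log) != body[-32:]:
        return "event log does not match quoted PCR"
    unknown = [name for name, digest in event_log if digest not in allowed]
    if unknown:
        return "unapproved component: " + ", ".join(unknown)
    return "ok"

# Constructed sample data (not real measurements)
AK = b"constructed-demo-key"
STOCK = [("firmware", measure(b"fw-1.0")),
         ("bootloader", measure(b"loader-2.3")),
         ("kernel", measure(b"vendor-kernel"))]
CUSTOM = STOCK[:2] + [("kernel", measure(b"self-built-kernel"))]
ALLOWED = {digest for _name, digest in STOCK}

if __name__ == "__main__":
    nonce = b"\x01" * 16
    for label, log in (("stock", STOCK), ("custom", CUSTOM)):
        quote = make_quote(AK, nonce, replay(log))
        print(label, "->", verify_quote(AK, nonce, quote, log, ALLOWED))
```

Every check here concerns the state the TPM signed; none of them identifies which machine presented the quote.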



I'm extremely familiar with the capabilities of TPMs (I've worked on deploying remote attestation services at multiple companies), but here's the thing - streaming vendors don't use TPM-based remote attestation. None of them. It doesn't happen. Could it happen? Yes, but it would buy almost nothing - remote attestation is something that's viable in enterprise environments where you can bind TPM identity to inventory entries, and not in the real world where you could just plug in a second TPM on a USB adapter and fake the measurements. And how would you prove the attestation came from the same device that has the reported GPU key? Remote attestation is only useful when bound to other hardware keys, and there's no way within current specs to perform binding between the TPM and the GPU - pirates could just pass the attestation query to another machine.


Why is the grandparent dead? Makes an interesting point and am glad I read it and the replies. Please vouch.


Look at the other flagged comments and come to your own conclusion.


I notice you said "can" and "if". Does DRM actually use the TPM or not?


Depends on your definition. If you count video game anti-cheating software as DRM, the answer is yes. Apart from that, I’ve only currently seen TPMs used as a hardware identifier (in the same way a monitor serial is) for software licensing. The capability does exist however.



