1. You don't trust people with physical access to the computer. For the average home user, this means you consider the hardware owner a threat.
2. You want to protect against malware that has already taken complete control over the OS at runtime, and that wants to write itself to disk or the BIOS so that it survives a reboot. At this point, the attacker has already won, so... This might make sense on a stateless appliance like a Chromebook where you do factory wipes a lot.
So TPM mostly "protects" against the hardware owner, or against malware that already has 100% access to all user data, and just wants to stick around a bit longer.
Personally, I'd go with TPM being net negative, because the primary threat model it "protects" against is the actual hardware owner.
It does require someone to steal the entire laptop rather than just the hard drive, but… I don’t think that this was an actual worry, and the security result of encrypting to a device with the key stored in the same device is much like not encrypting.
It also makes it a lot harder to bypass the login screen, even if someone takes the whole laptop.
In case you weren't aware, the ability to do a passwordless unseal can be tied to not tampering with the bootchain. It's not entirely bulletproof, but it's beyond the abilities of most thieves to bypass this (versus just popping the drive in another machine).
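To make the "passwordless unseal tied to the bootchain" concrete, here is an added toy simulation (not code from the thread or any TPM library) of measured boot plus PCR-sealed unsealing: each stage is hashed into a PCR with the extend operation, a secret is sealed to the resulting PCR value, and a tampered bootloader yields a different PCR so the unseal fails. The boot-stage bytes, `ROOT_KEY`, and the HMAC-keystream wrapping are all constructed stand-ins for what a real TPM does internally.

```python
import hashlib
import hmac

# Constructed sample boot chain: the bytes of each stage, as hashed before it is executed.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-EVIL", b"kernel-v1"]
# Hypothetical stand-in for a TPM-resident root secret that never leaves the chip.
ROOT_KEY = b"tpm-internal-root-key-never-leaves-chip"


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).
    Append-only: software can extend a PCR but never set it to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_bootchain(chain) -> bytes:
    pcr = bytes(32)  # PCRs are zero at power-on; each stage measures the next before jumping to it
    for component in chain:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal(secret: bytes, policy_pcr: bytes) -> dict:
    """Wrap a 32-byte secret so it is recoverable only when the PCR equals policy_pcr.
    The HMAC keystream is a toy stand-in for the TPM's AES/HMAC wrapping."""
    keystream = hmac.new(ROOT_KEY, policy_pcr, hashlib.sha256).digest()
    return {"policy_pcr": policy_pcr, "ct": bytes(a ^ b for a, b in zip(secret, keystream))}


def unseal(blob: dict, current_pcr: bytes):
    """The TPM checks the policy against its OWN current PCR, not a value the caller claims."""
    if not hmac.compare_digest(current_pcr, blob["policy_pcr"]):
        return None  # bootchain differs from the one the secret was sealed to
    keystream = hmac.new(ROOT_KEY, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


def demo():
    """Returns (unseal after a good boot, unseal after a tampered boot)."""
    disk_key = b"32-byte-disk-encryption-key-xxxx"  # constructed sample secret
    blob = seal(disk_key, measure_bootchain(GOOD_CHAIN))
    return unseal(blob, measure_bootchain(GOOD_CHAIN)), unseal(blob, measure_bootchain(TAMPERED_CHAIN))
```

The same property is why swapping the drive into another machine fails: that machine's TPM holds a different root secret and reaches a different PCR state, so the sealed blob is useless to it.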
I think you are missing some parts in the industrial use.
The TPM is also used for device authentication. It prevents the leakage of certificates that are used to ensure that you are using the device you claim to be using. This is highly relevant when having remote access from users and one would like to enforce tiering rules together with privileged access workstations.
Furthermore, the second example in which "the attacker already won" is missing the context. The attacker does not want to access the computer (in the industrial example), it wants to use it to escalate access within its organization. The TPM can be used for remote attestation, that is, a remote server can verify the integrity of the boot process of the device before giving access to remote resources. In other words, it can be used to check for device compliance.
It is definitely a positive for enterprise security.
Interesting perspective. While I know secure boot has some downsides, on the whole I think it’s a pretty good thing.
I guess you’re looking at it as a freedom for gramps to dual boot a homebrew OS, and I’m looking at it as taking away gramps’ freedom to install persistent malware that requires buying new hardware to get rid of.