- no, I don't need protections for the side channel, I never asked for them
- no, I don't need a unique identifier, who is the demented person who asked you for it
- no, I am not going to glitch the power supply, and even if I did it means I am interested in doing it and wish it worked instead I was prevented from doing it
- no, I don't care at all about having a hw store for certificates, which are ephemeral and dropped from above anyway so what am I supposed to trust?
- and so on
"not secure by design" nowadays comes close to being a coveted feature
Gee I wonder why. /s Such statements are tedious to say the least, preventions have been implemented, obviously it curtails such abuse, obviously that reduces frequency.
> the whole TPM module isn't really needed in my opinion
It's nice that you have no key material that would need to be kept strictly on the device, but a lot of users actually do. We don't want people's Webauthn tokens carried away, we don't want Bitlocker keys stolen, most certainly we do not want biometric authentication data stolen. Maybe you have reduced that risk to near zero, but that's not the case for the vast majority of users.
The frequency dropped even before TPM was deployed on most machines and I guess most systems still haven't it enabled today. Reason for that is that there are simply more direct and profitable ways to get system access, see most applications of ransomware for example.
> It's nice that you have no key material
You can use many different types of authenticators. If you use Windows Hello you need TPM and they try to hinder you adding alternative means without TPM being activated. But that is a different story and solely on Microsoft. No need to falsely or passive aggressively suggest that a system would be insecure without these specific means.
I interpreted your sentence as two disjoint statements and thought you find UEFI/SB and TPMs all useless. But yes, it indeed started dropping before. TPMs don't deal with that topic unless we're speaking of Trusted Boot, which is a whole separate concept.
> [...] hinder you adding alternative means without TPM being activated. But that is a different story and solely on Microsoft.
No it's not solely on Microsoft. If there isn't a safe place to store keys, it makes sense to dissuade storing them. Fairly obvious, isn't it?
> You can use many different types of authenticators.
It's not a very realistic suggestion for most users and use-cases. Having a built-in module that does the job has a lot of upsides.
> No need to falsely or passive aggressively suggest that a system would be insecure without these specific means.
I didn't say such a system would be insecure, however it can't safely store key material, it would be less secure in a bunch of contexts.