The freedom problem is this: you will not be able to roll your own keys.
This is probably the biggest nail in the coffin for a ton of computers out there. In theory you could simulate via software the workings of a TPM. If you built a kernel module the browser would have no real way of knowing if it sent requests to a piece of hardware or a piece of software. But the fact that you would have to use Microsoft's or Apple's keys makes this completely impossible.
The hardware problem is this: you will not be able to use older or niche/independent hardware.
As we established that software simulation is impossible, this makes a ton of older devices utter e-waste for the near future. Most Chromebooks themselves don't have a TPM, so even though they are guaranteed updates for 10 years, how are they going to browse the web? (Maybe in that case Google could actually deploy a software TPM with their keys since it's closed source.) I have a few old business laptops at home that have a 1.X version of the TPM. In theory it performs just as well as TPM 2.X, but they will not be supported because, again, I will not be able to use my own keys.
Lastly there is the social problem: is DRM the future of the web?
Maybe this trusted computing stuff really is what the web is bound to become, either using your certified TPM keys or maybe your Electronic National ID card or maybe both in order to attest the genuineness of the device that is making the requests. Maybe the Wild West era of the web was a silly dream fueled by novelty and inexperience and in the future we will look back and clearly see we needed more guarantees regarding web browsing, just like we need a central authority to guarantee and regulate SSL certificates or domain names.
Yes, completely impossible to fake by design. Otherwise what's the point? But I think the root of trust is whatever signs the hardware TPM module. So, Intel, AMD and Apple.
If I understand it correctly, the secure chain of trust will be something like: hardware TPM module -> secure boot -> Windows signed kernel -> Chrome (signed binary). It's not clear to me if desktop Linux will be able to participate in this ecosystem at all, which is ironic given how much Google uses Linux. Maybe a couple of the big distributions like Canonical will be able to sign their Linux kernel builds.
> Lastly there is the social problem: is DRM the future of the web?
It's opt-in by website operators at least. Assuming this happens, there are two big questions in my mind:
1. How much of the web will go dark to anyone not using a corpo software stack? I imagine bank websites will adopt this technology immediately, while sites like HN, personal blogs and Wikipedia won't touch this stuff. How much of the web will stop working on my terrible "hacker" computer where I use Firefox on Linux?
2. How will this interact with browser extensions and dev tools? If websites won't function outside of Chrome, will we be able to continue to drive Chrome programmatically? Will Chrome's dev tools still work? Will websites be told about my ad blocker extensions? Will WebDriver (and similar tools) be blocked?
If you can detect if anyone is using a system that supports this then you can ban only them instead of allowing only them, right?
Maybe we should nip this in the bud? If even 10% of sites banned anyone with this enabled from day zero before anyone else is requiring it, users would turn it off and then it wouldn't be there for anyone else to use.