Other than that, it requires a TPM device. If you're into conspiracy theories, I'll just say that one of my dudes believes that the TPM is not there because you want it as the consumer, but rather is there to take advantage of you (hence why it is required).
Also, my computer doesn't support the TPM device, despite my having upgraded the whole hardware 3 years ago. This is the main reason games such as Valorant aren't playable.
At first I wanted to avoid ranting about Windows 11's requirements, specifically TPM and its friends. Funny that Ravager mentioned Valorant's rootkit anti-cheat actually requiring TPM 2.0 and everything else that goes along with it.
Trusted Computing is the keyword. The first two paragraphs on Wikipedia are quite decent but require elaboration.
Let's go by the principal claims first.
TC makes it possible to ensure the integrity of the software running on a piece of hardware. In short: the UEFI (BIOS) verifies itself, then verifies that the OS loader program is also signed by a trusted signature (Microsoft). This chain of trust continues until your Windows is up and running. Then it's on Windows to verify the software and drivers that it is running. The goal is to make it impossible to run bad, untrusted programs (malware).
This is not all, of course. The software running can verify that nothing has been changed beneath it. Whether Samsung Knox (disables itself permanently when custom firmware/phone rooted), Google's SafetyNet or whatever MS calls theirs on Windows (begins with "Trusted Boot"). In a "trusted environment" the running software decides whether your computer is safe enough for it to run on.
This means:
- You can install another OS only if you can disable SecureBoot / add your own keys to it & sign the new OS' bootloader. Else it won't run. Did the manufacturer allow you to touch these settings? Did you know to ask?
- You cannot change your current, pre-installed OS if SecureBoot is engaged:
  - The OS might not allow you to (lacking root/Administrator rights like on Android)
  - The OS will detect the tampering and shut down some modules, software will refuse to run etc. (real vulnerabilities will still work though, undetected)
Let's quote a Debian Linux developer and former project leader, SteveMcIntyre; on the page about SecureBoot (edit diff) he wrote:
What is UEFI Secure Boot NOT?
(1) UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market here; SB is a security measure to protect against malware during early system boot. Microsoft act as a Certification Authority (CA) for SB, and they will sign programs on behalf of other trusted organisations so that their programs will also run. (2) There are certain identification requirements that organisations have to meet here, and code has to be audited for safety. But these are not too difficult to achieve.
(3) SB is also not meant to lock users out of controlling their own systems. Users can enrol extra keys into the system, allowing them to sign programs for their own systems. Many SB-enabled systems also allow users to remove the platform-provided keys altogether, forcing the firmware to only trust user-signed binaries.
Underlining is mine.
He's wrong on 3 occasions:
1: Not an attempt to lock out Linux
Except practically no computer/motherboard manufacturer preinstalls Linux distributions' keys into UEFI to enable a seamless installation of anything but Windows, thanks SecureBoot! (bla-bla MS is not to blame here bla-bla). Microsoft is de facto the only entity who can sign stuff for SecureBoot to accept.
2: There are "certain" requirements that are "not too difficult to achieve"
Such as the most popular open source bootloader, GRUB2 (uses the GPLv3 license to avoid Tivoization), which cannot ever be signed, because:
4. Code submitted for UEFI signing must not be subject to GPLv3 (source)
PS: If you read on in the source and questions come up, then please read this discussion.
3: SB is also not meant to lock users out of controlling their own systems.
Except this is exactly why Microsoft requires no GPLv3, because that license mandates either providing instructions to unlock the device or, if that were otherwise not possible, the private keys to create your own trusted signatures.
Microsoft's Windows on ARM systems are locked down HARD by default. I haven't followed it, but to get an idea, here's a Surface RT forum thread where "not meant to lock users out" systems have to be "hacked" with a risk of "bricking" to install a custom OS.
After all, the same principles are used in the majority of "branded" hardware you buy today: from computers to phones and "smart" TVs. You are only the user, less of an owner.
Support has ended after 2 years? Please buy a new device. The PR will spin it into being a net positive for the planet somehow.
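As an added example (not part of this thread), here is a POSIX shell model of the allow/deny decision the chain of trust described above applies to a bootloader: openssl stands in for the firmware's signature check and for sbsign/sbverify, two directories stand in for the db (trusted signers) and dbx (revoked hashes) variables, and the "vendor" and "user" signers and loader files are constructed for illustration.

```shell
#!/bin/sh
# Model of the Secure Boot allow/deny decision: a binary boots only if its
# signature verifies against a certificate in db and its hash is not in dbx.
# openssl stands in for sbsign/sbverify; directories stand in for the UEFI
# variables. Everything here is constructed for illustration.
set -eu
WORK=$(mktemp -d)
DB="$WORK/db"; DBX="$WORK/dbx"
mkdir -p "$DB" "$DBX"

# make_signer NAME: self-signed signer certificate plus private key (hypothetical signers)
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# sign_image NAME IMAGE: detached SHA-256/RSA signature, the role sbsign plays
sign_image() { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"; }

image_hash() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# enrol_key NAME: the "add your own keys" step; on real hardware this needs
# PK ownership or setup mode, which the vendor may or may not expose
enrol_key() { cp "$WORK/$1.crt" "$DB/"; }

# revoke_image IMAGE: put the image hash on the dbx denylist
revoke_image() { : > "$DBX/$(image_hash "$1")"; }

# firmware_allows IMAGE: returns 0 (boot) or 1 (refuse), like the pre-boot check
firmware_allows() {
    img=$1
    [ -e "$DBX/$(image_hash "$img")" ] && return 1   # revoked wins over any signature
    [ -f "$img.sig" ] || return 1                     # unsigned: refused
    for crt in "$DB"/*.crt; do
        [ -e "$crt" ] || break                        # empty db: nothing is trusted
        openssl x509 -in "$crt" -pubkey -noout > "$WORK/pub.pem"
        if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$img.sig" \
               "$img" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Constructed scenario: the vendor's certificate is pre-enrolled, the user's is not.
make_signer vendor; make_signer user
enrol_key vendor
printf 'vendor loader' > "$WORK/vendor.efi"; sign_image vendor "$WORK/vendor.efi"
printf 'my own loader'  > "$WORK/mine.efi";  sign_image user   "$WORK/mine.efi"
```

After sourcing the script, `firmware_allows "$WORK/mine.efi"` fails until `enrol_key user` is run, and `revoke_image` makes a previously accepted loader fail regardless of its valid signature.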
Valorant is likely using anti-cheat that requires the TPM. The TPM can be used to verify code as well as execute some code securely, features that can improve the effectiveness of the anti-cheat solution. Windows 10 does not require a TPM, so on such platforms the use is likely optional. Windows 11 does, so in theory all users should have one, meaning the use of TPM can be enforced.
He's totally right, this is what it comes down to: that the software can demand that the system be compliant with all these security (lockdown) features. If you modify your system, this software will refuse to run. This is the perfect setup for an anti-cheat: to prevent the user from modifying how the game works. Now that you're not permitted to modify the system (even if owner and administrator), that means someone's software is the gatekeeper. The only decision you are allowed to make is to (un)install the software, nothing else.
Soon enough this TPM 2.0 + SecureBoot + Microsoft's Trusted Boot bundle will be required to watch content from streaming services in HD. They already have annoying limitations and invasive DRM to permit you 4K/HDR content. However that's only the beginning. And whatever else they might come up with.
Trusted computing is for providing a trusted environment for someone else's software running on your computer, to make sure that neither the user nor a virus can alter the execution. Though most of the examples I see today are limiting the actual user and rarely the malware, which will just find another way to get money out of your bank account ("Microsoft Tech Support" phone calls from India).