TPM is not designed to prevent intrusion from hackers; it's designed to turn your general-purpose computer into an appliance by preventing you, the owner, from modifying the OS in your computer as you see fit (and interacting with third-party services at the same time, thanks to remote attestation).
It means that instead of _just patching_ the software in your computer to customize it, now you have to resort to using 0-days to do it, like a criminal, which makes it considerably harder.
It does help against hackers, of course, and the same restrictions do secure you against some attacks (evil maid attacks), but that's not the intent.
The threat model TPM protects against is:
- You log in to Netflix (or whatever)
- Netflix sends your PC the movie so you can watch it.
- Your PC now has the movie in memory.
- You extract the movie from your PC's memory and you can now watch it forever without Netflix's permission.
What the "trusted" in Trusted Platform Module means is that with TPM they can trust your PC to not let you do that.
It's a double-edged sword, right? On the one hand, Windows 12 can be completely iOS-like and you can't do anything about it. On the other hand, someone with physical access to your machine can't replace your OS with one that sends them your disk encryption password as soon as you get a DHCP lease.
Chrome OS really got this one right. You can disable all the security, but there is hardware that tells you that happened. It can also tell your employer so you don't download their IP to a laptop running malware. That's all it's ever been used for; no matter how much people try to make DRM a thing, it's never once worked. Every Netflix-exclusive show is easily downloadable on Usenet.
The sword analogy is getting a bit awkward here, but the people making the sword only care about how well it protects media and software - because they want their marketplaces (app/music/movie/game stores) to be as attractive as possible to media conglomerates.
I'm uncertain. Microsoft isn't making any real money off of media. They sell licenses to use Outlook and rent you some computers, and there's their income.
Of course they make money that way, because Netflix and co want DRM and they don't want you to stop watching Netflix on Windows and have to do it on your phone. So they'll go and make TPMs happen.
Also, Microsoft makes a lot of money from videogames, and TPMs help enforce microtransactions in single player games if nothing else.
That's just a game of chicken neither player wants to admit. "Netflix drops Windows 11, Microsoft launches new subscription service," ain't gonna be good for Netflix.