Am I less secure in my situation if I disable the TPM chip in my BIOS?

Hi - I wanted to see if folks have any insights that might help a decision I’m trying to make…

My system (details at the bottom) has an AMD chip that seems to be impacted by a bug in the fTPM, causing occasional full system stuttering:

I’ve installed all the latest firmware updates from HP, and it appears that the fix for that issue hasn’t been incorporated by them, the motherboard manufacturer, or whoever is responsible. While the stutters aren’t constant, they are pretty annoying (seem to be happening at especially inopportune times recently), so I’m considering disabling the fTPM chip in the system BIOS to see if that helps.

However, I’ve seen several places where fTPM is mentioned as an important component of the future of Linux security, part of the future Fedora vision, etc. - however I wasn’t able to find (within the Docs site, anyway) specific current things that it would be used for, other than full-disk encryption (which I don’t have in place).

In that situation, does anyone have any insights into what risks (if any) would be created by disabling TPM? Are there parts of the Fedora Workstation platform that would be impaired by doing so, or is most usage future-facing?

Thanks for any advice!

System:
  Kernel: 6.1.14-200.fc37.x86_64 arch: x86_64 bits: 64 compiler: gcc
    v: 2.38-25.fc37 Desktop: GNOME v: 43.3 tk: GTK v: 3.24.37 wm: gnome-shell
    dm: GDM Distro: Fedora release 37 (Thirty Seven)
Machine:
  Type: Laptop System: HP product: HP Pavilion Gaming Laptop 15-ec2xxx v: N/A
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: HP model: 88DD v: 96.33 serial: <superuser required> UEFI: AMI
    v: F.23 date: 10/20/2022
Battery:
  ID-1: BAT0 charge: 45.8 Wh (100.0%) condition: 45.8/45.8 Wh (100.0%)
    volts: 12.6 min: 11.6 model: HP Primary serial: <filter> status: full
  Device-1: apple_mfi_fastcharge model: N/A serial: N/A charge: N/A
    status: N/A
CPU:
  Info: 6-core model: AMD Ryzen 5 5600H with Radeon Graphics bits: 64
    type: MT MCP arch: Zen 3 rev: 0 cache: L1: 384 KiB L2: 3 MiB L3: 16 MiB
  Speed (MHz): avg: 1408 high: 3300 min/max: 1200/4280 boost: enabled cores:
    1: 1200 2: 1200 3: 3300 4: 1200 5: 1200 6: 1200 7: 1200 8: 1200 9: 1200
    10: 1200 11: 1604 12: 1200 bogomips: 79049
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Graphics:
  Device-1: NVIDIA TU117M vendor: Hewlett-Packard driver: nvidia v: 525.89.02
    arch: Turing pcie: speed: 2.5 GT/s lanes: 8 ports: active: none
    empty: HDMI-A-1 bus-ID: 01:00.0 chip-ID: 10de:1f99
  Device-2: AMD Cezanne [Radeon Vega Series / Radeon Mobile Series]
    vendor: Hewlett-Packard driver: amdgpu v: kernel arch: GCN-5 pcie:
    speed: 8 GT/s lanes: 16 ports: active: eDP-1 empty: none bus-ID: 05:00.0
    chip-ID: 1002:1638 temp: 44.0 C
  Device-3: Luxvisions Innotech HP TrueVision HD Camera type: USB
    driver: uvcvideo bus-ID: 3-3:3 chip-ID: 30c9:0035
  Display: wayland server: X.org v: 1.20.14 with: Xwayland v: 22.1.8
    compositor: gnome-shell driver: X: loaded: amdgpu,nvidia
    unloaded: fbdev,modesetting,nouveau,vesa alternate: nv dri: radeonsi
    gpu: amdgpu display-ID: 0
  Monitor-1: eDP-1 model: BOE Display 0x094d res: 1920x1080 dpi: 142
    diag: 395mm (15.5")
  API: OpenGL v: 4.6 Mesa 22.3.6 renderer: AMD Radeon Graphics (renoir LLVM
    15.0.7 DRM 3.49 6.1.14-200.fc37.x86_64) direct-render: Yes
Audio:
  Device-1: NVIDIA vendor: Hewlett-Packard driver: snd_hda_intel v: kernel
    pcie: speed: 2.5 GT/s lanes: 8 bus-ID: 01:00.1 chip-ID: 10de:10fa
  Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor vendor: Hewlett-Packard
    driver: N/A pcie: speed: 8 GT/s lanes: 16 bus-ID: 05:00.5 chip-ID: 1022:15e2
  Device-3: AMD Family 17h/19h HD Audio vendor: Hewlett-Packard
    driver: snd_hda_intel v: kernel pcie: speed: 8 GT/s lanes: 16
    bus-ID: 05:00.6 chip-ID: 1022:15e3
  Sound API: ALSA v: k6.1.14-200.fc37.x86_64 running: yes
  Sound Server-1: PulseAudio v: 16.1 running: no
  Sound Server-2: PipeWire v: 0.3.66 running: yes
Network:
  Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
    vendor: Hewlett-Packard driver: r8169 v: kernel pcie: speed: 2.5 GT/s
    lanes: 1 port: e000 bus-ID: 02:00.0 chip-ID: 10ec:8168
  IF: eno1 state: down mac: <filter>
  Device-2: Realtek RTL8852AE 802.11ax PCIe Wireless Network Adapter
    vendor: Hewlett-Packard driver: rtw89_8852ae v: kernel pcie: speed: 2.5 GT/s
    lanes: 1 port: d000 bus-ID: 03:00.0 chip-ID: 10ec:8852
  IF: wlo1 state: up mac: <filter>
  IF-ID-1: enp5s0f3u1c4i2 state: down mac: <filter>
Bluetooth:
  Device-1: Realtek Bluetooth Radio type: USB driver: btusb v: 0.8
    bus-ID: 1-4:2 chip-ID: 0bda:2852
  Report: rfkill ID: hci0 rfk-id: 0 state: up address: see --recommends
Drives:
  Local Storage: total: 476.94 GiB used: 249.43 GiB (52.3%)
  ID-1: /dev/nvme0n1 vendor: Samsung model: MZVLQ512HALU-000H1
    size: 476.94 GiB speed: 31.6 Gb/s lanes: 4 serial: <filter> temp: 33.9 C
Partition:
  ID-1: / size: 475.35 GiB used: 249.07 GiB (52.4%) fs: btrfs
    dev: /dev/nvme0n1p3
  ID-2: /boot size: 973.4 MiB used: 321.3 MiB (33.0%) fs: ext4
    dev: /dev/nvme0n1p2
  ID-3: /boot/efi size: 598.8 MiB used: 52.2 MiB (8.7%) fs: vfat
    dev: /dev/nvme0n1p1
  ID-4: /home size: 475.35 GiB used: 249.07 GiB (52.4%) fs: btrfs
    dev: /dev/nvme0n1p3
Swap:
  ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 52.0 C mobo: N/A gpu: amdgpu temp: 45.0 C
  Fan Speeds (RPM): fan-1: 0 fan-2: 0
Info:
  Processes: 396 Uptime: 1h 9m Memory: 14.97 GiB used: 5.27 GiB (35.2%)
  Init: systemd v: 251 target: graphical (5) default: graphical Compilers:
  gcc: 12.2.1 Packages: pm: rpm pkgs: N/A note: see --rpm pm: flatpak pkgs: 46
  Shell: Bash v: 5.2.15 running-in: gnome-terminal inxi: 3.3.25

Typical answer - it depends. Depends on your case - the level and nature of security you really need. Windows-specific security features (e.g., secure boot) were disabled in Linux machines for years but that didn’t make Linux worse from a security standpoint. I think that for most normal and advanced users, an encrypted disk, enforced SELinux, a strong password and proper security practices are way more effective than the presence/enablement of a single measure, e.g., TPM. TPM is good when properly implemented, but even the best features should not stand in the user’s way of achieving daily objectives. IMHO, TPM will make more sense when UKI makes its way to Fedora normal installs - Fedora 38 Plots Path To Unified Kernel Support - Phoronix.

3 Likes
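
A read-only way to check whether disk unlocking on a given machine currently depends on the TPM, as an added example that is not part of the thread: it looks for a `tpm2-device=` option in /etc/crypttab and a `systemd-tpm2` token in any LUKS2 header. The function names are illustrative, and other TPM consumers are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): does disk unlocking here rely on the TPM?

# Succeeds if the kernel exposes a TPM device. The sysfs root can be overridden.
tpm_present() {
    [ -e "${1:-/sys/class/tpm}/tpm0" ]
}

# Prints the names of crypttab entries whose options include tpm2-device=.
crypttab_tpm_entries() {
    ct_file="${1:-/etc/crypttab}"
    [ -r "$ct_file" ] || return 0
    awk '$1 ~ /^#/ || NF < 4 { next }
         index("," $4, ",tpm2-device=") { print $1 }' "$ct_file"
}

# Reads `cryptsetup luksDump` text on stdin; succeeds if the header carries
# a token of type systemd-tpm2 (written by systemd-cryptenroll).
luksdump_has_tpm2_token() {
    grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]*systemd-tpm2[[:space:]]*$'
}

main() {
    if tpm_present; then
        echo "TPM device is exposed to the kernel"
    else
        echo "no TPM device is exposed to the kernel"
    fi
    for ct_name in $(crypttab_tpm_entries); do
        echo "crypttab: $ct_name is set up to unlock with tpm2-device="
    done
    # Reading LUKS headers needs root.
    for luks_dev in $(blkid -t TYPE=crypto_LUKS -o device 2>/dev/null); do
        if cryptsetup luksDump "$luks_dev" 2>/dev/null | luksdump_has_tpm2_token; then
            echo "$luks_dev: has a systemd-tpm2 token; keep a passphrase or recovery key keyslot usable"
        fi
    done
}

# Run the audit only when asked, e.g. `sudo sh tpm-check.sh --run`.
if [ "${1:-}" = "--run" ]; then main; fi
```

On a system without LUKS volumes, as described in the question, only the first line of output appears.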

Thanks very much for the perspective - and yes, I think I was getting hung up on the individual feature, so the reminder that TPM alone does not cause the rest to crumble was very necessary. And in the whole “what is your threat model” discussion…I have no reason to believe I’m a special target of, or of special interest to, anyone at all, so the things you mentioned make more sense as priorities.

Thanks also for the link about Unified Kernel Support - I had read something about that before but hadn’t quite connected the dots.

Thank you!

1 Like