Is there a way to physically remove the Trusted Platform Module? I will be running a Linux-only system and will never have a need for it. Also, I don’t trust it as I’m an unreasonable, and cynical git. That said, my concerns are not without merit:
2 Likes
Should be enough to just remove the TPM module loaded by the Linux kernel. Without the “drivers” loaded, no application can access (theoretically).
1 Like
That’s cool and all, but I want to “Physically” remove the chip, if possible.
1 Like
If it is soldered, it may be more complicated… :}
Not sure if the FW uses a discrete TPM module, as it may just be using the fTPM, which means that you’d need to rip out the processor to remove the TPM.
3 Likes
Pretty sure it’s using a firmware TPM. So you’d have to desolder the SoC…
I wouldn’t recommend that.
4 Likes
Apparently Linus Torvalds is not a fan of the TPM either.
1 Like
The TPM in the Framework 16 is integrated into the SoC. It’s a Microsoft Pluton TPM. Even though there is a kernel module loaded for it is not used by anything in Linux by default. You can interact with it using tpm2-tools. If you don’t want to use it, you can also block the tpm related kernel modules from loading as mentioned above.
14 Likes
Why is it the more I go down this TPM rabbit-hole, the more I am divided between “It’s probably fine.” and “Where is my tin-foil hat?” The Reddit posts alone are all over the place.
https://gabrielsieben.tech/2022/07/25/the-power-of-microsoft-pluton-2/
1 Like
My opinion is that in Windows the tin foil hat is more justified.
In Linux the only thing exposed is the TPM2 implementation. If you don’t use the TPM2 it’s some dormant RTL.
5 Likes
Amazing what the industry does to just remain in the “positive” list of some manufacturers - e.g. Microsoft …
It is amazing also, what the Opensource Community does, to evade the limitations put in place :} It is a perfect exercise to understand how it works, and know what it implies and finally realize what it will mean in the future to come…
I’m so happy I grew up in the 80ies… I made so much crap, but there is no recording of it available !!! 
3 Likes
So, now that I actually have my framework 16 and am playing through the BIOS, I see The TPM options under security.
Why is it that I haven’t seen anybody mention that you can just turn off TPM in the BIOS setup?
Is this not recommended for some reason?
This virgin computer will never see Windows.
Sure you can disable in BIOS if you want. The BIOS will no longer measure the boot process into PCRs and you can no longer audit (like fwupd does).
But functionally should be totally fine.
2 Likes
Thank you, Mario.
I guess those are functionalities I will want if I have any issues but so far things are going well.