TPM actually provides some useful components to isolate encryption outside of Ring 0, which is a trust win. But any technology must be weighed against its power to oppress.
And its power to make the system less secure. Isolating things outside ring 0 means malware can isolate itself outside ring 0 as well, and then it’s impossible to detect or remove without throwing out the entire machine.
Which is much, much scarier than anything an ordinary rootkit might do.