bradfa 5 hours ago

Would love to see actual security-focused hardware/software features, like full OP-TEE, fTPM (or, more ideally, a real physical TPM), and similar. For example, so that the OTP isn't the only way to store a disk encryption unlock key.

The existing secure boot mechanisms aren't bad, but allowing for more than one public key hash in OTP would be nice, too.

These kinds of things are expected to be on modern embedded SoCs and SoMs now.

sq_ 4 hours ago | parent

A physical TPM with their overall high-quality software support would be awesome.

I've spent far too much time messing around trying to get TPMs working over SPI or I2C to meet security requirements with 4Bs and 5s over the years.

hedora 2 hours ago | parent

You do know those are trivially bypassed with a signal processor, right? If physical access is outside your threat model, that's OK, but it makes (for example) the forced Win11 upgrade for DRM^H^H^H boot integrity enforcement seem ridiculous.

https://pulsesecurity.co.nz/articles/TPM-sniffing

bradfa an hour ago | parent

The article you link to explains how to defeat the sniffing with TPM 2.0. But also, there's no reason a physical TPM has to be a separate IC package.