All this talk of TPMs has me wondering: most of the premise of a TPM is that it's basically a hardware cryptographic device that lets you generate keys and do various operations with them, but never extract the key itself, right? Then, if you do actually want a TPM-like device that behaves mostly like a normal one but lets you get at the keys through some backdoor, what's stopping you from making and using one? Some manufacturer (model? batch?)-specific private key programmed at the factory that lets it authenticate itself as a genuine TPM?
> Some manufacturer (model? batch?)-specific private key programmed at the factory that lets it authenticate itself as a genuine TPM?
Yes, AFAIK every TPM comes with a unique "endorsement key", signed by the TPM manufacturer, which can be used to prove that it's a real TPM from that manufacturer. A quick web search found https://tpm2-software.github.io/tpm2-tss/getting-started/201... which explains how it's used.
Remote attestation is for identifying yourself to a remote that has already agreed to trust you previously. If the remote has already agreed to trust device foo based on its TPM's EKpub, then foo's TPM can later prove that it's foo by signing something with its TPM's EKpriv. There still needs to be some prior out-of-band registration to register foo's TPM's EKpub with the remote.
It makes sense for, say, an organization that provides the devices its employees use, because the organization can pre-register those devices' EKpubs in its servers and refuse to acknowledge any device that can't attest. But in the case of Windows, presumably MS is not going to become the single source of all Windows computers.
At best, they might register your device's EKpub when you install Windows and create a MS account or something, but if you already had a backdoored TPM at the time, that backdoored TPM is what will get registered.
It is also possible that MS could require a TPM with an EK certificate that is chained to a set of CAs based on some popular TPM manufacturers. That would certainly prevent you from using any device that doesn't have a "real official" TPM, but I feel this would be quite overkill of MS to do. Then again I would've said the same about an OS that requires a TPM in the first place, but here we are...
Nothing prevents you from making your own TPM implementation. There are even TPM emulators, both at the software level - mssim / ibmswtpm2 (Linux-only) - and at the hardware level - virtualized TPMs for VMs (qemu, and I believe Hyper-V too).
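The two enrollment policies discussed in this thread (pre-registering or trust-on-first-use of an EKpub, versus requiring the EK to chain to a trusted manufacturer), followed by a nonce challenge, as an added toy model in Go; it is not code from the thread or from any TPM stack, the names are made up, and it follows the comment's "sign with EKpriv" description. Real TPM 2.0 EKs are usually restricted decryption keys, so real attestation goes through an Attestation Key and credential activation rather than signing with the EK directly; the trust decisions are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Device models a TPM: EK never leaves it; EKCert stands in for the manufacturer's EK certificate.
type Device struct{ EK *ecdsa.PrivateKey; EKCert []byte } // EKCert = manufacturer signature over EKpub
func pubBytes(p *ecdsa.PublicKey) []byte { b, _ := x509.MarshalPKIXPublicKey(p); return b }
func digest(b []byte) []byte             { s := sha256.Sum256(b); return s[:] }
func sign(k *ecdsa.PrivateKey, m []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, k, digest(m)); return s }

// NewDevice provisions an EK at the "factory"; mfr == nil models a home-made or backdoored TPM.
func NewDevice(mfr *ecdsa.PrivateKey) *Device {
	ek, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	d := &Device{EK: ek}
	if mfr != nil {
		d.EKCert = sign(mfr, pubBytes(&ek.PublicKey))
	}
	return d
}

// Verifier is the remote. With TrustedMfrs empty it registers whatever EKpub shows up first.
type Verifier struct{ TrustedMfrs []*ecdsa.PublicKey; Registered map[string]*ecdsa.PublicKey }
func (v *Verifier) Enroll(id string, pub *ecdsa.PublicKey, ekCert []byte) bool {
	endorsed := len(v.TrustedMfrs) == 0 // no manufacturer CA configured: trust on first use
	for _, m := range v.TrustedMfrs {
		endorsed = endorsed || ecdsa.VerifyASN1(m, digest(pubBytes(pub)), ekCert)
	}
	if endorsed {
		v.Registered[id] = pub
	}
	return endorsed
}

// Attest: fresh nonce; only the holder of the EKpriv registered under this id can answer.
func (v *Verifier) Attest(id string, d *Device) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	pub, ok := v.Registered[id]
	return ok && ecdsa.VerifyASN1(pub, digest(nonce), sign(d.EK, nonce))
}

func main() {
	mfr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := &Verifier{TrustedMfrs: []*ecdsa.PublicKey{&mfr.PublicKey}, Registered: map[string]*ecdsa.PublicKey{}}
	rogue := NewDevice(nil) // no factory endorsement
	fmt.Println(v.Enroll("rogue", &rogue.EK.PublicKey, rogue.EKCert)) // false
}
```

The strict verifier rejects the unendorsed EK at enrollment, while a verifier with no manufacturer CA configured happily registers it and the same device attests fine afterwards, which is the point made above about a backdoored TPM being registered at install time.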