I’ve seen many instances of some software having DRM that significantly degrades the performance of the software, or worse, the performance of the entire OS due to heavy background tasks. Prime examples include Denuvo and all those Adobe background processes. Why can’t they just simply use the TPM or the other 5 security chips embedded into the CPU so that they don’t bloat the system?

  • Skull giver@popplesburger.hilciferous.nl
    28 days ago

    That’s not entirely true. From what I’ve read online, Valorant uses TPM keys as a method for machine bans in multi-player games. Banned players must buy a new CPU (fTPM) or TPM chip (dedicated TPM) to continue cheating. I also believe non-fTPMs get prioritized when it comes to manual review before banning, because those players are more likely to be swapping out hardware.

    Unless some cheat maker manages to hack a TPM company and extract the root certificate, this makes cheating significantly more expensive. It also prevents virtualisation from working around hardware IDs, as virtual TPMs will fail the challenge/response mechanism.

    I assume players with non-functioning TPMs will also be prioritised in human review as they lack the most reliable hardware identifier. Or maybe the game won’t even start, who knows.

    Edit: Googling for the source where I read this originally brings up tons of threads about people without TPMs being unable to play Valorant. That’s one way to handle that, I guess.

    • litchralee@sh.itjust.works
      28 days ago

      Perhaps this is a matter of nomenclature, but I wouldn’t have thought that enforcing a ban is part of what anti-cheat software is meant to do. Sure, the anti-cheat is what alerts the game server, and then the server bans either the account or the actual machine. But the OP’s question was about anti-cheat and DRM software that impacts system performance. Someone that’s been banned from a game will not have in-game performance issues, because they’re not able to play the game at all.

      I don’t think my omission of a TPM-based ban makes my answer “not entirely true”. I stand by my statement that TPMs are not suitable for the anti-cheat or DRM functionality when a game is running, and would not solve any performance issues if they were.

      With that out of the way, yes you’re right that the TPM can be used for other, ancillary purposes. The typical use is to securely store certificates uniquely issued to a machine, such that the bearer of the certificate must be the certificate’s rightful owner. This is sometimes used to authenticate to corporate VPNs or Windows AD domains. But these certificates can be replaced, which makes them useless for enforcing a ban on a particular machine.

      But TPMs also have a built-in, static certificate from when they were manufactured, which can only be challenged/responded using tokens from that manufacturer. If a game maker wants to coordinate with various TPM or mobo manufacturers to achieve that level of security, they’re certainly welcome to do so. But it also alienates users who don’t have or refuse to own such hardware, exactly as you’ve described. It’s a business decision, what they choose to do. Expedited manual review for broken TPM users is still fraught with issues, since there’s now an incentive to brick your own TPM and get a second chance at cheating.

      There’s no free lunch in building secure systems, and that’s why anti-cheat makers will always face the uphill battle.
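The two comments above turn on one distinction: a certificate the user can re-enrol (the VPN/AD case) proves nothing about the hardware, while a certificate issued by the TPM manufacturer at production time chains to a root the manufacturer controls, so a virtual TPM with a self-made certificate cannot pass the challenge/response. The following is an added example, not code from either commenter or from any game or TPM vendor. It is a simplified model written in Go: a constructed "manufacturer CA" issues an endorsement certificate to one device, a virtual TPM presents a self-signed one, and a third machine replays the genuine certificate without holding its key. The server accepts only a certificate that chains to a trusted root and a fresh nonce signed with the certified key. Real TPM endorsement keys are proved through encryption-based credential activation rather than a plain signature, and real manufacturer roots are distributed by the vendors; both are replaced here by constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// device models a TPM-like part: an endorsement key that never leaves the
// chip plus the certificate issued for it.
type device struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// sign is the only operation the "chip" exposes to the game client: sign a
// server-supplied nonce with the endorsement key.
func (d device) sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub with signer. parent == tmpl and
// signer == the key behind pub produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// attest is the server side. A device passes only if (1) its certificate
// chains to a manufacturer root the server trusts and (2) it signs a fresh
// nonce with the key named in that certificate (proof of possession).
func attest(roots *x509.CertPool, cert *x509.Certificate, sign func([]byte) ([]byte, error)) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted manufacturer: %w", err)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := sign(nonce)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("response does not prove possession of the certified key")
	}
	return nil
}

// run builds a constructed manufacturer CA and three devices, returning the
// attestation result for a genuine part, a self-signed virtual TPM, and a
// machine replaying the genuine certificate without its private key.
func run() (genuine, virtual, replay error) {
	caKey := mustKey()
	caTmpl := template("Example TPM Manufacturer CA (constructed)", 1, true)
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	genuineDev := device{key: mustKey()}
	genuineDev.cert = issue(template("EK serial 1001 (constructed)", 1001, false), caCert, &genuineDev.key.PublicKey, caKey)

	vtpm := device{key: mustKey()}
	vtpmTmpl := template("Virtual TPM EK (constructed)", 2001, false)
	vtpm.cert = issue(vtpmTmpl, vtpmTmpl, &vtpm.key.PublicKey, vtpm.key)

	thief := device{key: mustKey(), cert: genuineDev.cert}

	genuine = attest(roots, genuineDev.cert, genuineDev.sign)
	virtual = attest(roots, vtpm.cert, vtpm.sign)
	replay = attest(roots, thief.cert, thief.sign)
	return
}

func main() {
	g, v, r := run()
	fmt.Println("genuine TPM:", g)
	fmt.Println("virtual TPM:", v)
	fmt.Println("replayed certificate:", r)
}
```

Running it prints `<nil>` for the genuine device and an error for the other two. The virtual TPM fails at the chain check, exactly the point made about virtualisation above, and the replay fails at the nonce check, which is why the server must demand a live signature rather than just the certificate. Note what the example does not solve: it identifies the chip, not the player, so the policy questions in the thread (hardware swaps, broken TPMs, manual review) remain.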