Is there any risk in installing Linux without TPM - backdoor risk? ,Management Engine Technology [closed]

Question

I have no confidence in this technique due to the risk of backdating. Are my concerns justified. Do I lose security by disabling this option in the bios?

Windows requires this, but Linux does not. What does activating or deactivating this (Management Engine Technology) really get me?

under the motherboard settings I have a category called ME and under this I have options: PCH-FW Configuration - > configure the Management Engine
Enable Discrete TPM Enable Firmware TPM Can I safely turn this off or is it not recommended and more risk than gain?

Answer 1

In general the TPM has nothing to do with Intel ME. It is a stand-alone, passive component that has no control over the OS, and originally it would come as a discrete chip on the motherboard. (But having the "Discrete TPM" option doesn't necessarily mean the TPM chip is present; often the motherboard just has a pin header to attach a separately purchased module.)

However, Intel ME can emulate a TPM within the CPU (under the brand name "Intel PTT"), which means that a computer can have both a discrete TPM chip and a ME-emulated TPM in some cases. Only one TPM (either firmware-based, or discrete if present) should be enabled.

It is safe to disable the TPM if you're sure that nothing currently uses it. (For example, in Linux, encrypted LUKS volumes might be configured to automatically unlock with help from the TPM.)

But note that this doesn't really disable all of Intel ME – it only disables the TPM emulation. For example, it does not disable Intel AMT remote-management feature (which is also implemented via ME), and I'd be much more worried about AMT than TPM.

---

Windows (even 11) doesn't really require the TPM for daily use; it was made a baseline requirement so that manufacturers would include it and MS developers could safely assume its presence.