zlacker

[return to "Pluton is not currently a threat to software freedom"]
1. marcod+J9 2022-01-09 03:31:00
>>foodst+(OP)
Will this allow my computer, in the future, to be as locked as current smartphones? Will this allow software to refuse to run or services to refuse to work depending on third party software I have installed?
◧◩
2. mjg59+Aa 2022-01-09 03:38:06
>>marcod+J9
Everything needed to lock down your computer as much as a phone already exists; there's no need for a TPM or Pluton to do so.
◧◩◪
3. userbi+3c 2022-01-09 03:51:09
>>mjg59+Aa
There's a huge difference between "exists" and "is now commonly available and made easier to use". The frog-boiling is slow, but an increasingly large number of us are becoming aware of this new rise of corporate authoritarianism, and we know how it will end if we do not fight it as hard as we can.
◧◩◪◨
4. mjg59+qc 2022-01-09 03:54:28
>>userbi+3c
All Microsoft need to do to block other operating systems from PCs is change their policy around secure boot. All they need to do to prevent unsigned apps from running is change the default behaviour of Windows. The code exists. It's deployed. It's commonly available.
◧◩◪◨⬒
5. transp+yd 2022-01-09 04:03:46
>>mjg59+qc
Pluton will likely close OEM/firmware security holes that could be used to escape such policy.
◧◩◪◨⬒⬓
6. mjg59+5g 2022-01-09 04:28:08
>>transp+yd
Via what mechanisms? Nothing we currently know about Pluton would enable it to do anything like that, as far as I can tell.
◧◩◪◨⬒⬓⬔
7. transp+Si 2022-01-09 04:53:36
>>mjg59+5g
Not much detail, but slide 12 claims: https://www.platformsecuritysummit.com/2019/speaker/seay/PSE...

> Pluton validates and boots Security Monitor

> Security Monitor validates and boots the Linux Kernel

> Application Signatures are verified by SM and Pluton before Linux Kernel loads an application

◧◩◪◨⬒⬓⬔⧯
8. mjg59+4k 2022-01-09 05:04:38
>>transp+Si
This design still relies on prior stages of the boot process handing stuff over to Pluton - if there are vulnerabilities in the OEM firmware, they're still going to be exploitable in this model.