zlacker

>>pabs3+(OP)
It isn't just "make ad-blocking (near) impossible" as the current title of the submission suggests. It is:

Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.

Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.

Make crawling the internet possible only to Google. No private crawling and no competing search engines.

Let me know if I've missed anything...

>>Adverb+T5
iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.

>>mozbal+S8
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.

The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.

>>jeroen+Ld
> I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

Do you mean a kind of Linux where root cannot do anything he wants? Like Android?

>>codedo+Eh
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.

More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.

>>jeroen+Zm
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.

Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.

>>holler+RV5
Fedora's own website [1] states:

> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.

Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.

[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...

>>jeroen+o36
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora support secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.

And, again, it is complicated to get it turned on. How complicated? Take a look:

https://nwildner.com/posts/2021-04-10-secureboot-fedora/

>The kind of Linux 99% of Linux users are running today.

I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.