zlacker

[parent] [thread] 31 comments
1. fulafe+(OP)[view] [source] 2022-07-26 07:50:08
Yes, lots of Linux devices apply it like that today: you can't use your banking app or consume DRM-crippled media on your Android phone if you have root or run an open source Android distribution.
replies(1): >>Aeolun+G
2. Aeolun+G[view] [source] 2022-07-26 07:58:53
>>fulafe+(OP)
> if you have root

Because god forbid you have control of your own PC?

replies(6): >>Ycombi+41 >>nptelj+74 >>Arnt+F7 >>kahncl+A8 >>newscl+0h >>api+pv
3. Ycombi+41[view] [source] [discussion] 2022-07-26 08:02:36
>>Aeolun+G
Because if you have control, so do numerous other parties.
replies(2): >>feanar+Q2 >>palata+83
4. feanar+Q2[view] [source] [discussion] 2022-07-26 08:19:35
>>Ycombi+41
This doesn't follow at all. Those other parties cannot authenticate as me.
5. palata+83[view] [source] [discussion] 2022-07-26 08:24:04
>>Ycombi+41
Those are independent. Having root access does not mean that other parties do, but more importantly, NOT having root does not mean AT ALL that other parties don't.
6. nptelj+74[view] [source] [discussion] 2022-07-26 08:34:01
>>Aeolun+G
Yep! Basically, it's safer if you don't own your PC. Think about users with a million toolbars and Bonzi Buddy installed.

Of course, the system for it is rudimentary, and puts a disproportionate amount of control in the hands of providers. And that works very well for them too.

replies(2): >>adev_+9r >>userbi+CE
7. Arnt+F7[view] [source] [discussion] 2022-07-26 09:11:57
>>Aeolun+G
Uhm, these things don't really take away your control, rather, they shift it from you to you.

The software you boot sets up some state and then toggles a bit, and after that something can't be changed. The state is secure against much modification after that time, but not before that time.

The "you" that boots the device are in control, and the "you" that uses the device after that have exactly what "you" set up at boot time, neither more nor less. If both "you" are the same person, then there's no loss of control.

But of course they're often not really the same person. If you want to boot a Microsoft-signed image, the party that boots is more or less Microsoft, not you personally. But in that case, you also want to use that Microsoft-signed OS, right? So the shift towards boot-time control is then a shift from mostly-Microsoft use-time control to mostly-Microsoft boot-time control. Mostly Microsoft here, mostly Microsoft there, even if the two mostlies aren't quite the same percentage it's difficult to regard this as a significant loss of control.

replies(1): >>raxxor+pb
8. kahncl+A8[view] [source] [discussion] 2022-07-26 09:20:52
>>Aeolun+G
I think this is more for Android phones, and preventing a malicious app on your phone from using the root access to hijack data from your banking app.
replies(2): >>ajsnig+nq >>fulafe+cv
9. raxxor+pb[view] [source] [discussion] 2022-07-26 09:47:14
>>Arnt+F7
This is false and just redefining control.
replies(1): >>Arnt+Se
10. Arnt+Se[view] [source] [discussion] 2022-07-26 10:22:17
>>raxxor+pb
How so? Redefines from what to what? Please elaborate.

Perhaps you mean that if you, as owner and legitimate user of a device, are able to perform a particular change only during a brief window of time rather than at any time of your choosing, then that limits your control over the device? If so, then my answer is yes, certainly it does. But it also limits the access of anyone who impersonates you (such as the evil exploity javascript I make your browser execute).

replies(1): >>feanar+Eq
11. newscl+0h[view] [source] [discussion] 2022-07-26 10:48:18
>>Aeolun+G
For me that’s a problem for the average user? That’s everyone else’s problem that idiots don’t care to control their technology and need big tech to do so with an iron fist
replies(1): >>acdha+3o
12. acdha+3o[view] [source] [discussion] 2022-07-26 11:48:51
>>newscl+0h
Calling the problem “idiots” is a cognitive trap which prevents you from meaningfully dealing with it. Everyone is at risk from zero-days, almost anyone can be phished (yes, this includes you), many people have no way or time to investigate whether some well-known vendor is misrepresenting their product, and even security experts have to trust other people on a daily basis because they don’t have time to reverse-engineer every software update. Most people who get snide about this are a single malicious package in their favorite programming language away from a big mess!

The best progress we’ve seen in decades came from most people using locked-down phone operating systems, followed by stricter desktop OSes. If you don’t like that trajectory, you should be focused on how to get the benefits with other trade offs. One of the first steps is respecting people enough to understand their needs rather than calling them idiots.

13. ajsnig+nq[view] [source] [discussion] 2022-07-26 12:05:48
>>kahncl+A8
Well that's the problem.... the next step would be requiring users to use MS Edge, because a malicious version of firefox could capture/modify banking/transaction data. Want to pay bills? Give money to microsoft first.
replies(1): >>kahncl+ih3
14. feanar+Eq[view] [source] [discussion] 2022-07-26 12:07:32
>>Arnt+Se
You're wrong because the bootloader is more often locked than not, and there are various other nefarious controls in place that prevent you from doing it without voiding your warranty, such as one-time fuses.

In theory, yes, you could implement it like you said, but that's not what happens in practice nor the direction we've been tending towards in recent times.

replies(1): >>Arnt+Au
15. adev_+9r[view] [source] [discussion] 2022-07-26 12:11:23
>>nptelj+74
> Yep! Basically, it's safer if you don't own your PC. Think about users with a million toolbars and Bonzi Buddy installed.

And it is a pretty terrible solution to the problem.

- It also keeps the good guys out: anyone who wants to analyse and understand the security of the system for good reasons cannot, except if explicitly allowed by corporation X, and that is a terrible security property.

- No root access also means very little control or ability to scan the system itself if you are not the corporation X controlling it. That means no possibility to mandate reviewer corporation Y to check that corporation X is doing the right thing. TPMs currently make that even worse by design: they are undocumented and complex, and therefore rely on blind trust that company X does the right thing. And since the Intel Management Engine fiasco, we do know they are not doing the right thing.

- The Bonzi Buddy and toolbar type of problem can easily be avoided by properly separating the normal user account from any admin account (the Unix way). It should be painful to be admin but not impossible, just to make sure your grandma does not install a rootkit by mistake when she wants her 20% coupon.

In summary: That is mainly bullshit from company X to keep full control on the entire user device, and not for their own good.

replies(1): >>nptelj+WB
16. Arnt+Au[view] [source] [discussion] 2022-07-26 12:33:03
>>feanar+Eq
Bootloader locking is orthogonal to whether there's a second CPU like that Pluton in the system.
replies(1): >>feanar+lB
17. fulafe+cv[view] [source] [discussion] 2022-07-26 12:37:20
>>kahncl+A8
If this was the reason they'd be blocking access from phones that are not up to date on security updates and are being actively exploited by malware to get root.

But it's the other way around: if you improve your old device by installing an up-to-date Android on your vendor-abandoned, previously vulnerable device, you go from working banking to banned from banking.

18. api+pv[view] [source] [discussion] 2022-07-26 12:38:42
>>Aeolun+G
This is the root of the pro market / mainstream market split.

For the pro market people want control. Pros also generally know a bit more about how to use that control and tend to be less likely to end up getting pwned immediately.

For regular users people just want shit that works. Not having control is a feature, because if you have control then the malware you are tricked into installing from "ɡeτflrêfox.com" also has control.

You can see it in the Apple ecosystem with iOS vs. macOS. Macs and iPads are now almost the same hardware. (The M chips are just A chips on 'roids.) But Macs can run other OSes and you can "sudo root." That's because Macs are for pros.

replies(1): >>katbyt+kR
19. feanar+lB[view] [source] [discussion] 2022-07-26 13:15:46
>>Arnt+Au
To quote you:

> The "you" that boots the device are in control, and the "you" that uses the device after that have exactly what "you" set up at boot time, neither more nor less. If both "you" are the same person, then there's no loss of control.

How is it orthogonal? Okay, we're not strictly speaking of only bootloader locking, but of boot-time-control locking.

replies(1): >>Arnt+1Dd
20. nptelj+WB[view] [source] [discussion] 2022-07-26 13:19:50
>>adev_+9r
I agree. In a proposal like this, security is basically a byproduct, and sometimes not even that[0]. This is also a domain where the governmental and corporate powers have a similar goal, which is wresting away the control from the public / individual. They basically work in synergy, only to a point of course, but still.

Regarding Bonzi Buddy, I disagree. I think user data is as important, if not more important, than root access - which is why I'm dumbfounded when ancient server security features, like Linux's sudo system, are applied to a consumer device like a PC or a smartphone. These contexts are much better served by a sandboxing, permission-based whatever that seems to pick up steam, like the current permission systems on smartphones. Grandma's logins and bank data will be stolen from her own user account just the same as from an admin account. Related XKCD[1]

[0] https://en.wikipedia.org/wiki/Security_theater

[1] https://xkcd.com/1200/

replies(1): >>iggldi+931
21. userbi+CE[view] [source] [discussion] 2022-07-26 13:31:33
>>nptelj+74
> Think about users with a million toolbars and Bonzi Buddy installed.

I say let them be. As long as they also have the freedom to remove or not install such software, it's a good thing. Instead we have locked-down devices with the functional equivalent of such unwanted software, protected so that you cannot remove it without somehow getting root.

"Those who give up freedom for security deserve neither."

replies(1): >>lotsof+oI
22. lotsof+oI[view] [source] [discussion] 2022-07-26 13:52:48
>>userbi+CE
My parents grew up in a non-English-speaking developing country, and they cannot be reasonably expected to learn the nuances of malware-laden links to figure out which English text link is good or bad.

Do they deserve to not be able to shop online without fear of having their payment information stolen? Or mistyping a URL in their non-native language and ending up at a scam website that installs malware? Or simply having a device that slows to a crawl such that they cannot reliably video call their grandkids?

replies(2): >>nptelj+oK >>agileA+VY
23. nptelj+oK[view] [source] [discussion] 2022-07-26 14:01:57
>>lotsof+oI
I don't mind the lock, but why don't we have the key? There's no reason to centrally hold these hostage.
24. katbyt+kR[view] [source] [discussion] 2022-07-26 14:33:52
>>api+pv
You can also disable all the System Integrity Protection stuff on macOS pretty easily if you do want to mess around where Apple would rather people not.
25. agileA+VY[view] [source] [discussion] 2022-07-26 15:00:59
>>lotsof+oI
The problem you are describing will be irrelevant in a generation or two, as kids grow up on the internet.
replies(1): >>corrra+D41
26. iggldi+931[view] [source] [discussion] 2022-07-26 15:18:14
>>nptelj+WB
> like the current permission systems on smartphones

Ugh, except that one goes overboard in the completely opposite direction, and often doesn't let me properly share data between apps even when I want to.

27. corrra+D41[view] [source] [discussion] 2022-07-26 15:26:11
>>agileA+VY
I can assure you that the upcoming generations aren't much better at any of this, on average.

And no, it's not smartphones' faults. Most people just don't "get" desktop OS paradigms, or how web pages work, or any of that, and they don't really care to.

replies(2): >>userbi+WV2 >>agileA+rc4
28. userbi+WV2[view] [source] [discussion] 2022-07-27 04:17:10
>>corrra+D41
> Most people just don't "get" desktop OS paradigms, or how web pages work, or any of that, and they don't really care to.

That's because they "won't miss freedom they never had".

29. kahncl+ih3[view] [source] [discussion] 2022-07-27 08:27:52
>>ajsnig+nq
Are you saying the bank doesn’t have the right to define what kinds of software are permitted to access its systems?

We’re not just talking about the freedom to run software on your own device here, we’re talking about interacting with outside systems. There is an important distinction in context.

replies(1): >>ajsnig+ps3
30. ajsnig+ps3[view] [source] [discussion] 2022-07-27 10:35:41
>>kahncl+ih3
It's a browser.

As long as it adheres to basic web standards, I believe no, the bank should have no say in what browser you use to access their webpage.

31. agileA+rc4[view] [source] [discussion] 2022-07-27 15:29:59
>>corrra+D41
Nah dude. Most young people nowadays have an inbuilt sense of which links are sus; it's not exactly rocket science. If it looks sus, it is.
32. Arnt+1Dd[view] [source] [discussion] 2022-07-30 16:13:40
>>feanar+lB
That CPU is set up by the kernel at boot time, given the code to run, then some hardware bits are toggled such that the main CPU can't write later, it can only access the separate CPU via a defined API.

The kernel could do the same with an in-kernel process. It wouldn't have quite the same depth of defense against userspace sandbox escapes, but could be done. That's roughly how /dev/random was implemented for many years.

Look at the APIs provided — it's nothing new. It's nothing OSes haven't provided before, it's just further removed from a Chrome/FF/Safari sandbox escape, because overcoming the write-once hardware toggles is harder than getting kernel read/write primitives for a sandbox privilege escalation.
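The write-once pattern Arnt describes in comments 7 and 32 (the booting code sets up state, flips a bit, and from then on that state can only be reached through a defined API) has a plain userspace analogue, shown here as an added example that is not part of the thread and not anyone's product code. The "boot" phase fills a configuration page, then mprotect() turns the page read-only, so later code, including an attacker who has gained arbitrary write, can read the settings through the accessors but cannot alter them. The Linux kernel's own `__ro_after_init` annotation is the same idea applied to kernel data. The config fields, the function names and the simulated attacker routine are my own constructions; the SIGSEGV handler with sigsetjmp/siglongjmp is only there so the blocked write can be observed instead of crashing the process.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical boot-time configuration, kept in its own page so the
 * whole thing can be sealed with one mprotect() call. */
struct boot_config {
    uint32_t secure_boot;
    uint32_t debug_enabled;
    char     trusted_key_id[32];
};

static struct boot_config *cfg;   /* NULL until boot_setup() runs */
static int sealed;

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* "Boot time": the page is writable and the booting code decides the state. */
int boot_setup(const char *key_id, int debug)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (cfg)                       /* re-provisioning: drop the old page */
        munmap(cfg, (size_t)pg);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    cfg = p;
    memset(cfg, 0, sizeof *cfg);
    cfg->secure_boot   = 1;
    cfg->debug_enabled = debug ? 1u : 0u;
    strncpy(cfg->trusted_key_id, key_id, sizeof cfg->trusted_key_id - 1);
    sealed = 0;
    return 0;
}

/* The "toggle a bit" step: after this, nothing in the process can write
 * the page without first undoing the protection. */
int boot_seal(void)
{
    if (!cfg)
        return -1;
    if (mprotect(cfg, (size_t)sysconf(_SC_PAGESIZE), PROT_READ) != 0)
        return -1;
    sealed = 1;
    return 0;
}

/* The defined use-time API: read-only accessors, no setters at all. */
int cfg_is_sealed(void)             { return sealed; }
int cfg_debug_enabled(void)         { return cfg ? (int)cfg->debug_enabled : -1; }
const char *cfg_trusted_key_id(void){ return cfg ? cfg->trusted_key_id : NULL; }

/* Simulated use-time attacker with an arbitrary-write primitive who tries
 * to flip debug_enabled. Returns 1 if the write landed, 0 if it faulted. */
int attacker_try_enable_debug(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int landed = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        cfg->debug_enabled = 1;   /* faults once the page is read-only */
        landed = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return landed;
}

int main(void)
{
    boot_setup("vendor-key-2022", 0);
    printf("before seal, attacker write landed: %d\n", attacker_try_enable_debug());
    boot_setup("vendor-key-2022", 0);      /* fresh page, then seal it */
    boot_seal();
    printf("after seal, attacker write landed:  %d\n", attacker_try_enable_debug());
    printf("debug_enabled as seen by the API:    %d\n", cfg_debug_enabled());
    return 0;
}
```

The point the thread is arguing about shows up directly: the same write succeeds before boot_seal() and fails after it, so whoever runs the boot phase chooses the state and everyone who runs later, the legitimate owner included, gets exactly that state and no more. A real coprocessor or fuse differs only in that the "undo" is not available to software at all, whereas here a kernel-level attacker could still call mprotect() again.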
