zlacker

[parent] [thread] 4 comments
1. grishk+(OP)[view] [source] 2022-07-30 01:15:50
> Wouldn't you prefer that this data only be able to be decrypted by a computer that can prove to the world it booted a clean OS image with all the latest security patches installed?

I trust myself more than I trust anyone or anything else. It's as simple as that. I don't even slightly trust Microsoft, Google, or Apple.

Your logic is built on an invalid premise that these companies can, in fact, be trusted.

> Remote attestation gives more control to the owners of data to dictate how that data is processed on third-party machines (or even their own machines that may have been compromised).

This is exactly what I want to avoid. It's my device. It should only ever serve me, not anyone else, including its manufacturer and/or OS developer. It should not execute a single instruction that isn't in service of helping me achieve something.

Also, the concept of ownership can simply not be applied to something that does not obey the physical conservation law, i.e. can be copied perfectly and indefinitely.

replies(1): >>fleven+v
2. fleven+v[view] [source] 2022-07-30 01:20:52
>>grishk+(OP)
If I want to buy a device that can generate a proof I can share with others to increase their trust in me, you shouldn't be able to stop me. Implemented properly, these machines can still boot whatever custom software you want; you don't have to share the proof of what booted with anyone.
replies(2): >>grishk+X >>nulbyt+zP
◧◩
3. grishk+X[view] [source] [discussion] 2022-07-30 01:26:54
>>fleven+v
I'm not saying that secure boot is inherently a bad idea. It's a good idea but only if all signing keys are treated equally. Right now, they aren't. AFAIK modern motherboards, those of them that use UEFI, come with Microsoft keys preloaded — and that preferential treatment is the part that's not okay. In an ideal world, all devices that support secure boot should come with a completely empty keystore so that you could either trust Microsoft keys or generate your own key pair and trust that. Possibly re-sign the Windows bootloader with it even.

It's much, much worse with mobile devices. You can re-lock the bootloader on a Pixel with your custom key, but you still can't touch TrustZone and you'll still get a warning on boot that it's not running an "official" OS build.

replies(1): >>mindsl+F01
◧◩
4. nulbyt+zP[view] [source] [discussion] 2022-07-30 13:28:41
>>fleven+v
You are correct, but I think that misses the point: Neither you nor I should be forced to buy only devices that run specified software as determined by a third-party. You are making this out to be a choice, that if it's available and you want it, you should be able to buy it. However, the worry is not over a choice to buy such devices, but over a mandate that only such devices be available and no others.
◧◩◪
5. mindsl+F01[view] [source] [discussion] 2022-07-30 15:05:09
>>grishk+X
This logic works for software signing, but not remote attestation. For remote attestation, the "tamper-proof-ness" is the root of the trust chain, and the signing keys are individually baked into the specific piece of hardware and not controlled by a third party. You seem to be hoping that we can disrupt that chain of trust by having manufacturers not record the public keys associated with each piece of hardware (such that individuals could create their own signing keys on open hardware), but that's just not going to happen.
[go to top]