zlacker

1. grishk+(OP) 2023-07-25 11:04:12
You can't. On most modern systems there is software that runs with privileges above your OS kernel that you can't remove or modify because it is signed with the manufacturer's key. The key is part of a "trusted" boot chain. The root of trust is usually burned into the silicon in the fuses or the initial bootloader (boot ROM).

TEE on Android, for example. Intel ME on PCs, and probably TPMs also have firmware of their own. Secure Enclave on Apple devices.

There's an outstandingly good perspective on the issue in another thread: >>36859465

replies(2): >>judge2+KI >>JohnFe+Wf1
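An added example, not code from the thread or from any vendor's firmware, modelling the boot chain the comment above describes: a digest burned into one-time-programmable fuses anchors the check of the first stage, and every stage image embeds the digest of the stage it hands off to, so changing any image without changing the fuses halts the boot. The stage names, the manifest layout and the image contents are constructed for illustration, and the manufacturer's signature check is replaced by a plain SHA-256 comparison so the example runs on the standard library alone (real chains verify a signature over each image, with only the signing key's hash in fuses, which is what lets the vendor ship updates without re-burning anything).

```python
# Added example (not code from the thread or from any vendor firmware): a toy model of a
# hardware-rooted boot chain. Simplification: the manufacturer signature check is replaced
# with a SHA-256 comparison. Stage names, manifest layout and image contents are constructed.
import hashlib
from types import MappingProxyType

TERMINAL = "0" * 64  # "no next stage" marker in the last image's manifest


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_chain(stages):
    """Package (name, code) pairs so each image embeds the digest of the next one.

    Built back to front: the final stage is fixed first, its digest goes into the
    manifest of the stage before it, and so on. Returns the images in boot order and
    the digest of the first image, which is what the factory burns into the fuses.
    """
    images = []
    next_digest = TERMINAL
    for name, code in reversed(stages):
        manifest = f"NAME={name}\nNEXT={next_digest}\n".encode()
        image = manifest + code
        images.append(image)
        next_digest = sha256_hex(image)
    images.reverse()
    return images, next_digest


def parse_manifest(image):
    """Return (name, next_digest) from an image, rejecting anything malformed."""
    lines = image.split(b"\n", 2)
    if len(lines) < 3 or not lines[0].startswith(b"NAME=") or not lines[1].startswith(b"NEXT="):
        raise ValueError("malformed stage image")
    return lines[0][5:].decode(), lines[1][5:].decode()


def boot(fuses, images):
    """Emulate the boot ROM walking the chain; returns (booted, log of decisions)."""
    expected = fuses["root_digest"]
    log = []
    for image in images:
        try:
            name, next_digest = parse_manifest(image)
        except ValueError as exc:
            log.append(f"halt: {exc}")
            return False, log
        actual = sha256_hex(image)
        if actual != expected:
            log.append(f"halt: {name} digest {actual[:12]} != expected {expected[:12]}")
            return False, log
        log.append(f"ok: {name} verified, handing off")
        expected = next_digest
    if expected != TERMINAL:
        log.append("halt: chain ended before its last stage")
        return False, log
    return True, log


# Constructed stand-ins for the vendor's images; "tee" mirrors the Android TEE mentioned above.
STAGES = [
    ("bootloader", b"...loads and verifies the next stage..."),
    ("tee", b"...trusted execution environment..."),
    ("kernel", b"...vendor OS kernel..."),
]
IMAGES, ROOT_DIGEST = build_chain(STAGES)
FUSES = MappingProxyType({"root_digest": ROOT_DIGEST})  # read-only, like silicon fuses


def stock_boot():
    return boot(FUSES, IMAGES)


def custom_kernel_boot():
    """Swap in a user-built kernel behind the untouched vendor bootloader and TEE."""
    patched = IMAGES[:2] + [IMAGES[2].replace(b"vendor", b"custom")]
    return boot(FUSES, patched)


def reflashed_chain_boot():
    """Rebuild every image around the custom kernel: internally consistent, but the
    first image no longer matches the digest in the fuses."""
    custom = STAGES[:2] + [("kernel", b"...custom OS kernel...")]
    custom_images, _ = build_chain(custom)
    return boot(FUSES, custom_images)


def fuses_are_writable():
    """Software cannot change the root of trust: the mapping rejects assignment."""
    try:
        FUSES["root_digest"] = sha256_hex(b"some other root")
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    for label, run in [("stock", stock_boot), ("custom kernel", custom_kernel_boot),
                       ("reflashed chain", reflashed_chain_boot)]:
        booted, log = run()
        print(f"{label}: booted={booted}")
        for line in log:
            print("  " + line)
    print("fuses writable:", fuses_are_writable())
```

Running it shows the three outcomes: the stock images verify stage by stage; a swapped kernel is caught at the kernel stage because the vendor TEE image still carries the original kernel digest; and rebuilding the whole chain around the custom kernel is caught at the very first stage, since the fuses still name the vendor's bootloader. The only way to make the custom chain boot is to change what the fuses hold, and the read-only mapping models why software on the device cannot do that.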
2. judge2+KI 2023-07-25 15:02:41
>>grishk+(OP)
Even so, on most of the platforms you list you can disable the security checks and attestation mechanisms with a custom OS, which mitigates the risk of letting a site know that your computer is running any specific version of an OS with the proper anti-tamper checks. If you find a device that doesn’t, you can just not buy that device. At a certain point it’s not constructive to say “you can’t build that” when there is enough of a consumer benefit/desire and business incentive to do so.
replies(1): >>grishk+AP
3. grishk+AP 2023-07-25 15:29:19
>>judge2+KI
The problem is not someone knowing something. The problem is that since 99% of people use their devices in stock configuration, "no attestation available" would be interpreted as "attestation not passed". We're already seeing that with banking apps on Android. It doesn't matter whether you've rooted your stock ROM or are running something without Google services, the app will refuse to work either way.
replies(1): >>JohnFe+ug1
4. JohnFe+Wf1 2023-07-25 16:53:31
>>grishk+(OP)
But you can still get computers that have none of that stuff, or where it can be disabled.
replies(1): >>bayind+9t1
5. JohnFe+ug1 2023-07-25 16:55:01
>>grishk+AP
The bank thing doesn't bother me, personally. I can circumvent such restrictions entirely by using a bank that has a physical branch near me, and doing my business in person.
replies(1): >>grishk+6m1
6. grishk+6m1 2023-07-25 17:16:01
>>JohnFe+ug1
Or by using the website... oh wait.

From what I gather it depends a lot on the country, but in some countries, including Russia where I'm from, money transfers are done through your bank's app. You probably won't go to a branch to send someone $15 for pizzas they ordered at a party or something. Your only option would be to carry cash for such occasions.

replies(1): >>JohnFe+qo1
7. JohnFe+qo1 2023-07-25 17:23:51
>>grishk+6m1
> Your only option would be to carry cash for such occasions.

I'm in the US, but this is exactly what I do. I don't think I've ever actually used a banking app to send a small payment to someone for things like this, nor has anyone tried to use an app to send money to me. Cash is king.

(I fully understand that not everyone can or wants to handle payments this way. I'm just saying what works for me. I have no banking apps on my phone at all.)

8. bayind+9t1 2023-07-25 17:38:33
>>JohnFe+Wf1
Can you give me an example?

A computer without TPM, a "management engine", an Ethernet card with real firmware in a real ROM, no platform controller, nothing.

...and a completely open BIOS w/o any binary blobs, and UEFI layer.

Almost a 486DX, almost.

replies(1): >>JohnFe+Uk2
9. JohnFe+Uk2 2023-07-25 21:05:16
>>bayind+9t1
I don't have the models memorized and I'm not at home to check, but I recently bought four towers that don't have TPM or a management engine and allow you to disable UEFI. They're not new, true, but they're certainly not 486 level.

> an Ethernet card with real Firmware in a real ROM, no platform controller, nothing. ...and a completely open BIOS w/o any binary blobs

None of which I was talking about. But I am pretty sure that with any motherboard, you can disable onboard Ethernet and install whatever adapter you want instead.
