    The Dangers of Microsoft Pluton

    (gabrielsieben.tech)
    733 points gjsman-1000 | 21 comments
    metadat ◴[] No.32234045[source]
    Ew. Why are all the chip manufacturers going along with this stupid plan? I want to buy a processor and then own it and have it work in my best interests, not consume electricity and generate heat enforcing draconian 3rd party DRM policies.
    1. Analemma_ ◴[] No.32234486[source]
    The conspiratorial answers here are emotionally satisfying, but ultimately wrong. The reason chip makers and OS vendors are adding this is customer demand, by which I mean enterprises. Companies want remote attestation and guaranteed-immutable OS images on their networks, and I honestly can't say I blame them. In a perfect world they could have it and we could somehow firewall it away from the consumer space entirely, but that's not going to happen.
    2. walterbell ◴[] No.32234561[source]
    On-premise, open-source, customer-owned remote attestation servers are possible. Avoid outsourcing integrity verification to 3rd-party clouds.
    3. ◴[] No.32234573[source]
    4. wmf ◴[] No.32234629[source]
    The same enterprises asking for this stuff are also asking for it to be taken out of their hands because they don't trust themselves to operate it securely or reliably.
    5. pmontra ◴[] No.32234737{3}[source]
    So this turns into security theater because ultimately they can't trust those third parties either.
    6. intelVISA ◴[] No.32234804[source]
    I don't really care for the reason, why can't we as consumers opt out if it's consumer oriented then? For me it's not even about the egregious security and privacy implications -- I just simply want the (illusion of) choice w/r/t silicon rootkit 'features' that I'll never use.
    7. LtWorf ◴[] No.32234813{4}[source]
    They don't care about security, they just want proof that they did what they could when disaster happens.
    8. uw_rob ◴[] No.32234878{4}[source]
    When it comes to security someone must always sleep with one eye open - co-owning this responsibility is totally reasonable. Microsoft takes security seriously and is investing heavily in it; if they are already in your org's trust boundaries I see no reason why they wouldn't be considered good stewards for this as well.

    Besides, at enterprise scale, how do you trust internal teams? It could all be security theater and they aren't delivering on their promises as well.

    9. selfhoster11 ◴[] No.32234879[source]
    Good, if companies want those features, then they can be the ones to pay the price in privacy. Otherwise, let me set an OTP bit to disable all Management Engine kinds of functionality on the CPU permanently.
    10. p_l ◴[] No.32235239[source]
    Yes, they are possible... And they are implemented using all the evil things like Secure Boot, TPM, and Pluton.

    MS remote attestation doesn't require remote cloud or anything like that, I recall it supporting air-gapped environments from the start (guess why, the top-price enterprise clients want that, including re-signing Windows with their own secure boot keys).

    Disclaimer: for various reasons open source remote attestation in corporate is currently on my roadmap at work

    11. sofixa ◴[] No.32235285{5}[source]
    > Microsoft takes security seriously and is investing heavily in it

    Some parts of it maybe do. Some others, like multiple different Azure teams, don't even think about anything resembling security, or there wouldn't have been multiple critical and trivially exploitable security vulnerabilities on Azure in the last year only. (If you don't know them, please read up on them. Security is hard, but in those cases nobody even pretended to try!)

    12. sofixa ◴[] No.32235295[source]
    You can, it even says in the article that Lenovo and Dell are shipping with the Pluton chips disabled by default. If they can do it, a user can disable it too (for now at least).
    13. fsflover ◴[] No.32235593{3}[source]
    > And they are implemented using all the evil things like Secure Boot, TPM, and Pluton.

    There is nothing evil with TPM when you fully control it. See: Librem Key.

    14. fsflover ◴[] No.32235606{3}[source]
    Proprietary software with full system access tells that it's disabled. Do you trust that?
    15. p_l ◴[] No.32235714{4}[source]
    You either don't remember or weren't there when TPMs were first talked about, in either case I envy you then.

    And yes, there's nothing evil involved if they are owner controlled, something that honestly was heavily Microsoft pushed because they do have clients that insist on them - the DRM functionality in Intel ME has keys controlled by broadcasting associations instead (this is why you can't stream HQ on Linux from official sources), same with part of why AMD PSP got some uncontrolled bits (the blackmail goes that if you don't do that, customers will quickly find they can't stream Netflix/whatever in high quality on your hw and will stop buying it).

    Personally I believe that owner-control of hw should be enshrined in law, just like right to repair and modify, along with laws against deceptive "looks and quacks like a sale, is actually a lease" practices

    16. walterbell ◴[] No.32235748{5}[source]
    > owner-control of hw should be enshrined in law

    Have you seen OCP's Caliptra RoT, which requires OSS firmware, enforced by dual-signing of firmware by both OEM and owner? Currently for hyper-scalers, but this approach can be adopted by other enterprise customers, https://www.youtube.com/watch?v=p9PlCm4tLb8. Attestation will be done to Caliptra, which can then release SoC boot ROM from reset.

    17. intelVISA ◴[] No.32236950{3}[source]
    the same Lenovo that put a MITM attack in people's BIOS?
    18. autoexec ◴[] No.32237183{4}[source]
    I'm frankly already appalled by how much data (proprietary data, customer data, employee data, etc) companies are fine leaking to 3rd parties, MS especially. Even if you assume that Microsoft could never ever possibly be hacked, or would never favor one of your competitors enough to hand them your data, Microsoft's MO has often been basically stealing other people's work/ideas and stomping out or absorbing the people they took it from. The data they get from Outlook alone must be worth a fortune, but with everything the OS collects these days it's insane how little anyone cares.
    19. fithisux ◴[] No.32237705[source]
    Enterprises can put whatever they like on their devices. Not mine. So this argument falls apart.
    20. notriddle ◴[] No.32241268{4}[source]
    You're thinking about companies as monoliths. They are groups of people.

    The managers who want remote attestation aren't the people implementing it. They either pay someone else to do it, or they pay someone else to do it. The difference between paying a third-party company and an employee is that employees are more expensive, because the costs aren't amortized over other customers who want the same stuff. Why would they be more trustworthy? Why would they be better at it? Why would it be any less likely to be hacked if you did it at your company than if you outsourced it?

    21. synapse26 ◴[] No.32261846[source]
    Haven’t looked at the Intel space, but doesn’t AMD have a “PRO” tier available for OEM only? Ryzen Pro, Threadripper Pro… Or Nvidia and their segmented RTX/GTX vs Quadro. These hardware companies love segmentation, let them have it, do that for PRO enterprise only, leave my personal use, no remote attestation, immutable OS needed PC alone.