Remote attestation is the true enemy of your freedom. The power of the authoritarian corporatocracy to force you to use only the (entire) systems they control. It's worth reading https://www.gnu.org/philosophy/right-to-read.en.html again just to see how prescient Stallman was.
RA is a technology that has its fair use, and can be desired for other systems, like in Linux. With a pure RA system your services can decide to trust or not those devices on your network that can be compromised, and report to other devices that there is something suspicious.
As anything, this can be used properly to increase the security of your edge architecture, or wrongly to limit the users actions.
Let me put another example. With RA I should be able to authorize validated systems in my R&D VPN. If you are using your own laptop with the company certificate, and the verifier tag the systems as "unknown" or "unhealthy", it will not allow the access to the internal network, but sure you can still use your laptop for anything else. This, IMHO, is a fair use of this technology.
I write some notes[3] about how to use it in openSUSE MicroOS / Tumbleweed, but can be extrapolated to many other distributions too.
[1] https://github.com/keylime/keylime [2] https://github.com/keylime/rust-keylime [3] https://en.opensuse.org/Portal:MicroOS/RemoteAttestation
Of course, the system for it is rudimentary, and puts a disproportionate amount of control in the hands of providers. And that works very well for them too.
The software you boot sets up some state and then toggles a bit, and after that something can't be changed. The state is secure against much modification after that time, but not before that time.
The "you" that boots the device are in control, and the "you" that uses the device after that have exactly what "you" set up at boot time, neither more nor less. If both "you" are the same person, then there's no loss of control.
But of course they're often not really the same person. If you want to boot a Microsoft-signed image, the party that boots is more or less Microsoft, not you personally. But in that case, you also want to use that Microsoft-signed OS, right? So the shift towards boot-time control is then a shift from mostly-Microsoft use-time control to mostly-Microsoft boot-time control. Mostly Microsoft here, mostly Microsoft there, even if the two mostlies aren't quite the same percentage it's difficult to regard this as a significant loss of control.
In this one... that's not what they'll be used for.
This is the end game for the corporate internet. Not only can all your activity be logged, but if any of it is unwelcome - on any scale, from family to school to work to country to world - you can be locked out.
Perhaps you mean that if you, as owner and legitimate user of a device, are able to perform a particular change only during a brief window of time rather than at any time of your choosing, then that limits your control over the device? If so, then my answer is yes, certainly it does. But it also limits the access of anyone who impersonates you (such as the evil exploity javascript I make your browser execute).
Choosing a party is not like choosing an OS for your PC, though. Choosing the OS would be like choosing the political system - and recognizing the incredible privilege I have by being born into a democracy, I very much wouldn't like other people to change it.
Going further into democracy, while you might put an X on a paper sometimes, still forbids a very high number of actions. I'd liken it to having the power of choosing between Apple's App Store and Google's Play Store for your phone. Which, getting back to the point, is safer for the users than installing any third party software. Like how in a well functioning democracy, I'm forbidden to do a great many things, but also I can feel safe in the thought that others have the same restrictions too.
The best progress we’ve seen in decades came from most people using locked-down phone operating systems, followed by stricter desktop OSes. If you don’t like that trajectory, you should be focused on how to get the benefits with other trade offs. One of the first steps is respecting people enough to understand their needs rather than calling them idiots.
At least that's how I managed to understand your comment to the best of my abilities, so hopefully I'm missing something. Though if there is such a something, the point did not get across successfully.
In theory, yes, you could implement it like you said, but that's not what happens in practice nor the direction we've been tending towards in recent times.
And it is a pretty terrible solution to the problem.
- It is also keeping the good guys outside too: Anyone that want to analyse and understand the security of the system for good reasons cannot. Excepted if explicitly allowed by the corporation X and that is a terrible security property.
- No root access also means very little control or ability to scan the system itself if your are not the X corporation controlling it. That means no possibility to mandate reviewer corporation Y to check that corporation X is doing the right thing. TPMs currently make that even worst by design, they are undocumented and complex, therefore rely on blind trust that company X do the rthe ight thing. And since the Intel management engine fiasco, we do know they are not doing the right thing.
- Bonzi Buddy and toolbar type of problem can be easily avoided by separating properly the normal user account from any admin account(the unix way). It should be painful to be admin but not impossible, just to make sure your grandma do not install a rootkit by mistake when she want her 20% coupon.
In summary: That is mainly bullshit from company X to keep full control on the entire user device, and not for their own good.
This makes sense to entities providing a service, and also for many who doesn't mind not having control over their something, which is, I think, very similar to how we don't really have control over a great many of things. This is the point I wanted to get across to the original commenter, who protested "god forbid you have control of your own PC?".
But it's the other way around, if you improve your old device by installing a up to date Android on your vendor-abandoned previously vulnerable device, you go from working banking to banned from banking.
For the pro market people want control. Pros also generally know a bit more about how to use that control and tend to be less likely to end up getting pwned immediately.
For regular users people just want shit that works. Not having control is a feature, because if you have control then the malware you are tricked into installing from "ɡeτflrêfox.com" also has control.
You can see it in the Apple ecosystem with iOS vs. macOS. Macs and iPads are now almost the same hardware. (The M chips are just A chips on 'roids.) But Macs can run other OSes and you can "sudo root." That's because Macs are for pros.
iPhone users are safer from malware, PC users are safer from governments and Apple controlling what they can do on their computer.
Never-ending balance between safety and freedom.
The computer that requires a physical switch to disable secure boot is a good compromise (see many Chromebooks)
> The "you" that boots the device are in control, and the "you" that uses the device after that have exactly what "you" set up at boot time, neither more nor less. If both "you" are the same person, then there's no loss of control.
How is it orthogonal? Okay, we're not strictly speaking of only bootloader locking, but of boot-time-control locking.
Regarding Bonzi Buddy, I disagree. I think user data is as important, if not more important, than root access - which is why I'm dumbfounded when ancient server security features, like Linux's sudo system, are applied to the consumer device like a PC or a smartphone. These contexts are much better server by a sandboxing, permission-based whatever that seems to pick up steam, like the current permission systems on smartphones. Grandma's logins and bank data will be stolen from her own user account just the same as an admin account. Related XKCD[1]
This is a very handwavey sentence and is doing far too much work in your reasoning. Yes, you don't have control "over a great many things", because the point is so vague so as to be meaningless. But it doesn't at all follow from that vague sentence that we should allow total corporate/government control over our personal digital devices.
In this case, the proposed cure is far worse than the disease.
I say let them be. As long as they also have the freedom to remove or not install such software, it's a good thing. Instead we have locked-down devices with the functional equivalent of such unwanted software, protected so that you cannot remove it without somehow getting root.
"Those who give up freedom for security deserve neither."
With my reasoning I wanted to capture what people might think, while accepting something that they have no control of. I have a hard time with this, because I got a PC in my formative years and I loved to tinker with it, and hated, and still do, everything that stood in the way of that. But the general population doesn't share this experience. And if I look at my own life, I only have this experience with computers (and smartphones), all the other things are, even if not centrally managed, out of my control. At the first wrong noise I have to call an expert who hopefully fixes it and is hopefully benevolent to me, because I have no clue what happens to the device I own. Or even my own body, now that I think about it. And so, the PC and the phone is just in a long list of things that people depend on, but not control.
The addendum being here, and what most people miss who feel the way I described above, is that our ever-connected devices make a "paper trail" unprecendented in history. And it can be centrally managed, activated, replayed, assembled, or even more tracking could be remotely controlled to an extent[0] - and to an even larger extent with a specialized application[1]. This is where the otherwise similar level of "not being controlled" can lead to a much worse situation than ever before. And I wish I could point this out empathetically to people without sounding like a lunatic.
[0] https://money.cnn.com/2014/06/06/technology/security/nsa-tur...
Do they deserve to not be able to shop online without fear of having their payment information stolen? Or mistyping a URL in their non native language and ending up at a scam website that installs malware? Or simply having a device that comes to a crawl such that they cannot reliably video call their grandkids?
And no, it's not smartphones' faults. Most people just don't "get" desktop OS paradigms, or how web pages work, or any of that, and they don't really care to.
That's because they "won't miss freedom they never had".
We’re not just talking about the freedom to run software on your own device here, we’re talking about interacting with outside systems. There is an important distinction in context.
As long as it adheres to basic web standards, I believe no, the bank should have no say in what browser you use to access their webpage.
The kernel could do the same with an in-kernel process. It wouldn't have quite the same depth of defense against userspace sandbox escapes, but could be done. That's roughly how /dev/random was implemented for many years.
Look at the APIs provided — it's nothing new. It's nothing OSes haven't provided before, it's just further removed from a Chrome/FF/Safari sandbox escape, because overcoming the write-once hardware toggles is harder than getting kernel read/write primitives for a sandbox privilege escalation.