Comment by marcodiego
4 years ago
Will this allow my computer, in the future, to be as locked as current smartphones? Will this allow software to refuse to run or services to refuse to work depending on third party software I have installed?
4 years ago
Will this allow my computer, in the future, to be as locked as current smartphones? Will this allow software to refuse to run or services to refuse to work depending on third party software I have installed?
"Secure boot" and "remote attestation" are complementary features.
Specifically secure boot is what makes it so that "your" computer is unwilling to run software that has not been approved by the company that made it. This has existed for quite some time, and is responsible for the locked down mobile ecosystem as well as the inability to remove the Intel ME and AMD PSP embedded malware from recent PCs.
Remote attestation has not been widely implemented yet, but will make it so that remote services refuse to work unless you are running only software that the service approves of. I'm not sure how much Pluton moves the needle forward, but any amount is not good. If remote attestation comes into full effect, many websites will only be usable on newer computers and websites will be able to forcibly disable software the website finds objectionable, like say Adblock.
>I'm not sure how much Pluton moves the needle forward
A lot. They only need to wait for Pluton enabled PCs to reach critical mass. Compared to TPM's, Pluton is inside the chip thus not vulnerable to bus tampering and is not a standard but a "product", meaning Microsoft will have the ability to make changes without intervention from other companies.
Everything needed to lock down your computer as much as a phone already exists, there's no need for a TPM or Pluton to do so.
We want there to be less ways of doing that. The fact that one way already exists doesn't mean that we should be okay with more. The desired end goal is that eventually there's zero ways to do this, and we'll never get there if we keep moving in the wrong direction and justify it by not already being there.
There's a huge difference between "exists" and "is now commonly available and made easier to use". The frog-boiling is slow, but an increasingly large number of us are becoming aware of this new rise of corporate authoritarianism, and we know how it will end if we do not fight it as hard as we can.
All Microsoft need to do to block other operating systems from PCs is change their policy around secure boot. All they need to do to prevent unsigned apps from running is change the default behaviour of Windows. The code exists. It's deployed. It's commonly available.
9 replies →
...no? How would MS force me to install an AGESA update that supposedly restricts me in booting unsigned code? That's where the newly announced remote attestation comes in.
On the other hand, on PCs with Pluton chips they can change their minds any second.
The described functionality of Pluton doesn't allow it to prevent you from booting unsigned code. Your system firmware would need to ask Pluton for permission, and if it doesn't do so then no number of Pluton firmware updates is going to make it able to prevent that.
1 reply →