Comment by mjg59
4 years ago
All Microsoft need to do to block other operating systems from PCs is change their policy around secure boot. All they need to do to prevent unsigned apps from running is change the default behaviour of Windows. The code exists. It's deployed. It's commonly available.
Yup, it's that close. I'm honestly happy there's an outrage ahead of releases of chips like that. Some systems did get secureboot locked down. Maybe we get the policy we got exactly because people are still outraged.
I'll take that any day over ms+Intel releasing a t2-equivalent + SB combo as required in all new certified laptops and people realising too late.
They need to boil the frog slowly enough that most people won't realise until it's too late.
I don't think that analogy works here, since the things we're worried about are binary states. Either you can run arbitrary software, or you can not, etc.
Perhaps a better analogy then is securing the noose around the neck of the prisoner, but not yet releasing the trapdoor.
1 reply →
Pluton will likely close OEM/firmware security holes that could be used to escape such policy.
Via what mechanisms? Nothing we currently know about Pluton would enable it to do anything like that, as far as I can tell.
not much detail, but slide 12 claims: https://www.platformsecuritysummit.com/2019/speaker/seay/PSE...
> Pluton validates and boots Security Monitor
> Security Monitor validates and boots the Linux Kernel
> Application Signatures are verified by SM and Pluton before Linux Kernel loads an application
1 reply →