Comment by Arch-TK

6 days ago

Unfortunately it's never going to happen.

Also, things like TPMs, Secure Boot, etc., are good security tools which can be used by an end user to get security guarantees over their device.

I use Secure Boot with Linux because, when done right, it means you can get full disk encryption without gaps (at best, without Secure Boot, you have an unencrypted bootloader on a flash drive which decrypts your disk and boots your machine, and this is a clunky setup).

I use GrapheneOS's hardware attestation to alert me if something compromises my Android phone's operating system.

Now it's true that these features are abused by companies like Google to force you to run a blessed Android build if you want to use e.g. Google Pay (which is the only mobile payment option in e.g. the UK). But it's important to separate the technology from the bad actors abusing it.
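An added check, not part of the thread, for the "done right" setup the comment describes: Secure Boot switched on, and the LUKS volume's unlock bound to TPM2 PCR 7 (the PCR that records the Secure Boot policy), so the disk does not open under a different boot configuration. It assumes the standard efivarfs path for the SecureBoot variable and the `tpm2-hash-pcrs` field name in `cryptsetup luksDump` output; both are assumptions, and the dump below is a constructed sample.

```shell
#!/bin/sh
# Added example (not the commenter's setup). Assumptions: the SecureBoot EFI
# variable is read from efivarfs, and a systemd-tpm2 LUKS token is recognised
# by the "tpm2-hash-pcrs:" line that cryptsetup luksDump prints for it.

# Return 0 when the SecureBoot variable file reports Secure Boot as enabled.
# efivarfs layout: 4 bytes of attribute flags, then the single data byte.
secure_boot_enabled() {
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || return 2
  state=$(od -A n -t u1 -j 4 -N 1 "$var" | tr -d ' ')
  [ "$state" = "1" ]
}

# Read luksDump text on stdin; return 0 when a systemd-tpm2 token exists and
# its PCR list (entries separated by "+" or ",") includes PCR 7.
luks_bound_to_pcr7() {
  awk '
    /^ *[0-9]+: systemd-tpm2/ { in_tpm2 = 1; next }
    /^ *[0-9]+: /             { in_tpm2 = 0 }
    in_tpm2 && /tpm2-hash-pcrs:/ {
      sub(/.*tpm2-hash-pcrs:/, "")
      n = split($0, pcrs, /[ ,+]+/)
      for (i = 1; i <= n; i++) if (pcrs[i] == "7") found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample of the "Tokens:" section of a luksDump, for offline use.
SAMPLE_DUMP='Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
  1: systemd-recovery
        Keyslot:    1'

# $1: SecureBoot variable file, $2: luksDump text. Exit 0 only when both hold.
check_fde_without_gaps() {
  if secure_boot_enabled "$1" && printf '%s\n' "$2" | luks_bound_to_pcr7; then
    echo "ok: Secure Boot on and LUKS unlock bound to PCR 7"
  else
    echo "gap: Secure Boot off or LUKS unlock not bound to PCR 7"
    return 1
  fi
}
```

On a real machine, feed `cryptsetup luksDump /dev/<luks-device>` output as the second argument and leave the first empty to use the default efivarfs path.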

The difference is you using the TPM feature and anyone else using the TPM feature. The feature can exist as long as it's only there for you, not for anyone else. You can satisfy yourself that no one has hacked your device. Your bank cannot satisfy itself that they have ultimate control over your device instead of you.

The described mechanism doesn't say the hardware features can't assert the software features, only the other way around: the premise was merely that the software features need to be replaceable; in fact, this is exactly what you want, as it ensures that the mechanism in the hardware providing the secure boot feature is open source and it also ensures that the operating system you run is anything you want, rather than being locked into a specific choice by the maker of the hardware (or, if the people who make the hardware want to ship an OS with the hardware as if it were some kind of cohesive product, then that OS would also have to be open source and modifiable, which is how you can get a GrapheneOS in the first place).