Comment by codedokode
4 months ago
The purpose of a secure enclave is to prevent the administrator from accessing the data. I don't want anyone doing "confidential computing" on my devices. I am the person who can be trusted, so there is no need to hide the encryption keys from me.
Agreed. We need legally enforceable standards granting owners full control of their devices.
But also: TPMs could be used to prevent evil maid attacks and to make it uneconomical for thieves who stole your device to also steal your data. It makes it possible for devices to remotely attest to their owners that the OS has not been compromised, which is relevant to enterprise IT environments. There are a lot of good uses for this technology, we just need to solve the political problems of aggressive copyright, TIVOization, etc.
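The remote-attestation use mentioned in the comment above rests on two TPM mechanisms: measured boot (each boot component is hashed and folded into a PCR, so the final value depends on every component and their order) and a quote (the TPM signs the PCR value together with a verifier-supplied nonce). The following is an added illustration, not code from any commenter or from a real TPM stack: it simulates a single SHA-256 PCR bank and stands in an HMAC with a key that never leaves the "TPM" for the real asymmetric attestation key. The component strings and key bytes are constructed sample values.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # one SHA-256 PCR, starts at all zeros after reset

# Constructed stand-in for the TPM's attestation key; only the TPM can use it.
TPM_ATTEST_KEY = b"constructed-attestation-key-do-not-reuse"


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(component)).

    A PCR can only be extended, never written, so a later stage cannot
    erase the measurement of an earlier one.
    """
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Fold an ordered boot chain (firmware, bootloader, kernel, ...) into a PCR."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Simulated TPM2_Quote: authenticate nonce || PCR with the attestation key.

    The nonce binds the quote to this verification round so an old quote
    from a healthy boot cannot be replayed after the OS was tampered with.
    """
    return hmac.new(TPM_ATTEST_KEY, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(expected_pcr: bytes, reported_pcr: bytes,
                       nonce: bytes, quote: bytes) -> bool:
    """Verifier side: check the quote is genuine for this nonce, then that the
    PCR matches the golden value for the OS the owner installed."""
    # In a real deployment the verifier holds only the attestation public key;
    # here it shares the HMAC key with the simulated TPM.
    expected_quote = hmac.new(TPM_ATTEST_KEY, nonce + reported_pcr,
                              hashlib.sha256).digest()
    if not hmac.compare_digest(quote, expected_quote):
        return False  # forged or replayed quote
    return hmac.compare_digest(reported_pcr, expected_pcr)


# Constructed golden boot chain recorded by the owner at enrolment time.
GOLDEN_CHAIN = [b"firmware v1", b"bootloader v2", b"kernel 6.1 signed"]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)


def attest(boot_chain: list[bytes], nonce: bytes) -> bool:
    """End-to-end round: device boots, measures, quotes; verifier checks."""
    pcr = measure_boot(boot_chain)
    quote = tpm_quote(pcr, nonce)
    return verify_attestation(GOLDEN_PCR, pcr, nonce, quote)


if __name__ == "__main__":
    nonce = os.urandom(16)
    print("clean boot:   ", attest(GOLDEN_CHAIN, nonce))
    tampered = [b"firmware v1", b"bootloader v2", b"kernel 6.1 backdoored"]
    print("tampered boot:", attest(tampered, nonce))
```

Two properties worth noticing: swapping the order of two components changes the PCR even though the same bytes were measured, and a quote captured from a clean boot does not verify against a fresh nonce, which is what lets the owner trust a remote answer rather than a screenshot of one.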
> The purpose of a secure enclave is to prevent the administrator from accessing the data
Not only; it has many purposes. I'm also the administrator of my computer, and some things I want to be unchangeable by software unless I myself unlock it. For example, I don't want anyone to be able to boot or install OSes other than the ones I've installed myself. The secure enclave and secure boot are perfect for this: even if my computer gets malware, it won't be able to access it, and even if someone gets physical access to my computer, they won't be able to boot their OS from a USB.
The false assumption in your argument IMHO is the assumption that none of the software on your device will ever betray you or contain an exploitable security hole. In actuality, it is useful from time to time to be able to run software you cannot completely trust such that the software cannot access all the data on the device (because the untrusted software cannot access your enclave).
That's why you run that software as its own untrusted user and perhaps run it with some kind of sandbox. It's not a reason for you, the owner, not to have root access at all.
Running each app as its own untrusted user is one of the measures taken by Android, but the designers of Android do not consider that enough, so they also sandbox the app with SELinux. However, no one has implemented sandboxing an app with SELinux on any non-Android, non-ChromeOS Linux distro.
In general, non-Android, non-ChromeOS Linux is not good at this sort of thing: half a dozen sandboxing frameworks exist, but none of them are particularly secure.
Also, suppose you want to load an obscure kernel module that reads an obscure filesystem format. How do you sandbox the module?
But I do want to secure my encryption keys on my device from someone who steals my device.
Any feature controlled by the owner of the computer is good; features controlled by anyone else, like the manufacturer, can be bad. And note that in this viewpoint, leasing makes you the temporary owner.