← Back to context

Comment by tapoxi

21 hours ago

No, just have the anti-cheat trust kernels signed by the major Linux vendors and use secure boot with remote attestation. Remote attestation can't be fooled from kernel space, that's the entire point of the technology.

That way you could use an official kernel from Fedora, Ubuntu, Debian, Arch etc. A custom one wouldn't be supported but that's significantly better than blocking things universally.

10 comments

tapoxi

Reply
digiown  21 hours ago

You can't implement remote attestation without a full chain of exploits (from the perspective of the user). Remote attestation works on Android because there is dedicated hardware to directly establish communication with Google's servers that runs independent (as a backchannel). There is no such hardware in PCs. Software based attestation is easily fooled on previous Android/Linux.

  • tapoxi  21 hours ago

    The call asks the TPM to display the signed boot chain, you can't fake that because it wouldnt be cryptographically valid. The TPM is that independent hardware.

    • digiown  21 hours ago

      How would that be implemented? I'd be curious to know.

      I'm not aware that a TPM is capable of hiding a key without the OS being able to access/unseal it at some point. It can display a signed boot chain but what would it be signed with?

      If it's not signed with a key out of the reach of the system, you can always implement a fake driver pretty easily to spoof it.

      7 replies →