
Comment by kqp

2 months ago

> what do you actually want?

Give me the ability to choose what I trust. “You can either trust Apple and nobody else, even yourself, or you can trust literally everybody” is obviously not a good faith implementation of this. Apple excels at steering the narrative with false conflation and false dichotomy. I’d also remind you of the came-and-went secure boot debate, which Apple successfully steered into “Apple owns the encryption keys” vs “no encryption”, and people just kind of forgot to ask, wait, why can’t I have the keys to my device?

Exactly, Apple is making this a black and white choice on purpose, to make it unattractive to bypass them, and to introduce legitimate security concerns if you do so. But those don't have to exist if the options were more fine-grained.

The same with SIP (system integrity protection). You can turn it off but then you have to turn it all off.

There's no way to keep secure boot but bless your own changes and sign them in some way, that you have approved. You know, as the owner and admin of your own computer. It's either leave it to Apple or be completely on your own. And to make the choice even more uncomfortable they also disable some features like running iOS apps.

I think you should read up on how secure boot works with macOS and alternate operating systems before speaking this negatively about the implementation. Apple is already giving you exactly what you’re asking for.

It’s not really even that different than a PC motherboard that gives you “Windows UEFI” and “enroll my own keys” as options.

https://asahilinux.org/docs/platform/security/

As far as code signing, again, what do you want Apple to do here? They already gave you a master switch to turn it off. You are free to turn it off then implement your own third party code signing solution if you’d rather choose who you trust. It’s not Apple’s fault if nobody else decided to make their own trust repositories and the only alternative on the market is to have no safeguard at all.

And let’s not forget who Apple markets their computers to. These features aren’t for you and me, they’re for the non-technical customers who will absolutely get pwned by unsigned code. Go to the MacBook Neo marketing page and try to find a single image of someone writing code or even being gainfully employed.

  • This is that false dichotomy.

    You can turn off all protection, as you point out. So who Apple markets Neos to isn't a factor.

    > Apple’s fault if nobody else decided to make their own trust repositories and the only alternative on the market is to have no safeguard at all.

    Does Apple provide a means for enabling third party trust systems, without disabling Apple's protections in general? If not, that is a serious problem of Apple's choosing. Nobody (to a first order approximation) wants to dispense with Apple's protection, or re-implement it, but to be able to carve out exceptions for specific classes of software.

    • If you can enable a third party trust system you completely open it up for abuse. If I put my threat actor hat on, I love your idea because now I have an alternative codepath to try and exploit (where do you store third-party trusted roots for code-signing/notarization evaluations so that they cannot be tampered with, how do you load them, verify them, etc), but now instead of having to dance around bypassing Gatekeeper, I can just try and convince the user to install my certificates and voila, my malware behaves like a legitimate app.

      Apple's root of trust for the OS and thus anything that passes AMFI/Gatekeeper scans is built into the hardware. There is no safe mechanism for introducing other roots of trust that is worth the effort.

      If you don't trust Apple, why the hell are you buying their computers at all?


> I’d also remind you of the came-and-went secure boot debate, which Apple successfully steered into Apple owns the encryption keys vs no encryption, and people just kind of forgot to ask, wait, why can’t I have the keys to my device?

The Asahi Linux folks are building their own SecureBoot chain[1].

I guess you could argue they shouldn't have to do that. But it feels reasonable to me that the party you're trusting should be the one who builds the trust chain.

1: https://asahilinux.org/docs/platform/open-os-interop/#m1n1

I don’t disagree with your post but I’m still unclear on how you envision gatekeeper should work.

You want the ability to choose different “authorities” that verify and sign binaries? That makes sense to me but is unlikely to relieve any of the issues in the post.

Also what do you mean by “even yourself?” What would that option look like?

  • You could like, just trust a single binary. Have a button right there in the popup that already shows up.

    • Maybe “Gatekeeper Light” hidden under advanced settings would satisfy everyday users + the technical crowd

      For plenty of users, a button right there in the popup is almost the same as no Gatekeeper for most scenarios, but if we can handle it why not let us
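The trust-policy options argued over in this subthread, written out as an added Go example that is not from any commenter and is not how Apple's Gatekeeper is implemented: a vendor-only mode, an everything-off mode, and a fine-grained store where the owner can approve a publisher key or pin a single binary by hash (the "just trust this one binary" button). Keys are derived from fixed labels so the run is repeatable; the `KeyPair` derivation, the binary contents and all names are constructed for the example. It also makes the earlier objection concrete: approving a publisher key extends trust to everything that key ever signs, while a hash pin covers exactly one file and stops matching as soon as a byte changes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mode is the set of choices the thread argues over.
type Mode int

const (
	VendorOnly  Mode = iota // "trust Apple and nobody else"
	Disabled                // "trust literally everybody"
	FineGrained             // vendor root plus owner-approved publishers and owner-pinned binaries
)

// Signed is a binary with its publisher key and detached signature
// (an empty Sig models an unsigned binary).
type Signed struct {
	Name      string
	Code      []byte
	Publisher ed25519.PublicKey
	Sig       []byte
}

// Policy is the owner-editable trust store.
type Policy struct {
	Mode      Mode
	VendorKey ed25519.PublicKey
	Approved  map[string]bool // hex publisher keys the owner added: broad, every binary they sign
	Pinned    map[string]bool // sha256 of single binaries the owner blessed: narrow, exactly those bytes
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// KeyPair derives a deterministic keypair from a label. Constructed for the
// example only; real keys come from a CSPRNG or a hardware-backed root.
func KeyPair(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("example-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces a signed binary record for the given publisher key.
func Sign(name string, code []byte, priv ed25519.PrivateKey) Signed {
	return Signed{name, code, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, code)}
}

// Allow evaluates one binary against the policy and reports which trust path matched.
func (p Policy) Allow(s Signed) (bool, string) {
	// A signature only counts if it verifies against the key it claims to be from.
	valid := len(s.Publisher) == ed25519.PublicKeySize && len(s.Sig) > 0 &&
		ed25519.Verify(s.Publisher, s.Code, s.Sig)
	if p.Mode == Disabled {
		return true, "checks off: anything runs"
	}
	if valid && s.Publisher.Equal(p.VendorKey) {
		return true, "vendor-signed"
	}
	if p.Mode == VendorOnly {
		return false, "not vendor-signed"
	}
	if valid && p.Approved[hex.EncodeToString(s.Publisher)] {
		return true, "owner-approved publisher"
	}
	if p.Pinned[digest(s.Code)] {
		return true, "owner-pinned binary"
	}
	return false, "no trust path"
}

func main() {
	vendorPub, vendorPriv := KeyPair("vendor")
	devPub, devPriv := KeyPair("indie-dev")
	_, malPriv := KeyPair("malware-author")
	tool := []byte("constructed tool binary v1") // the one unsigned binary the owner blessed
	p := Policy{Mode: FineGrained, VendorKey: vendorPub,
		Approved: map[string]bool{hex.EncodeToString(devPub): true},
		Pinned:   map[string]bool{digest(tool): true}}
	for _, s := range []Signed{
		Sign("vendor-app", []byte("os utility"), vendorPriv),
		Sign("indie-app", []byte("indie release"), devPriv),
		{Name: "tool", Code: tool},
		{Name: "tool-modified", Code: append(append([]byte{}, tool...), '!')},
		Sign("dropper", []byte("malicious"), malPriv),
	} {
		ok, why := p.Allow(s)
		fmt.Printf("%-14s allowed=%-5v (%s)\n", s.Name, ok, why)
	}
}
```

The design point is in the two maps: `Pinned` is the narrow option (one file, one hash), `Approved` is the broad one, and the verifier never consults a key it was not told about, so the thread's "install my certificate" scenario only works if the owner is talked into adding the attacker's key to `Approved`.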

I want the ability to run any Linux distro on my MacBook, like I can with any other computer that is not a MacBook.

  • Macs have enough open firmware to allow you to run any OS that you want. Linux Asahi only supports a certain subset of modern Mac HW, if you want to speed up development you should probably contribute to that project.

  • The Asahi team does upstream their work, so eventually this will be possible with the M1 Macs. But it's an uphill battle because it's a reverse engineering effort on undocumented hardware that has a different separation of duties between firmware, hardware, and operating system than other systems that Linux already supports. It's a wonderful project, but if you want timely Linux support, you have to buy from a vendor whose chipset makers more proactively cooperate with Linux kernel developers.

    It would be wonderful if Apple shipped the Asahi team a bunch of docs and hardware, and commissioned them to complete+productionize support for every single Apple Silicon Mac released up until now plus the upcoming gen. If they did that, maybe in one year support would be great and in two or three years, you could use any distro you liked and get full support.

    But that's not really who Apple is or how they position themselves in the market afaict. This wish is sadly barking up the wrong tree.

  • Easy, don't buy Apple, I don't.

    Apple computers that I use are project assignments.