Well, if you want to distrust Apple software you probably shouldn't be trusting their hardware, either.
That being said, I actually think this is a reasonable way to do secure boot. The default OS the device ships with can be validated, but there's still a proper owner override so you can boot into Linux or whatever. They even use the SEP to validate that the owner override has been tripped by the owner. The first user account you make gets handed a key generated by the SEP that can be used to sign kernels, so only that account can actually use the owner override. This is a good way to stop evil-maid attacks in their tracks while still not locking the user out of their property.
My only real complaint is that Apple's gone to great lengths to ensure the iOS side of their business is completely unaffected by owner overrides:
- If you boot into an owner-signed OS volume, macOS disables its iOS support
- iPad-fused M1s won't generate or respect owner keys
This is silly. If individual iOS applications are sensitive to owner overrides, then they already have devicecheck APIs to get a cryptographic attestation that they haven't been tampered with. The SEP could flag those attestations as coming from an owner-signed kernel and picky banking apps[0] could check for that.
[0] And Pokemon GO, because it's easier to blacklist jailbroken users than to enforce a rate limit on GPS jumps
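An added example, not code from the original thread or from Apple: a toy model of the boot policy the comment above describes (a vendor key that is always trusted, an owner key generated by the device and handed to the first account, an override that only trips when a request is signed with that owner key) plus a DeviceCheck-style attestation that carries an "owner-signed kernel" flag for picky apps to check. It also shows the asymmetric sign-and-verify step a later comment asks about. The `Device`, `app_accepts` and attestation format are constructed for illustration; the RSA keys use tiny well-known primes so the example needs only the standard library and are deliberately insecure.

```python
"""Toy model of secure boot with a vendor key plus one owner-enrolled key, and
an attestation that reports whether the running kernel was owner-signed.

Constructed illustration, not Apple's or the SEP's real code or protocol. Toy
RSA with small well-known primes keeps it standard-library only; the key
sizes are deliberately insecure and exist only to show the asymmetric
sign/verify flow (Python 3.8+ for pow(e, -1, phi)).
"""
import hashlib
import json
from typing import Optional, Tuple

Key = Tuple[int, int]  # (n, exponent)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private) as (n, e), (n, d). INSECURE: tiny constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes) -> int:
    # Truncated SHA-256 so the value fits below every tiny modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def sign(private: Key, data: bytes) -> int:
    n, d = private
    return pow(_digest(data), d, n)


def verify(public: Key, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data)


def _canon(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


# Constructed keys: "vendor" (burned into ROM in the real design) and the
# device's attestation key (held by the secure element in the real design).
VENDOR_PUB, VENDOR_PRIV = toy_keypair(104729, 1299709)
ATTEST_PUB, ATTEST_PRIV = toy_keypair(999983, 1000003)


class Device:
    """Root of trust: vendor key always trusted; owner key trusted only after
    enrollment and only once the owner has tripped the override with that key."""

    def __init__(self) -> None:
        self.owner_pub: Optional[Key] = None
        self.override_enabled = False
        self.state = {"booted": False, "owner_signed": False}

    def enroll_owner(self) -> Key:
        """Device-generated owner key: public half stays here, private half goes
        to the first user account (hypothetical enrollment step)."""
        pub, priv = toy_keypair(7919, 15485863)
        self.owner_pub = pub
        return priv

    def enable_override(self, proof: int) -> bool:
        """Only a request signed by the enrolled owner key trips the override."""
        if self.owner_pub is None or not verify(self.owner_pub, b"enable-owner-override", proof):
            return False
        self.override_enabled = True
        return True

    def boot(self, image: bytes, sig: int) -> dict:
        if verify(VENDOR_PUB, image, sig):
            self.state = {"booted": True, "owner_signed": False}
        elif self.override_enabled and self.owner_pub and verify(self.owner_pub, image, sig):
            self.state = {"booted": True, "owner_signed": True}
        else:
            self.state = {"booted": False, "owner_signed": False}
        return dict(self.state)

    def attest(self, nonce: bytes) -> dict:
        """DeviceCheck-style statement in a constructed format: boot state plus
        the caller's nonce, signed with the attestation key."""
        body = {"nonce": nonce.hex(), **self.state}
        return {"body": body, "sig": sign(ATTEST_PRIV, _canon(body))}


def app_accepts(att: dict, nonce: bytes, allow_owner_signed: bool) -> bool:
    """What a relying app checks: genuine signature, fresh nonce, and its own
    policy on owner-signed kernels (a picky app passes allow_owner_signed=False)."""
    body = att["body"]
    if not verify(ATTEST_PUB, _canon(body), att["sig"]) or body["nonce"] != nonce.hex():
        return False
    return body["booted"] and (allow_owner_signed or not body["owner_signed"])


def demo() -> dict:
    dev = Device()
    owner_priv = dev.enroll_owner()
    _, maid_priv = toy_keypair(32452843, 49979687)  # constructed "evil maid" key
    stock, custom = b"stock-kernel-image", b"owner-built-linux-kernel"
    out = {"stock_boots": dev.boot(stock, sign(VENDOR_PRIV, stock))["booted"]}
    out["custom_before_override"] = dev.boot(custom, sign(owner_priv, custom))["booted"]
    out["maid_can_trip_override"] = dev.enable_override(sign(maid_priv, b"enable-owner-override"))
    out["owner_can_trip_override"] = dev.enable_override(sign(owner_priv, b"enable-owner-override"))
    out["custom_after_override"] = dev.boot(custom, sign(owner_priv, custom))
    out["maid_kernel_boots"] = dev.boot(custom, sign(maid_priv, custom))["booted"]
    dev.boot(custom, sign(owner_priv, custom))  # back to the owner-signed kernel
    nonce = b"\x01\x02\x03\x04"  # constructed challenge from the app's server
    att = dev.attest(nonce)
    out["picky_app"] = app_accepts(att, nonce, allow_owner_signed=False)
    out["lenient_app"] = app_accepts(att, nonce, allow_owner_signed=True)
    forged = {"body": {**att["body"], "owner_signed": False}, "sig": att["sig"]}
    out["forged_flag"] = app_accepts(forged, nonce, allow_owner_signed=False)
    return out


if __name__ == "__main__":
    print(demo())
```

The interesting cases are the ones the comment argues for: an owner-built kernel is refused until the owner (and only the owner) trips the override, a third party's kernel is refused either way, and a relying app can still tell the two boot states apart from the attestation without the platform having to disable anything.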
For the record, I'm in favor of legal mandate that hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices. However, that'd be in addition to Apple's keys and wouldn't be about the security of Apple's keys, because Apple is part of the fundamental trust foundation if you buy a Mac or iDevice. Period. The devices are massively vertically integrated, right down to the core silicon which is completely custom. Apple has absolutely unfettered ultimate low level access opportunity up and down the stack. If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level "trust Apple" is simply a security axiom on this platform.
And they've shown that to be not unreasonable at least when it comes something like root private keys. Fact is they've been operating for a long time now and like the rest of the big players that hasn't been a leak issue. It's not that big a deal for a big player to physically secure such things to a high enough degree that it's unlikely to be a limiting factor. Dedicated rooms, full offline, hardware backed Shamir's secret sharing for m-of-n key signing ritual requirements etc etc.
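The m-of-n split mentioned in the comment above, as an added example rather than any vendor's ceremony tooling: Shamir secret sharing over a prime field, where a root signing key (here just an integer standing in for the key) is split into n shares such that any m reconstruct it and fewer reveal nothing. The field prime, share format and `demo` are constructed for illustration; a real ceremony would generate the key inside an HSM and wrap each share for its custodian.

```python
"""Shamir m-of-n secret sharing over a prime field, as used to split a root
signing key among custodians so that any m of them can reconstruct it.

Constructed example, not any vendor's key-ceremony code. Requires Python 3.8+
for pow(x, -1, P).
"""
import itertools
import secrets
from typing import List, Tuple

P = 2**127 - 1  # Mersenne prime; every secret must be below it
Share = Tuple[int, int]  # (x, f(x))


def split(secret: int, threshold: int, count: int) -> List[Share]:
    """Evaluate a random degree-(threshold-1) polynomial with f(0) = secret
    at x = 1..count; each evaluation is one custodian's share."""
    if not 0 <= secret < P or not 1 <= threshold <= count:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, count + 1)]


def combine(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Correct only when at least `threshold`
    distinct shares are supplied; with fewer it returns a useless value."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo() -> dict:
    key = int.from_bytes(secrets.token_bytes(15), "big")  # stand-in signing key (< P)
    shares = split(key, threshold=3, count=5)
    return {
        "any_three": all(combine(list(s)) == key for s in itertools.combinations(shares, 3)),
        "all_five": combine(shares) == key,
        # Two shares fix only a line through them; it hits the secret with prob. 1/P.
        "two_only": combine(shares[:2]) == key,
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is enforced by the mathematics rather than by the code: `combine` happily interpolates any number of shares, but below the threshold the result is unrelated to the secret, which is why the ceremony policy (how many custodians, stored where) matters as much as the algorithm.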
>If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level "trust Apple" is simply a security axiom on this platform.
It is not about trusting Apple or any other company for that matter. It is about the tendency and the attempt to make it a norm, to legalize, selling personal computers without respecting the right of the owner to have full control over their own computer. If the owner cannot fully control their own computer, this computer cannot be called 'personal' anymore.
This practice needs a push back as it is completely unacceptable. It should be made illegal to sell such devices if that is not already the case, because you can be left without a working computer just because the link to the company isn't available for some reason.
The company goes away and you are left without a working computer. The internet isn't available and you have a brick instead of your computer. This is crazy, and even more crazy that there are a bunch of people brainwashed enough to the level that they do not even perceive it as a problem. Probably because they can't think 3 steps forward.
We’re talking about Apple, one of the most valuable companies in the world, sat on over $100bn in cash just “going away”, in what, the lifetime of a laptop? For me that’s 3-5 years, for others maybe 10. That’s an absurd premise. The probability of that is so close to zero it doesn’t bear consideration.
What if it's broken by legislators and the pieces are named something differently. Want to bet no apple.com links get broken? And their certificates?
The point is, if I want to buy a personal computer and stuff it in the closet for 50 years to use later, that's between me and the creator. Not Tim Cook.
> It is about tendency and attempt to make it a norm/legalize to sell personal computers without respecting right of the owner to have a full control over their own computer. If owner cannot fully control own computer this computer cannot be called 'personal' anymore.
I have bad news about Intel CPUs.
>[Intel] processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. We do know that with it there, neither Linux nor any other operating system has final control of the x86 platform.
And this isn't the case on M1 machines. On M1s, all blobs that remain after you launch Linux are sandboxed behind IOMMUs, so they cannot take over the system. Ignoring hardware backdoors (which you can never be sure don't exist, on any system), you can be reasonably confident that an M1 system doesn't have a (functional) backdoor running while you're running your own OS on it. Very few systems have this property; mostly only fully open boot systems like the Pinebook or Talos workstations. ~No x86 system does, not even the ones running Libreboot, since they almost always have hardware with full DMA access running blobs.
The full control of devices you own is absolutely essential. It requires a complete transparency of basic components like cpu micro-code, firmware and hardware otherwise it can and will be abused.[0]
... unless everything is absolutely transparent including microcode and hardware, it is not an acceptable freedom-respecting solution.[1]
Then I got unexpected opposition from the one who is making Linux for M1 (marcan_42). If even he fails to understand the consequences of accepting such a hostage situation with Apple devices and claims "Freedom isn't the answer." [2]. If even he is ready to downgrade the discussion to personal disrespect toward people like me [3] who are merely trying to point out the danger of the hostage situation, while going 'easy' on Apple and ready to justify all of their current mistakes, then we have a serious problem. I do not wish to use the term "doomed", but probably we observe the limited ability of highly technical minds to resist the primitive brainwashing and manipulation the big companies provide by presenting it as a norm to trade 'freedom' for 'safety'. Some people can't even think a few steps forward and understand that by helping companies to promote such an agenda we'll end up losing both 'safety' and 'freedom'.
I love how every time you bring this up you link every post except the one where you compared Apple to a dictatorship, then went on to insult every user who chooses their hardware over others.
I'm happy to debate the pros and cons of different security approaches, and I want every prospective buyer of these machines to be informed about the decisions and trade-offs that went into their design, and what to expect. I'm not interested in debating someone who immediately dismisses all technical discussion and just invokes references to authoritarianism, brings up boiling frogs with no evidence, immediately dismisses my arguments as wrong and assumes they need correction, and ends with ad hominem attacks.
As I said, go buy a Pinebook and please leave the rest of us alone. We're trying to give the users of these machines choice. You're trying to take away our choice to use them through moral arguments.
marcan seems to be part of a new breed of hacker, less interested in the "why" we do it and more interested in the "how" of it. Works pretty well for tackling a challenge like blindly picking at a black-box ISA/SIP, but I don't think his project has the kind of ideological understanding that keeps the libre desktop alive. Getting it to work is one thing; building a community to maintain your work is another.
Unfortunately, that's going to constitute a lot of the people you encounter these days. Half-measures are better than no-measures, but I really do miss the days of vigilant software development instead of cleaning up Apple's scraps.
You're not giving Hector Marcan enough credit. He was on Team Twiizers and fail0verflow; groups that did a lot of hacking to open up closed systems. It's not like he's unaware of the customer abuse that happens in the proprietary world.
The "look beyond freedom" quote probably should also be looked at with the context that he's talking about the FSF, which has an odd habit of being extremely absolutist in ways that actually hurt the user. Like, they'll point out that Wi-Fi cards with proprietary firmware are bad, but then endorse very similar hardware where the firmware blob is in ROM or some features are lasered off just to conform to the "proprietary ROMs don't count" rule. Marcan is arguing for creating a gradual sliding scale of "proprietary, user-hostile, and/or insecure" to "Free, user-respecting, and/or secure" and then looking at the trade-offs between them, rather than just creating a really high bar based on what made sense in the late 1980s and sticking to it forever.
> less interested in the "why" we do it and more interested in the "how" of it.
I mean, to be honest, someone only knowing "whys" alone is kind of disappointing, especially combined with the often seen narcissism of developers, and you get someone who does not understand the problem domain spewing bullshit about it with confidence. We can see plenty of examples of that under any firefox, wayland or systemd thread.
I agree it's "your own device", but Apple's EULA makes it really clear it's only your own device insofar as you can choose to destroy it. They retain a residual right over the hardware, a partial ownership if you will, when it comes to what software is on it. You aren't buying hardware. You're buying an experience. You don't have the right to experience arbitrary software running on it, even if you trust it.
It's one of the reasons I'm not using Apple products anymore.
Apple's EULA explicitly allows you to replace the open source components of the OS with your own. One such open source component is the XNU kernel itself. This is what allows Asahi Linux to exist not just technically, but also in full compliance with Apple's EULA.
> hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices
Would you really be more comfortable knowing that your hardware vendor had the capability to produce machines with a low-level, unremovable backdoor? I'm not sure I would. A feature like that can be used against users more easily than it can be used by those users.
>Would you really be more comfortable knowing that your hardware vendor had the capability to produce machines with a low-level, unremovable backdoor?
What? They do. Apple absolutely has the capability to build any or all machines with low-level unremovable backdoors, like, in the freaking processor if they wanted. I'm not clear on what your issue is here. The current state of affairs is that for devices like the iPhone, the manufacturer can set up a secure software tree where the root of trust contains only their keys. And for many (if not most) of their customers that's a good thing, because in their threat model running their own arbitrary code is of lower utility and much higher risk than getting social engineered into bypassing key protections or the like. There is important power in grouping together buying decisions in an unbypassable way; it's why the likes of Facebook for example cannot insist on bypassing iOS privacy protections. They can't pick people off, because people literally do not have the choice. Facebook must deal with Apple for the ~97% (or whatever it is who don't/can't jailbreak) majority of users.
However there are real issues with that too for a sizable number of owners. So all I want is that there be an option at purchase time which allows owners to load their own root keys. The whole chain of trust infrastructure is still there, but technical users or those with specific needs can then run their own (and still be better off). Making it buy-time means that users who want to ensure they cannot be compelled later can still do that too. Nobody loses.
A feature like that can be used against users more easily than it can be used by those users.
How? Most people will stick with defaults, and I'd be ok with Apple or whomever qualifying an open device with reduced software support or some small charge for example too. And once it's been sold, it's the same as currently. I think that's a reasonable tradeoff.
You're missing my point. What I'm saying is that, as things currently stand, all of the CPUs that Apple ships in products are functionally identical -- all of them share the same root of trust in ROM (afaik?), and it would take a significant effort for Apple to produce devices which differ from that specification.
> How? Most people will stick with defaults
By having an attacker deliver a system to a user with a custom root of trust -- which could mean anything from a state-sponsored attacker to an abusive partner.
The OP statement was about insecurity that comes with signing code with anyone other than the owner.
It doesn't matter how secure communication between Apple and an Apple device is, because even if it's perfect the owner is not secured from Apple itself and those who Apple would love to communicate with. For instance oppressive governments. (here the result of such communication: a blocked app that an oppressive government didn't like https://apps.apple.com/us/app/%D0%BD%D0%B0%D0%B2%D0%B0%D0%BB...)
It really depends on the threat you are planning against. If for some reason I'm a target of the US government, I'm screwed anyway. If my concern is trusting the laptop after I left it in a train station and got it back from some random dude, it's good enough.
>It really depends on the threat you are planning against.
What about oppressive let's say Russian government while you travel let's say in Ukraine and then occupation occurs. Not a fantastic scenario by the way ...
It really doesn't depend on the threat at all. It's about the model of the society you wish to have and what values you promote.
It's about who you wish to be responsible : the 'big company' caring about your safety and taking your freedom on the way or you caring yourself about own safety and preserving freedom on the way. I do not really think there is a choice here because the first option will always be abused at some point.
Freedom does matter and it comes with responsibility. THIS is the main issue here. THIS is what separates a society with responsible citizens from a society with 'irresponsible people' who wish to trade their freedom for 'safety', resulting in losing both (and democracy itself after some time).
All sentiments like this one and those similar to it elide the facts that 1) we’ve tried relying on “user responsibility” before, and excusing the comically bad outcomes through victim blaming doesn’t change them; and 2) we didn’t get together and vote Apple the only manufacturer of computers.
If you don’t like their model, choose someone else. Why should average users who would otherwise be served perfectly well by Apple’s solution be required to be “responsible” for some subset of personal security you think denotes a “responsible” citizen from an “irresponsible” one?
>If you don’t like their model, choose someone else.
Many follow their example, and without push back there will be no someone else, because average users may not understand the consequences unless they are educated by people who do understand them. Like with many other areas requiring a certain level of expertise to understand the consequences of certain decisions.
> we’ve tried relying on “user responsibility” before,
>Why should average users who would otherwise be served perfectly well by Apple’s solution be required to be “responsible”
Do you believe in choice? If you do then average users should have a choice whether to rely on Apple or switch such functionality off. Without having such choice people become less and less responsible. You can say they choose by buying such machines but I do not think this could be qualified as a choice just like accepting EULA. It's not really a choice.
User responsibility and device safety are not mutually exclusive. You can keep the iPhone exactly as-is and add a developer mode that would pretty much shut up every nerd this side of the Mississippi.
Which is exactly what they did with M1 (add a developer mode that doesn't put their normal users at risk by allowing for persistent supply chain compromise attacks), but it doesn't seem to be enough to make some people happy...
To be fair to the other side of the argument, I think people are mostly upset about the iPhone. There's an implicit fear (which I don't agree with!) that if Apple is so insistent on keeping the iPhone locked down, that must be their ultimate goal for their other platforms as well.
I think if Apple was to add a developer mode to the iPhone, 99% of people would actually shut up.
How about a much simpler scenario, no threat at all. Just a dumb bug in software that puts your computer in DFU mode that says, please connect it to another Mac. Nice isn't it? And then you should run and find 'another Mac'. What if there are no other Macs around? What if you travel and have no connection to the internet, or it's limited? This is not a hypothetical situation, this is exactly what happened in my case. And then you are stuck in the field without any way to recover your machine. Nice isn't it?
"When Apple's servers go down you lose the ability to do low-level recovery on these machines anyway, since DFU flashing requires phoning home to get a ticket for your machine as well as low-level configuration data"
> Just dumb bug in software that puts your computer in DFU mode that says, please connect it to another Mac. Nice isn't it? And then you should run and find 'another mac'.
If your fundamental firmware-stuff is screwed up on any platform, you are going to have a bad time. Being able to plug into an off-the-shelf machine and fix it, or to plug into another PC running special software, is much better than I'm accustomed to.
>If your fundamental firmware-stuff is screwed up on any platform
Sure, I just have an impression after some googling that this DFU happens much more frequently than one would expect. Certainly I didn't expect it to happen on the first day after purchase, but it did. So perhaps this pleasing 'much better' ability to fix it by just connecting it to another device that you probably do not possess (in my case) comes with the other pleasure of having to do it more frequently. If that is the case then I really prefer the state to which you are accustomed.
I have never had to deal with firmware on Apple hardware (excepting "zapping the PRAM" on classic Macs). I've had to deal with it dozens of times on other platforms.
We have 3 Apple Silicon based Macs in the house, and there's 4-5 others that I support. So far 0 incidents in about 3 device years. I don't think it's tremendously common like you imply.
In the same time period, I built two Ryzen machines, and had to swap in older processors to run BIOS updates on each, and the laptops in my wife's classroom all decided to take themselves out of service for an hour one day to do BIOS updates that were delivered by Windows update and then only triggered on the second reboot after update when we all thought we were safe.
I've bought one of every major M1 model for testing purposes and have done all kinds of crazy things to them, and the only time something weird happened was with the original firmware version where I managed to break recovery mode by messing with diskutil, but I was able to fix it from macOS without requiring a DFU flash. It's never happened again and I've done the same thing dozens of times, so I think that was some silly bug in the shipping firmware version that has long since been fixed. I never actually had to resort to DFU recovery (though I still tested it a bunch as part of improving support for it in idevicerestore).
Yes, if you don't have internet access you have a problem, but I'm personally happy enough with the benefits of this security model that I'm willing to accept the tradeoff.
The Mac has existed for 37 years and the iPhone for 15 of those and the Mac is still open to running whatever OS users choose. You really need to find an argument other than an unqualified "the future is doom and gloom" when after all this time that future hasn't come and the platform remains open.
>The Mac has existed for 37 years and the iPhone for 15 of those
So iPhone is closed for 15 years already and thus "the future is doom and gloom" is happening for 15 years already. The more important question is what will be next.
>You really need to find an argument other than an unqualified "the future is doom and gloom" when after all this time that future hasn't come and the platform remains open.
Argument can be qualified or unqualified depending on the topic. It is unclear which topic assumed here.
Additionally, many of these security measures are put in place to prevent that rootkits/malware can compromise the firmware, boot loader, or operating system.
How do you secure something when others know the secret? There has to be some "secret" (aka key) that some definition of "you" alone knows, that the system then tests against (hopefully via some kind of asymmetric system or hash).
> BoorishBears - What key is shared between you and the manufacturer here? There's signing keys and there's passcodes, which ones are you "not the only one with"?
because you don't even have the key? not sure where passcodes came from