Hacker News new | ask | show | jobs
by p_l 668 days ago
That was during MS early flirting with ARM based devices running normal windows kernel.

The "setup your own PK without vendor or even Microsoft keys" is part of Microsoft's offering for some big dollar clients in Enterprise, which is why it's included in certification these days.

And I mean using your own keys, not running without SecureBoot, which was the topic linked in the 2012 discussion.
1 comments
sounds 668 days ago
I think you're intentionally obscuring the difference between:

(1) A system locked by Microsoft, who benevolently allows some users to achieve freedom by setting up new Platform Keys.

If the big dollar clients demand standardization and openness, then it might curtail the typical Microsoft antitrust shenanigans.

(2) A system that is owned by the purchaser, who may choose to deploy Microsoft or other security solutions, and then remove them, at will.

We already have (2), so any attempt to subvert it is by definition untrustworthy.

Item (1) is what is called "trustworthy computing," and Microsoft still openly celebrates it [1].

Item (2) is what is being obscured.

[1] https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...

link
p_l 667 days ago
I think you are intentionally obscuring the difference between "no standard solution for cryptographic check of what you're booting" and "solution that provides that which one of the vendors pushed to make switchable in ways that keep it open for others as well, even if only because it makes business sense for them as well"

Trustworthy computing, even in Microsoft way, involves owner deciding what's running and being able to verify that. Funnily enough Microsoft's "solution" here involves removing Microsoft keys and owner signing specific binaries they allow to run.

We don't have yours (2) because of various gaps you could drive an American freight train through. The options that exists are all even more closed down than SecureBoot (which is just one leg of Trustworthy Computing).

N.B. the main subversive component in all of this, and tellingly implemented because stakeholders of "trustworthy computing" actually care about owner control, is protected media path, foisted by MPAA and streaming industry through closed blobs in Intel ME and AMD PSP

link