T2 chip was all about us. TPM successor we control.
All about our safety. Stopping hackers.
And now today we see it's true purpose. Again hiding keys from you, serving their interests.
Glad to be a customer of NEITHER
The primary purpose of the chip is secure boot. A guy like me can't sneak a kernel extension onto your machine and do really nasty stuff. You have assurance that your OS is as it's supposed to be. (Unless you press command-r to disable secure boot).
It also secures things like touch ID, making it harder for me to do sneaky things and access your files and accounts.
It can provide some assurance that I'm not taking data off your machine. And it can provide some assurance that you're not taking data off your machine. The same hardware that makes it difficult for me to take your data away also makes it difficult for you to take Netflix 4K data.
The chip provides assurance. It's just transistors, it doesn't make moral judgements. It just makes sure that things are as specified.
That's really helpful if you have secrets and there are people like me poking at your machine. It's not so helpful if you want to rip Netflix 4K.
> Get down that horse and tell me how can i sign the OS boot with a Key I trust.
I would just give you the command here, but to be secure, everything in the TCB needs to be signed. It tries to handle *all* the different ways a hacker could end up in a kernel. Signing a bootloader is a little different from signing a kernel image is a little different than signing a kernel module. Installing your key the first time is a different command than using it later for a new kernel. Here is the process for each:
This is on Netflix, not Apple. Don't have an HDCP 2.2 capable monitor? Won't work! Don't use Microsoft Edge on Windows? No UHD for you!
Running GNU/Linux? Stallman don't do DRM, so neither can you! No 4K for you!
Now on to Apple, their Secure Boot implementation backed by the T2 chip won't let me downgrade/rollback the bootloader or kernel to bypass security. Compare that to GNU/Linux, where a compromised system can be transparently made to boot an older, more vulnerable kernel and on Windows, where an at
It's an interesting idea and this approach has some me advantages in some applications.
On the other hand, using Silverblue as an example,/var,/root,/home,/opt,/use/local, and/srv are all fully writeable. Which includes/root/.bashrc and root's PATH, btw - think about what that means. "grep" might well be/var/tmp/grep, a nice little binary put there by who knows. Which is to say, don't get OVER excited about the idea.
Security fundamentally requires that you be able to update important things to addr
Well yes. If you want to write your own kernel modules and you don't want to turn secure boot off by pressing command-R, buy any PC brand other than Mac.
And if someone spends $300 million making a movie and doesn't want you posting rips all over the web, they'll not send it to you.
DRM not "decoding". (Score:1)
It's both, really (Score:3)
The primary purpose of the chip is secure boot. A guy like me can't sneak a kernel extension onto your machine and do really nasty stuff. You have assurance that your OS is as it's supposed to be. (Unless you press command-r to disable secure boot).
It also secures things like touch ID, making it harder for me to do sneaky things and access your files and accounts.
It can provide some assurance that I'm not taking data off your machine.
And it can provide some assurance that you're not taking data off your machine.
The same hardware that makes it difficult for me to take your data away also makes it difficult for you to take Netflix 4K data.
The chip provides assurance. It's just transistors, it doesn't make moral judgements. It just makes sure that things are as specified.
That's really helpful if you have secrets and there are people like me poking at your machine. It's not so helpful if you want to rip Netflix 4K.
Re:It's both, really (Score:5, Insightful)
Re: (Score:2)
Get down that horse and tell me how can i sign the OS boot with a Key I trust.
If you don't own the keys, that just mean you attacker had to pay someone before taking over your machine.
Here's an article that shows you how (Score:2)
> Get down that horse and tell me how can i sign the OS boot with a Key I trust.
I would just give you the command here, but to be secure, everything in the TCB needs to be signed. It tries to handle *all* the different ways a hacker could end up in a kernel. Signing a bootloader is a little different from signing a kernel image is a little different than signing a kernel module. Installing your key the first time is a different command than using it later for a new kernel. Here is the process for each:
Re: Here's an article that shows you how (Score:2)
Mod parent up. Thatâ(TM)s stuff I never heard before, and quite useful. Thanks.
Re: (Score:2)
Running GNU/Linux? Stallman don't do DRM, so neither can you! No 4K for you!
Now on to Apple, their Secure Boot implementation backed by the T2 chip won't let me downgrade/rollback the bootloader or kernel to bypass security. Compare that to GNU/Linux, where a compromised system can be transparently made to boot an older, more vulnerable kernel and on Windows, where an at
Re: (Score:2)
It's an interesting idea and this approach has some me advantages in some applications.
On the other hand, using Silverblue as an example, /var, /root, /home, /opt, /use/local, and /srv are all fully writeable. Which includes /root/.bashrc and root's PATH, btw - think about what that means. "grep" might well be /var/tmp/grep, a nice little binary put there by who knows. Which is to say, don't get OVER excited about the idea.
Security fundamentally requires that you be able to update important things to addr
Re: (Score:1)
Great, but the PC owner should have keys to install kernel module he wants (and rip the damn video), not only Apple.
Re: (Score:2)
Well yes.
If you want to write your own kernel modules and you don't want to turn secure boot off by pressing command-R, buy any PC brand other than Mac.
And if someone spends $300 million making a movie and doesn't want you posting rips all over the web, they'll not send it to you.