I am reading about Unified Attestation (https://uattest.net/).

I cannot escape the feeling that taking a user-hostile concept (Google Play Integrity), and making it Free / open source software, does not make it any less user hostile.

Unified Attestation

Unified Attestation is a free, open-source alternative to Google Play Integrity with offline verification and simple app + server integration.

@neil yea. TPM is interesting technically and all but when I see people progressing it in OSS I'm like (sucks teeth)

@arichtman @neil it does provide real world value, though. however, it's not something that should ever be required, and I don't think that's the direction OSS is heading, so I don't really see a problem?

@arichtman @neil as someone who has been in a situation where hardware security was critical, and having systems in place to prevent tampering or data extraction from my devices was important, I do appreciate the ability to use something like a TPM to tie the boot process into the firmware configuration, and even hardware status (e.g. laptop lid opened, different HW configuration detected)
tante (@[email protected])

Audre Lorde's "The master's tools will never dismantle the master's house." is not just a statement about a tool being tainted by its origin. It's about what kind of tool a "master" would create: Whips. Chains. Violent suppression. That's the meaning: You cannot just take tools whose purpose and politics is dominance and violence and "make them liberatory". This goes deeper than "just" embedded politics or lofty talks about ethics, it comes down to what kind of relations you believe do and should and must not structure the world.

tldr.nettime
@neil same, I think the GrapheneOS devs put it well when they said (in effect) that giving phone manufacturers the ability to decide what users can put on their devices is not better than letting Google do it.

@wombatpandaa @neil yeah, I see the value for attestation, as long as it's controlled by the user and not the phone manufacturers. like secure boot, TPM, etc.

@neil @MissingClara

I disagree. These attestations provide absolutely nothing of value. The thing I want from an attestation is:

This app is running and is not tampered with in any way.

The thing that it's possible to provide with these is:

Assuming that the 50-100M lines of C/C++ code that run in higher privilege levels than this app are bug free and not malicious, this app has not been tampered with in any way.

Conflating the two is incredibly misleading. SGX attestation was marginally better, at least in theory, because you'd run a small trusted component in the enclave and the hardware (well, actually, the signing enclave) attested that this code was isolated from the rest of the system and was the code that you thought it was.

If, say, I'm a bank, and I want to get an attestation that my app isn't tampered with, these things run a privileged userspace process that queries a bunch of information and then provides a signed attestation. It is typically signed by whatever did the secure boot thing but secure boot is built on top of inductive security proofs. Assuming the first-stage loader is bug-free, it tells you the state of the second-stage loader at start. Assuming that the second-stage loader is bug-free, it will then tell you the state of the Linux kernel at boot time. The Linux kernel is roughly 30MLoC, almost all C. It averages one CVE every 2.5 days for the CIP releases. It executes for an unbounded number of steps. About the only thing that the secure-boot attestation tells you is that the kernel was compromised at some point after being booted. Once that's happened, no guarantees about any userspace code hold.
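
An added illustration of the measurement chain described in the post above (not part of the thread and not any poster's or project's code): a simplified model of TPM-style PCR extension, showing that a boot-time quote changes when a loader stage changes but not when kernel state changes after boot. The `Device` class, the stage names and the unsigned quote are assumptions made for the example.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # PCR value at power-on in this model

def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measured_boot(stages: list[bytes]) -> bytes:
    """Each stage is measured before it runs; the PCR summarises the chain."""
    pcr = PCR_RESET
    for image in stages:
        pcr = extend(pcr, image)
    return pcr

class Device:
    def __init__(self, stages: list[bytes]):
        self.pcr = measured_boot(stages)   # fixed once boot completes
        self.kernel_memory = stages[-1]    # live state, mutable afterwards

    def change_kernel_at_runtime(self, new_state: bytes) -> None:
        # Models any post-boot change to kernel state; nothing re-measures it.
        self.kernel_memory = new_state

    def quote(self) -> bytes:
        return self.pcr  # a real quote is also signed; omitted in this model

def verifier_accepts(quote: bytes, expected_stages: list[bytes]) -> bool:
    return hmac.compare_digest(quote, measured_boot(expected_stages))

# Constructed sample images (placeholders, not real firmware).
GOOD = [b"first-stage loader v1", b"second-stage loader v1", b"kernel v1"]

def demo() -> dict:
    clean = Device(GOOD)
    altered_at_boot = Device([GOOD[0], b"second-stage loader PATCHED", GOOD[2]])
    altered_later = Device(GOOD)
    altered_later.change_kernel_at_runtime(b"kernel v1 + injected state")
    return {
        "clean": verifier_accepts(clean.quote(), GOOD),
        "altered_at_boot": verifier_accepts(altered_at_boot.quote(), GOOD),
        "altered_later": verifier_accepts(altered_later.quote(), GOOD),
        "live_state_matches_image": altered_later.kernel_memory == GOOD[-1],
    }

if __name__ == "__main__":
    print(demo())
```
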

@david_chisnall @neil @MissingClara "If, say, I'm a bank, .."

..then you are not the owner or rightful authority over my device and you have no business knowing what modifications I did or didn't make to any of the software running on it.

@david_chisnall @neil @MissingClara In particular, attestation to the banking industry is the next consumer-hostile step in a long program to claw back the liability protection we've enjoyed for decades with Visa, where some level of fraud is a cost of doing business for the bank and the merchant, not a risk to the consumer. Previous stages in this program were campaigns like Verified By Visa and whatever other names they called it by, badgering to enter your PIN at PoS terminals, etc. All attempts to shift to a presumption that the account holder authorized a fraudulent transaction and weaken their right to deny it.

@MissingClara @wombatpandaa @neil I reject the claimed value even then. It is always, inherently, "cop in your pocket" technology and ACAB.

@neil yeah, GrapheneOS posted about this the other day and they don't like it either. i can't think of a reason to disagree

@neil I'd argue that the very concept violates...probably all four of the Four Freedoms, therefore it cannot be Free Software.

Open Source has kinda always been about letting corporations walk all over people though so using that term seems fine...

@neil Also not free oss given it's just a cartel instead of "if the HW sig passes" like graphene does.