I think this can't be stated enough. The fact of the matter is that pre-T2, evil maid attacks were ridiculously easy. Now they're at least as secure as iOS -- which also means that shared vulnerabilities can be patched and detected. By no means is it perfect security, but it's a heck of a lot better than "stick boot disk in and gain keys to the kingdom."
For so long we've gone by the mantra that physical access means you have root. Now we're a step ahead of that -- which is great for data privacy.
...and absolutely horrible for freedom. It used to be the case, and still widely accepted for a lot of other products, that physical ownership actually meant something beyond just being a consumer. Now companies are turning the security against users, lest they also be attackers. From the point of view of the DRM-advocating media corporations, the user is an attacker. Locking down the platform to allow only "trusted" (not by you, but by them!) code only benefits when their goals align with yours; you may agree with them on not wanting things like ransomware, but not on things like them not allowing you to share a file between two apps or even run code you wrote yourself.
It's scarier than any security attack to see what used to be an open and free platform turned into a walled garden of corporate control and obedience.
(Insert famous Benjamin Franklin quote.)
It still does. The only thing is we've distinguished physical ownership and mere physical possession.
It is a feature that if I leave my personal laptop at my desk at work while using the bathroom, my IT department can't rootkit it. It is an improvement to my freedom - both my computing freedom and my physical freedom - if I can leave a laptop in my hotel room while seeing tourist sights. It protects me from the government if a border control agent looking through my bag, or a cop who's seized my laptop, can't get in. (The iPhone is an existence proof that such defense against the government is possible, and it's weird that the usually pro-personal-liberty free software crowd hasn't decided that a free software implementation of the same thing is critically important.)
Of course software freedom requires access control. My freedom over my possessions involves other people's lack of freedom over my possessions. I can't make sure my computer is running the code I want it to if everyone else can make my computer run the code they want it to. This control is essential liberty; pretending that anyone with physical access is an owner because it's easier than crypto and key management has been decades of temporary convenience, and I'm glad it's coming to an end.
I can turn secure boot on and off with an admin password, which I set when I first booted the machine because that's what demonstrates physical ownership and not mere possession. (And systems that don't permit me to do so, like Microsoft or Apple ARM devices, are in fact an affront to software freedom.) But nobody else can.
This has always been the case, has it not? Modern security practices seem to operate under the assumption that the attacker can do almost anything the user can except sniff the password out of the user's head.
I think that's a reasonable model to work under. Building a platform that makes it a near-guarantee that the only way to unlock a computer is to be in the user's brain is a commendable security model, and the fact that Apple is executing it so seamlessly (i.e. with minimal user interaction) is honestly incredible. Gone are the days when you need to jump through hoops for security. It's democratized and available to everyone.
I would say that this is amazing for freedom. You could ask for little more than for every citizen to have state-of-the-art security.
---
Of course, vote with your wallet. If you don't like DRM content, don't get it. If you like the T2 chip and need a new laptop, get a Mac. No one is depriving you of choice, here.
They provide a setting that lets you disable the boot security at will, allowing you to install Linux or any other alternative OS. Security features on macOS (as opposed to iOS) are generally optional, but enabled by default (as is the sensible choice).
They don’t provide you the ability to reprogram the T2 itself, which is a shame but not entirely without merit - compromising the T2 chip would be far more dangerous than compromising the OS in terms of persistence.
Most users' threat posture is around security from adversaries who may gain control of their hardware. That security helps preserve their freedom, to store secrets more safely on the device etc.
Users are generally much less concerned with their own ability to hack / boot an alternative OS etc.
I suspect very few companies other than Apple will even have a chance of standing up to big gov demands, and even Apple may cave (though they seemed willing to stick to principle even in the case of a known domestic terrorist shooter, which is one of the toughest arguments to make).
If you need the freedom to be hacked and to hack your own hardware, consider an Android or Linux machine.
Factually and objectively wrong.
This does nothing for end-user security which wasn’t already solved by UEFI Secure boot half a decade ago.
The only difference here is that Apple now insist on owning all the keys, taking away any aspect of end-user freedom which may have been present in the UEFI spec.
This is all bad, all regression for the PC-platform and Apple should definitely not be applauded.
UEFI Secure Boot is a noop security-wise if you don't have a TPM to store keys and validate signatures, otherwise it's trivial to bypass. This whole thing implements UEFI Secure Boot, and T2 is the TPM.
Secure Boot can be disabled to install Linux, the only difference from before T2 was introduced on Macs being that Linux fails to initialise/access† internal storage behind T2. Using either a pre-signed loader with MOKs in NVRAM or your own signing keys is terribly involved[0][1] and adding keys or disabling SB is not always supported, even on PCs.
† For reasons yet unknown which could be any of a) bug in T2, b) lack of hardware support within Linux, c) intentional security measure, d) intentionally crippled feature. Judgement as to whether this is a glitch, undocumented hardware behaviour, or a mischievous scheme is currently impossible and an open question; stating anything one way or the other is currently based purely on personal beliefs, not facts.
[0] https://wiki.archlinux.org/index.php/Secure_Boot
[1] http://www.rodsbooks.com/efi-bootloaders/secureboot.html#fin...
This hasn't been the case for a long time. Chromebooks shipped with "verified boot" since the first consumer hardware in 2011. Windows machines have been shipping with UEFI secure boot, which Apple uses the T2 chip to implement, for the past 6 years.
So the vast PC-market with UEFI secure boot which predates this by 6 years was somehow not the “mass market”, but the relatively tiny MacBook market is?
With factual errors like this present already in the introduction, it’s hard to take anything which follows it seriously.
This just comes off like fanboy-fluff.
No other device on the market currently provides a secondary processor that runs full validation of the UEFI firmware before allowing the processor to start booting.
It's not just secure boot, which has been around for a while, it's everything around it.
On almost all other devices you could write new data to a flash chip and that now becomes the UEFI boot loader that is used (and can bypass secure boot). There is no verification of the UEFI bootloader that is possible because it's sitting in NVRAM or Flash... and you can't trust it to self-verify because it may have been tampered with.
Let me see if I understand you completely.
What you're saying is that if an attacker is willing to physically dismantle the machine, he can then, using SPI-flasher HW, replace the UEFI firmware on the machine with a custom UEFI firmware which does not enforce secure-boot...
And thus the machine's security is compromised?
If so, let me just state my opinion: If that's the kind of attacker you are trying to protect against, no amount of security measures is going to keep you fully secure.
And if we're going down that lane: what prevents an attacker this sophisticated from doing the same with the T2-chip's firmware?
What Apple offers with the T2 chip, for most people, has almost zero value, while providing lots of drawbacks over traditional UEFI Secure Boot.
This is all about Apple extending their platform lock-in to no longer only apply to mobile and tablet-space, but also to their traditional computer-line of products.
There's nothing noble being done here. It's just a plain-in-sight money-grab.
HP laptops have a secondary processor (SureStart) for firmware integrity, http://h10032.www1.hp.com/ctg/Manual/c05163901
Everything is relative.
When enabled, what Secure Boot ensures is that only boot media signed by a trusted key (which, unless user-replaced, is typically the vendor-provided key that trusts MS Windows and common Linux distros) can be booted.
This guarantees that the base OS and kernel booted by the machine can be trusted to not be tampered with by untrusted parties. That is, the most important part of the OS is protected against malicious modifications and attacks by the firmware.
However if this is the only security-measure you have, there is nothing preventing a physical attacker from extracting the drive into another machine, and on this machine modify non-boot related OS-files to introduce a backdoor or trojan, and then put the drive back into the original machine.
You will then boot a trusted kernel, which later on may load malicious code. Secure boot alone does not protect against a scenario like this.
But if you use Secure Boot together with BitLocker, LUKS or other full-disk encryption solutions, you should be reasonably secure, even against physical attackers.
Basically Secure Boot is not a full security solution, but it is the base which you need for a fully trusted, tamper-proof computing environment. Without it, you wouldn't know if someone is logging your password or not when unlocking the encrypted drives.
Also, the latest Macs do not contain the Microsoft UEFI signing key, only the Microsoft Windows and Apple signing keys. So the only way to boot Linux is to disable Secure Boot, leaving people less secure.
Unlike on PCs, on T2 Macs Linux will only be bootable with Secure Boot disabled, making the system much less secure.
To make matters worse, the T2 chip administers access to the built in SSD, so it will be completely inaccessible for Linux to use for anything.
When Apple stops supporting this machine, you won’t be able to keep it chugging by loading another OS.
I could say Apple is trying to terminate the only remaining computing platform which respects end-user freedom and ownership, but I’m not sure if it would be a joke or not...
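A toy model of the boot chain discussed in this thread, added here as an illustration; it is not code from the original comments, from Apple, Microsoft or any UEFI implementation. It ties together two points made above: a root of trust that checks the UEFI firmware itself before anything else runs (the separate-processor argument made earlier about T2 / SureStart), and the db/dbx allow-list check this comment explains, followed by a disk-encryption key that is released only when the measured chain matches what it was sealed to, which is why Secure Boot is paired with full-disk encryption. Everything here is constructed: the image contents, disk paths and key are made up, db/dbx are modelled with SHA-256 image hashes only (real databases also hold X.509 certificates), and the "TPM" is a plain dictionary rather than a chip.

```python
"""Toy model of a verified and measured boot chain (added illustration,
not vendor or UEFI reference code).  An immutable root of trust checks each
stage against an allow-list (db) and a revocation list (dbx), folds a
measurement of every stage into a PCR-style register, and the disk key is
released only if the final measurement equals the value it was sealed to."""
import hashlib
from typing import Dict, List, Optional, Set

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Constructed stand-ins for real firmware and boot images.
UEFI_FIRMWARE  = b"vendor UEFI firmware 1.2"
VENDOR_LOADER  = b"vendor-signed EFI loader 2.0"
REVOKED_LOADER = b"vendor-signed EFI loader 1.0 (vulnerable)"
KERNEL         = b"kernel image"
EVIL_LOADER    = b"EFI loader that skips verification"

# Real db/dbx entries are X.509 certificates or SHA-256 image hashes;
# this toy uses hashes only.  dbx always overrides db.
DB: Set[bytes]  = {sha256(UEFI_FIRMWARE), sha256(VENDOR_LOADER),
                   sha256(REVOKED_LOADER), sha256(KERNEL)}
DBX: Set[bytes] = {sha256(REVOKED_LOADER)}

def stage_allowed(image: bytes, secure_boot: bool = True) -> bool:
    """Policy decision for one stage.  With Secure Boot off, anything runs."""
    if not secure_boot:
        return True
    h = sha256(image)
    return h not in DBX and h in DB

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement).  Order matters and the
    register can never be set to a chosen value, only extended."""
    return sha256(pcr + measurement)

def boot(stages: List[bytes], secure_boot: bool = True) -> Optional[bytes]:
    """Run the chain from the root of trust.  Returns the final measurement
    register, or None if a stage was refused.  Measuring happens even when
    Secure Boot is off: that is what lets a sealed key notice a swapped stage."""
    pcr = bytes(32)
    for image in stages:
        if not stage_allowed(image, secure_boot):
            return None
        pcr = pcr_extend(pcr, sha256(image))
    return pcr

# Constructed disk: the two chain stages plus a file the chain never looks at.
DISK: Dict[str, bytes] = {
    "/EFI/BOOT/BOOTX64.EFI": VENDOR_LOADER,
    "/boot/vmlinuz": KERNEL,
    "/usr/bin/login": b"login binary",
}
CHAIN_PATHS = ["/EFI/BOOT/BOOTX64.EFI", "/boot/vmlinuz"]

def boot_from_disk(disk: Dict[str, bytes], secure_boot: bool = True) -> Optional[bytes]:
    # The firmware is verified first, by the root of trust, before anything on disk.
    return boot([UEFI_FIRMWARE] + [disk[p] for p in CHAIN_PATHS], secure_boot)

def seal(key: bytes, expected_pcr: bytes) -> dict:
    """Bind a key to a measurement.  A real TPM keeps the key inside the chip
    and enforces the policy itself; here it is a plain record."""
    return {"policy": expected_pcr, "key": key}

def unseal(blob: dict, pcr: Optional[bytes]) -> Optional[bytes]:
    return blob["key"] if pcr is not None and pcr == blob["policy"] else None

FDE_KEY = b"\x11" * 32                          # constructed disk-encryption key
SEALED = seal(FDE_KEY, boot_from_disk(DISK))    # provisioned on a known-good chain

def scenario_untouched() -> Optional[bytes]:
    return unseal(SEALED, boot_from_disk(DISK))

def scenario_evil_loader(secure_boot: bool) -> Optional[bytes]:
    """Loader swapped on disk.  Secure Boot on: refused outright.  Secure Boot
    off: it runs, but the measurement differs, so the key stays sealed and the
    attacker's loader is left staring at ciphertext."""
    tampered = {**DISK, "/EFI/BOOT/BOOTX64.EFI": EVIL_LOADER}
    return unseal(SEALED, boot_from_disk(tampered, secure_boot))

def scenario_revoked_loader(secure_boot: bool = True) -> bool:
    """Downgrade to a once-valid loader now listed in dbx; True if it boots."""
    tampered = {**DISK, "/EFI/BOOT/BOOTX64.EFI": REVOKED_LOADER}
    return boot_from_disk(tampered, secure_boot) is not None

def scenario_rootfs_edit() -> Optional[bytes]:
    """A file outside the chain is backdoored offline.  Every check above still
    passes and the key is still released: Secure Boot is blind to it, so only
    disk encryption stands between the attacker and that file."""
    tampered = {**DISK, "/usr/bin/login": b"login binary with backdoor"}
    return unseal(SEALED, boot_from_disk(tampered))

if __name__ == "__main__":
    print("untouched chain releases key:", scenario_untouched() == FDE_KEY)
    print("evil loader, Secure Boot on:", scenario_evil_loader(True))
    print("evil loader, Secure Boot off:", scenario_evil_loader(False))
    print("revoked loader boots:", scenario_revoked_loader())
    print("rootfs edit unnoticed:", scenario_rootfs_edit() == FDE_KEY)
```

The last scenario is the one this comment is really about: the loader and kernel measure identically whether or not /usr/bin/login was rewritten, so Secure Boot (and even a sealed key) says nothing about non-boot files; encryption is what makes that offline edit impractical. The revoked-loader case shows the other half of the design: a once-trusted loader still in db is refused because dbx is consulted first, and with Secure Boot turned off it boots but its measurement no longer matches the sealed policy.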
This isn’t true. You can install Linux on this, providing you disable Secure Boot. You can’t currently access the SSD, but that’s more the result of a driver not existing than it being inherently disallowed.
So it doesn't stop you in a way a game console might, but you lose some features of the hardware by doing so.
https://unix.stackexchange.com/questions/463422/how-can-you-...
It doesn't seem like it's a gain in security. Instead of attacking the "main system", you can just attack the T2; it's similar in complexity, meaning it will have similar vulnerabilities.
They might have bundled them together, but the layer around the secure part is just another system - it doesn't make anything more secure. All its functions could have been taken up by the main system.
The only possible security win is by making BridgeOS simpler and less likely to have vulnerabilities.