
Secure Boot in the Era of the T2 - archvile
https://duo.com/labs/research/secure-boot-in-the-era-of-the-t2
======
Shank
> Apple should be lauded for trying to bring their laptop and desktop lines
> into the same defensive posture as their mobile offerings.

I think this can't be stated enough. The fact of the matter is that pre T2,
evil maid attacks were ridiculously easy. Now they're at least as secure as
iOS -- which also means that shared vulnerabilities can be patched and
detected. By no means is it perfect security, but it's a heck of a lot better
than "stick boot disk in and gain keys to the kingdom."

For so long we've gone by the mantra that physical access means you have root.
Now we're a step ahead of that -- which is great for data privacy.

~~~
userbinator
_which is great for data privacy._

...and absolutely horrible for freedom. It used to be the case, and still
widely accepted for a lot of other products, that physical ownership actually
meant something beyond just being a consumer. Now companies are turning the
security against users, lest they also be attackers. From the point of view of
the DRM-advocating media corporations, the user _is_ an attacker. Locking down
the platform to allow only "trusted" (not by _you_ , but by _them_!) code only
benefits when their goals align with yours; you may agree with them on not
wanting things like ransomware, but not on things like them not allowing you
to share a file between two apps or even run code you wrote yourself.

It's scarier than any security attack to see what used to be an open and free
platform turned into a walled garden of corporate control and obedience.

(Insert famous Benjamin Franklin quote.)

~~~
geofft
> _It used to be the case, and still widely accepted for a lot of other
> products, that physical ownership actually meant something beyond just being
> a consumer._

It still does. The only thing is we've distinguished physical ownership and
mere physical possession.

It is a _feature_ that if I leave my personal laptop at my desk at work while
using the bathroom, my IT department can't rootkit it. It is an _improvement
to my freedom_ - both my computing freedom and my physical freedom - if I can
leave a laptop in my hotel room while seeing tourist sights. It _protects me
from the government_ if a border control agent looking through my bag, or a
cop who's seized my laptop, can't get in. (The iPhone is an existence proof
that such defense against the government is possible, and it's weird that the
usually pro-personal-liberty free software crowd hasn't decided that a free
software implementation of the same thing is critically important.)

Of course software freedom requires access control. My freedom over my
possessions involves other people's lack of freedom over my possessions. I
can't make sure my computer is running the code I want it to if everyone else
can make my computer run the code they want it to. This control is essential
liberty; pretending that anyone with physical access is an owner because it's
easier than crypto and key management has been decades of temporary
convenience, and I'm glad it's coming to an end.

I can turn secure boot on and off with an admin password, which I set when I
first booted the machine because that's what demonstrates physical ownership
and not mere possession. (And systems that don't permit me to do so, like
Microsoft or Apple ARM devices, are in fact an affront to software freedom.)
But nobody else can.

~~~
michaelmrose
Even if you turn secure boot off, you cannot grant, for love or any amount of
money, permission for software of your choosing to access the built-in storage,
which is pretty much required for normal people to be able to run software of
their choosing on the machine.

Few people will buy equivalent external ssd storage for 300-500 and carry it
around with them to have access to a second OS.

There is absolutely no reason to believe that they will ever act to increase
your ownership of your own device and every reason to believe that you will
ultimately have about the same privileges as someone using their employer's
machine at work while being expected to pay full freight.

It's especially bemusing when you understand that evil maid is almost
nonexistent in reality while your actual loss of freedom has real effects now.

~~~
geofft
What software of your choice have you attempted to use, where did it fail, and
what's the stack trace?

Given that Windows works, it's hard to believe that any issues accessing
internal storage are a result of permissions. It just sounds like nobody's
implemented Linux support for the hardware. Why don't you?

If you're not able to either spend time writing a driver or hiring someone to
do so, you have no meaningful ability to exercise your software freedom. You
might be lucky if someone else implements support; you might not. But that's
always been true.

~~~
angelsl
Windows works on the new MacBook not because it has special drivers for
NVMe-via-T2 but because Apple trusts Microsoft's EFI key.

So no, stop it with all this "Linux works if you just disable Secure Boot"
nonsense. It doesn't. You can run Linux from a USB key, sure, but it can't
access the internal NVMe SSD!

~~~
comex
Judging by this post:

[https://unix.stackexchange.com/a/479544](https://unix.stackexchange.com/a/479544)

It looks like some kind of driver issue, not an intentional lockout.

To corroborate this, while I don’t have personal experience running Linux on
T2 devices, I do know it’s possible to build xnu from source and boot the
resulting unsigned kernel (in “No Security” mode) without the disk
disappearing.

------
josteink
> We believe the T2 platform is a leap forward in platform security in the
> Apple ecosystem, and it begins to bring exciting security properties like
> Secure Boot capabilities to the mass market.

So the vast PC market with UEFI Secure Boot, which predates this by 6 years, was
somehow _not_ the "mass market", but the relatively tiny MacBook market is?

With factual errors like this present already in the introduction, it’s hard
to take anything which follows it seriously.

This just comes off like fanboy-fluff.

~~~
X-Istence
You are missing the bigger picture in your attempt to immediately discard the
original article's premise because you feel like it comes off as fanboy-fluff.

No other device on the market currently provides a secondary processor that
runs full validation of the UEFI firmware before allowing the processor to
start booting.

It's not just secure boot, which has been around for a while, it's everything
around it.

On almost all other devices you could write new data to a flash chip and that
now becomes the UEFI boot loader that is used (and can bypass secure boot).
There is no verification of the UEFI bootloader that is possible because it's
sitting in NVRAM or Flash... and you can't trust it to self-verify because it
may have been tampered with.

~~~
josteink
> On almost all other devices you could write new data to a flash chip and
> that now becomes the UEFI boot loader that is used (and can bypass secure
> boot).

Let me see if I understand you completely.

What you're saying is that if an attacker is willing to physically dismantle the
machine, he can then, using SPI-flasher HW, replace the UEFI firmware on the
machine with a custom UEFI firmware which does not enforce secure-boot...

And thus the machine's security is compromised?

If so, let me just state my _opinion_: If that's the kind of attacker you are
trying to protect against, no amount of security measures is going to keep you
fully secure.

And if we're going down that lane: what prevents an attacker this
sophisticated from doing the same with the T2-chip's firmware?

What Apple offers with the T2 chip, for most people, has almost zero value,
while providing lots of drawbacks over traditional UEFI Secure Boot.

This is all about Apple extending their platform lock-in to no longer only
apply to mobile and tablet-space, but also to their traditional computer-line
of products.

There's nothing noble being done here. It's just a plain-in-sight money-grab.

~~~
X-Istence
> What you're saying that if an attacker is willing to physically dismantle
> the machine, he can then, using SPI-flasher HW, replace the UEFI firmware on
> the machine with a custom UEFI firmware which does not enforce secure-boot...

Yeah, that's kind of the classic evil maid attack, and it is not unheard of
for various spy agencies to dismantle devices to gain access or install bugs.

> If that's the kind of attacker you are trying to protect against

That is exactly what the T2 chip is designed to protect against, and more.

The T2 chip also runs all of the encryption/decryption for the integrated
storage, this way all data on the flash is encrypted at all times.

I can imagine that the T2 chip over time will be able to do much more to help
provide extra verification and security to the device and help keep users
safe.

> And if we're going down that lane: what prevents an attacker this
> sophisticated from doing the same with the T2-chip's firmware?

Because the firmware on the T2 chip is signed and the way the chip is designed
the only way to get firmware on it is to decap it because it is stored
internal to the chip itself.

With your stock standard x86 motherboard that is not the case because the
firmware is loaded from an unencrypted and unverified flash chip.

> What Apple offers with the T2 chip, for most people, has almost zero value

We'll have to agree to disagree, because the T2 chip also does full line-rate
encryption/decryption of the storage with no OS involvement at all. This means
if your laptop falls in the wrong hands, now people can't get at the data even
by reading directly from the flash chips.

----

You are the one that claimed that the article was fanboy-fluff, I just
described a feature that no other machine has... and you immediately consider
it a money-grab rather than something to laud Apple for. Yet SecureBoot is
good enough? Why not keep improving upon the status quo? Why not make it
easier for people to keep their data private and secure?

It's all about defense in depth, and Apple added one more depth to their
platform.

~~~
josteink
> Because the firmware on the T2 chip is signed

So is pretty much all UEFI firmware too though. It may not be encrypted, but
it is certainly verified. Feel free to ask the Coreboot people about details
here.

> We'll have to agree to disagree, because the T2 chip also does full
> line-rate encryption/decryption of the storage with no OS involvement at all.

But for people who have been using BitLocker or LUKS transparently (because
it's built into the OS) for half a decade+, there are absolutely zero new
things offered, and no visible improvements offered.

The only effective change is restrictions in end-user freedom.

> Yet SecureBoot is good enough? Why not keep improving upon the status quo?
> Why not make it easier for people to keep their data private and secure?

If a security feature which can easily be implemented (securely) in the OS is
moved to firmware, I could be willing to consider that a good thing, but not if
it comes at the cost of end-user freedom.

And here it certainly does.

------
cmurf
The article reinforces my disappointment in Apple. First they use an Apple
variant of Intel EFI 1.10 forever, even well past the time UEFI incorporated
Secure Boot. Instead of writing up a critique and proposal to fix any
problems/limitations with UEFI Secure Boot, Apple has to go do a damned
proprietary thing. Again.

Also, the latest Macs do not contain the Microsoft UEFI signing key, only the
Microsoft Windows and Apple signing keys. So the only way to boot Linux is to
disable Secure Boot, leaving people less secure.

------
sudo-i
Does this have any bearing on running Linux on MacBooks?

~~~
josteink
> Does this have any bearing on running Linux on MacBooks

Unlike on PCs, on T2 Macs Linux will only be bootable with Secure Boot
disabled, making the system much less secure.

To make matters worse, the T2 chip administers access to the built-in SSD, so
it will be completely inaccessible for Linux to use for anything.

When Apple stops supporting this machine, you won’t be able to keep it
chugging by loading another OS.

I could say Apple is trying to _terminate_ the only remaining computing
platform which respects end-user freedom and ownership, but I’m not sure if it
would be a joke or not...

~~~
saagarjha
> the T2 chip administers access to the built-in SSD, so it will be completely
> inaccessible for Linux to use for anything.

This isn’t true. You can install Linux on this, providing you disable Secure
Boot. You can’t currently access the SSD, but that’s more the result of a
driver not existing than it being inherently disallowed.

~~~
Dunedan
> You can’t currently access the SSD, but that’s more the result of a driver
> not existing than it being inherently disallowed.

That's not clear yet. There is an NVMe driver available in Linux which works
fine with pre-T2 Macs. On T2 Macs, however, the whole platform resets a few
seconds after initializing the NVMe controller. The question is: is that a bug
in the driver or the NVMe implementation of the T2 chip, or something Apple does
intentionally?

~~~
X-Istence
Let's not attribute to malice what can easily be attributed to incompetence.

~~~
floatboth
In a chip that has "secure" in its name, it's quite likely that a sudden
system shutdown is intentional.

------
akvadrako
The T2 does so much, essentially running an OS comparable to iOS. The author
even suggests it might allow apps.

It doesn't seem like it's a gain in security. Instead of attacking the "main
system", you can just attack the T2; it's similar in complexity, meaning it
will have similar vulnerabilities.

~~~
IMcD23
Try pulling data off my iPhone with physical access. Now, try pulling data off
a pre-T2 Mac. The T2 brings many security improvements to the Mac.

~~~
akvadrako
It's not because of the T2 though - it's because of the Secure Enclave holding
the keys for disk encryption and firmware/kernel signatures.

They might have bundled them together, but the layer around the secure part is
just another system - it doesn't make anything more secure. All its functions
could have been taken up by the main system.

The only possible security win is by making BridgeOS simpler and less likely
to have vulnerabilities.

~~~
lloeki
I'd still say it's a net gain overall†, although the Great Bundling is
questionable and definitely concerning in terms of attack surface, yet the
synergies when finding and _fixing_ vulnerabilities should not be taken
lightly.

† It's overall a good thing evil maid/law enforcement/whatever doesn't get to
have trivial access to the user's device anymore.

