Linked by Thom Holwerda on Tue 12th Dec 2017 22:45 UTC
Apple

Apple has made the iMac Pro available to order, but since we already know all the details about its specifications, there's one particular aspect I'd like to focus on: the iMac Pro contains new Apple-developed silicon. It's called the T2, and as described by Cabel Sasser:

The iMac Pro features new apple custom silicon: the T2 chip. It integrates previously discrete components, like the SMC, ISP for the camera, audio control, SSD control... plus a secure enclave, and a hardware encryption engine. This new chip means storage encryption keys pass from the secure enclave to the hardware encryption engine in-chip - your key never leaves the chip. And it allows for hardware verification of OS, kernel, boot loader, firmware, etc. (This can be disabled...)

The screenshot he posted shows what the hardware verification dialog for things like the operating system and bootloader looks like. As long as we can turn security measures like this off - as we can on, e.g., Chromebooks - this is a good development. Now all we have to do is hope these companies don't abuse this kind of technology.

We can hope.

The end of hackintosh?
by CaptainN- on Tue 12th Dec 2017 22:57 UTC
CaptainN-
Member since:
2005-07-07

This seems like it's designed to end hackintosh.

Maybe that's okay - High Sierra runs like crap anyway. It may be time to switch back to Windows (or Ubuntu)...

Edited 2017-12-12 22:58 UTC

Reply Score: 6

RE: The end of hackintosh?
by Anonymous Penguin on Wed 13th Dec 2017 13:20 UTC in reply to "The end of hackintosh?"
Anonymous Penguin Member since:
2005-07-06

Yosemite was the last decent version of MacOs. After that it got worse all the time. That on top of ridiculously expensive hardware. Farewell Macs, it was good while it lasted. Windows 10 is the best Microsoft OS so far, IMHO.

Reply Score: 3

RE[2]: The end of hackintosh?
by Parry on Wed 13th Dec 2017 23:21 UTC in reply to "RE: The end of hackintosh?"
Parry Member since:
2014-06-03

Surely you mean Snow Leopard

Reply Score: 1

RE[3]: The end of hackintosh?
by haakin on Thu 14th Dec 2017 12:17 UTC in reply to "RE[2]: The end of hackintosh?"
haakin Member since:
2008-12-18

And Tiger is the best looking Mac OS X.

Reply Score: 1

RE[2]: The end of hackintosh?
by Kancept on Thu 14th Dec 2017 16:01 UTC in reply to "RE: The end of hackintosh?"
Kancept Member since:
2006-01-09

You mean Snow Leopard.

Reply Score: 2

RE: The end of hackintosh?
by darknexus on Wed 13th Dec 2017 13:43 UTC in reply to "The end of hackintosh?"
darknexus Member since:
2008-07-15

I don't follow. Why would you make a hackintosh on one of these, seeing as it's a genuine Macintosh machine? Apple can't require the presence of the T2 chip in MacOS since this will currently be the only machine with it and there will be many older Macs in use for years to come. Hackintosh seems safe enough, if you want to bother with it.

Reply Score: 1

RE[2]: The end of hackintosh?
by CaptainN- on Wed 13th Dec 2017 14:07 UTC in reply to "RE: The end of hackintosh?"
CaptainN- Member since:
2005-07-07

I didn't explain well - the hardware described here can be used to secure a key and then the OS written to require decryption through that key/hardware. It seems designed to lock macOS to Apple hardware, which would make hackintosh impractical.

Edited 2017-12-13 14:07 UTC

Reply Score: 2

RE[3]: The end of hackintosh?
by darknexus on Wed 13th Dec 2017 15:07 UTC in reply to "RE[2]: The end of hackintosh?"
darknexus Member since:
2008-07-15

I doubt it. As I said, this is the only Mac with this chip. While it is conceivable that in perhaps ten years they could enforce this requirement, at the moment they cannot because it would lock MacOS out of all other Apple machines as well. By the time they could use this as an anti-Hackintosh mechanism, the landscape is likely to look quite different in terms of the options available. Heck, if Apple doesn't pull their act together on MacOS soon (or kills it off deliberately) there may not even be a need for a Hackintosh by the time they could use this as a lock.

Reply Score: 2

RE[4]: The end of hackintosh?
by leech on Wed 13th Dec 2017 16:15 UTC in reply to "RE[3]: The end of hackintosh?"
leech Member since:
2006-01-10

I think the point is that all they'd need to do is put the chip into the newer macs for the next few years, then they can say 'anything older than 2017 will not get the upgrade to macOS blah.x'

So yeah, death of Hackintoshes in... I'd guess probably 2020? By then they can just claim that 3 year old macs won't work with the latest version of the OS. It's not like they haven't done this many times before.

Reply Score: 1

RE: The end of hackintosh?
by unclefester on Fri 15th Dec 2017 01:25 UTC in reply to "The end of hackintosh?"
unclefester Member since:
2007-01-13

This seems like it's designed to end hackintosh.

Maybe that's okay - High Sierra runs like crap anyway. It may be time to switch back to Windows (or Ubuntu)...


It's probably to prevent installing Linux on unsupported "old" (e.g. perfectly good 5-year-old) machines to extend their life.

I'm typing this on a 2007 Macbook running Xubuntu. There is essentially no modern MacOS software that will run on Snow Leopard

Reply Score: 2

Faulty Design
by Alfman on Wed 13th Dec 2017 00:52 UTC
Alfman
Member since:
2011-01-28

Secure Boot

Full Security - Ensures the latest and only most secure software can run. This mode requires a network connection at software installation time.

Medium Security - Requires verifiable software to run, but not the latest software.

No Security - Does not enforce any requirements on the bootable OS.


There is a missing option here, owners should be able to specify their own keys such that they can run 3rd party software securely without selecting "no security" and giving up bootloader protection entirely. As it stands, the security feature appears to be designed to unnecessarily treat all 3rd party platforms as second class citizens.

Reply Score: 4

RE: Faulty Design
by Kochise on Wed 13th Dec 2017 12:50 UTC in reply to "Faulty Design"
Kochise Member since:
2006-03-03

There is a missing option here, owners should be able to own the hardware they bought.

Reply Score: 1

RE[2]: Faulty Design
by Alfman on Wed 13th Dec 2017 14:21 UTC in reply to "RE: Faulty Design"
Alfman Member since:
2011-01-28

Kochise,

There is a missing option here, owners should be able to own the hardware they bought.


Of course. The point I always try to make regarding security features is that they can be good but they need to be designed to empower the owners and often times they fall short as seems to be the case here.

Unfortunately the trend is towards security measures that protect the vendors' interests against owner modification. Despite the shortcomings of apple's implementation, at least for now the owner appears to be able to disable it. However it may not be the case in the future.


Hypothetically if apple and microsoft locked owners out of secure boot, that'd be close to 100% of new consumer computers that would no longer be able to boot alternatives. We're obviously not there today, but all the building blocks are in place, and with a government that believes powerful corporations can do no evil, I have a lot of concern that corporations could actually get away with locking down all computers.

Reply Score: 3

RE[3]: Faulty Design
by zima on Fri 15th Dec 2017 21:35 UTC in reply to "RE[2]: Faulty Design"
zima Member since:
2005-07-06

When Trusted Platform Module came out, it was "proof" that Microsoft would block Linux from running on new PCs ...nothing came out of these predictions, and in fact TPM is used to probably the biggest lengths by Linux PCs - Chromebooks.

BTW, can you install Windows on a Chromebook? ;)

Also, in many places that would NOT be "close to 100% of new consumer computers that would no longer be able to boot alternatives" - I go to ceneo.pl (probably the largest local shops/offers comparison site), choose "Laptops" and see that there are now over 1200 offers (out of ~6000 total) with "no OS" which have to be unlocked... (the vast majority of them end up with pirated Windows, but that's another issue... a few years ago the manufacturers kept up appearances of distancing themselves from encouraging piracy - those laptops shipped with "Linux" ...often only a Knoppix DVD thrown into the box)

Reply Score: 3

RE[4]: Faulty Design
by Alfman on Sat 16th Dec 2017 01:43 UTC in reply to "RE[3]: Faulty Design"
Alfman Member since:
2011-01-28

zima,

When Trusted Platform Module came out, it was "proof" that Microsoft would block Linux from running on new PCs ...nothing came out of these predictions, and in fact TPM is used to probably the biggest lengths by Linux PCs - Chromebooks.


My understanding of TPM is that it was never actually capable of blocking alternative operating systems, rather it provided secure attestation and secure keystore primitives. To me having these primitives isn't that controversial, so long as the features are available to all platforms and we're not forced to use them. It's quite a bit different from something like secure boot.

A bit O/T, but an interesting side note is that TPM secure attestation only works remotely. Consider what happens if a hacker loads up a hacked bootloader. This bootloader will not pass TPM's attestation checks, however since the hacker has control over the OS being loaded, he is nevertheless able to alter it into thinking that it has passed; this hack can be repeated for each link of the chain. This is why TPM attestation cannot be used (or is not very effective) for local security.


Attestation is used to prove the state of a remote system. The hacker cannot fake a signature from the TPM unit (ignoring the possibility of bugs). In practice, even though you can prove every bit of software running on it if you need to, there are so many variables across normal user installations that the problem becomes finding a way to prove those configurations are secure.

Consider what would happen if a bank created a TPM-aware service and applied a blacklist for any software/drivers that it didn't know about. Well, tons of customers would end up being denied service because they're using different hardware/software (i.e., we don't recognize your scanner driver). The bank has two logical choices: allow the configuration or deny it, but there's no realistic scenario where they'd have the resources to actually check whether these configurations are technically secure, and if you start introducing unknowns into the TPM security approved database, then it increases not only the denial of service against legitimate machines but also the chances of compromised software/drivers making it onto the approved list.

So unless one runs a large number of highly standardized installations, TPM attestation is sort of impractical. A scenario I think TPM is good for would be checking the state of company provided laptops prior to granting them remote access to the enterprise network. Although on systems that I own rather than the employer, I'd prefer not to have to validate my system to them.

Edited 2017-12-16 01:50 UTC

Reply Score: 2
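The local-versus-remote attestation point made in the post above, as an added worked example (not code from the post or from any TPM vendor): a simplified measured-boot chain where each stage is extended into a PCR, and a "quote" that only the TPM can produce. The attestation key, boot-stage blobs and nonce are all constructed; HMAC stands in for the asymmetric attestation key a real TPM uses.

```python
import hashlib
import hmac

# Constructed stand-in for the TPM's attestation key. In a real TPM this is an
# asymmetric key whose private half never leaves the chip; HMAC is used here only
# to keep the example self-contained.
TPM_ATTESTATION_KEY = b"constructed-tpm-attestation-key"

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)); order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    """Measure firmware -> bootloader -> kernel into a single PCR, starting from zero."""
    pcr = b"\x00" * 32
    for c in components:
        pcr = extend_pcr(pcr, c)
    return pcr

def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Only the TPM can produce this: it binds the real PCR value to the verifier's nonce."""
    return hmac.new(TPM_ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()

def remote_verify(claimed_pcr: bytes, quote: bytes, nonce: bytes, expected_pcr: bytes) -> bool:
    """Remote verifier: the quote must be genuine for the claimed PCR, and that PCR must
    match the known-good value. The verifier holds the TPM's verification key."""
    expected_quote = hmac.new(TPM_ATTESTATION_KEY, claimed_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(quote, expected_quote) and claimed_pcr == expected_pcr

# Constructed boot-stage blobs; the second chain has a tampered bootloader.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-TAMPERED", b"kernel-v1"]

def honest_attestation(nonce: bytes) -> bool:
    """Untampered machine: quote over the real PCR passes the remote check."""
    pcr = measure_chain(GOOD_CHAIN)
    return remote_verify(pcr, tpm_quote(pcr, nonce), nonce, measure_chain(GOOD_CHAIN))

def local_check_is_fooled() -> bool:
    """Local check: the OS loaded by the hacked bootloader decides the verdict itself,
    so it simply reports success even though the PCR differs from the good value."""
    pcr_differs = measure_chain(TAMPERED_CHAIN) != measure_chain(GOOD_CHAIN)
    compromised_os_reports_ok = True  # the compromised OS lies about its own state
    return pcr_differs and compromised_os_reports_ok

def remote_check_catches_tampering(nonce: bytes) -> bool:
    """Remote check: the attacker claims the good PCR, but the TPM only quotes the real one."""
    quote = tpm_quote(measure_chain(TAMPERED_CHAIN), nonce)  # TPM signs what it measured
    claimed = measure_chain(GOOD_CHAIN)                      # attacker lies about the PCR
    return not remote_verify(claimed, quote, nonce, claimed)
```

Note that the honest path still depends on the verifier knowing the exact expected PCR value, which is the "large number of highly standardized installations" problem the post raises.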

RE[5]: Faulty Design
by zima on Sat 16th Dec 2017 23:38 UTC in reply to "RE[4]: Faulty Design"
zima Member since:
2005-07-06

My understanding of TPM is that it was never actually capable of blocking alternative operating systems, rather it provided secure attestation and secure keystore primitives

Perhaps, but the hysteria about the possibility of blocking alternative OS was real... ;)

Reply Score: 2

RE[6]: Faulty Design
by Alfman on Sun 17th Dec 2017 00:16 UTC in reply to "RE[5]: Faulty Design"
Alfman Member since:
2011-01-28

zima,

Perhaps, but the hysteria about the possibility of blocking alternative OS was real... ;)


I don't remember too much hysteria around TPM specifically, but maybe I ignored it, haha. Secure boot was a different matter though. I do remember the outcry surrounding the CPUID serial number feature that uniquely identified CPUs starting (and ending) with intel's pentium 3.

Edited 2017-12-17 00:32 UTC

Reply Score: 2

RE[7]: Faulty Design
by zima on Sun 17th Dec 2017 21:29 UTC in reply to "RE[6]: Faulty Design"
zima Member since:
2005-07-06

Hm, or maybe I just hung out on Slashdot too much back when TPM was introduced... ;)

Reply Score: 2

First ARM-based workstation
by areilly on Wed 13th Dec 2017 04:06 UTC
areilly
Member since:
2015-04-07

with a Xeon application accelerator bolted on the side.

Well, perhaps not this time around, but it could easily go that way. Long ago I used a Sony NEWS 3860 (http://katsu.watanabe.name/doc/sonynews/model.html) the "MIPS" CPU versions were a MIPS-R3000 processor card that was effectively added to their previous 68030 motherboard, which was still used to run all of the device drivers and most of the OS. Worked _really_ well!

Reply Score: 3

Not available yet.
by stargazer on Wed 13th Dec 2017 13:18 UTC
stargazer
Member since:
2011-08-26

Till tomorrow

Reply Score: 1

Not bad
by darknexus on Thu 14th Dec 2017 16:47 UTC
darknexus
Member since:
2008-07-15

$5,000 USD isn't actually bad, considering what you get, plus a monitor. I'd be hard-pressed to find anything much less on the price scale if we're talking about workstation-grade hardware when you figure in the package. I was expecting Apple to charge an off-the-wall price, but am pleasantly surprised. Of course, the real question is, how long will they last and just how hard will they be to repair? That will probably be the area where these fall short, since if one spends five grand on a workstation one would expect to keep that workstation for at least five years.

Reply Score: 1