A friend, @chloetankahhui has been speaking up against the proposal to enforce age verification at the OS level, and the QRTs to this shows the extent of naivety that a lot of people have.
-
A friend, @chloetankahhui has been speaking up against the proposal to enforce age verification at the OS level, and the QRTs to this shows the extent of naivety that a lot of people have.
No one who does hardware security believes that any system is bulletproof, but do you really think that circumventing these things will always be a simple firmware mod or hardware hack?
Let's dive in. /1
-
A friend, @chloetankahhui has been speaking up against the proposal to enforce age verification at the OS level, and the QRTs to this shows the extent of naivety that a lot of people have.
No one who does hardware security believes that any system is bulletproof, but do you really think that circumventing these things will always be a simple firmware mod or hardware hack?
Let's dive in. /1
Since the late 2000s, computer chipsets have shipped with security processors like Intel Management Engine and AMD Platform Security Processor.
Part of their job is to verify that the UEFI firmware is from the computer OEM and has not been tampered with or comes from a 3rd party. /2
-
Since the late 2000s, computer chipsets have shipped with security processors like Intel Management Engine and AMD Platform Security Processor.
Part of their job is to verify that the UEFI firmware is from the computer OEM and has not been tampered with or comes from a 3rd party. /2
How do these security processors verify the firmware integrity?
Through a set of cryptographic keys and their hashes, which are used to verify the cryptographic signature of the UEFI firmware. These keys or hashes are *burned* into the processor and cannot be changed. /3
-
How do these security processors verify the firmware integrity?
Through a set of cryptographic keys and their hashes, which are used to verify the cryptographic signature of the UEFI firmware. These keys or hashes are *burned* into the processor and cannot be changed. /3
For now, these functions are not strictly enforced or turned on in a lot of consumer devices.
But is there anything stopping nation states from forcing hardware manufacturers and OEMs to do so?
What options do you have in such a case? /4
-
For now, these functions are not strictly enforced or turned on in a lot of consumer devices.
But is there anything stopping nation states from forcing hardware manufacturers and OEMs to do so?
What options do you have in such a case? /4
There have been vulnerabilities in ME and PSP, and there MAY BE a way for users to bypass these checks.
But this assumes:
- Someone out there will put in labor to circumvent these things and release it freely, even at great expense.
- A simple, user doable hack even exists./5
-
There have been vulnerabilities in ME and PSP, and there MAY BE a way for users to bypass these checks.
But this assumes:
- Someone out there will put in labor to circumvent these things and release it freely, even at great expense.
- A simple, user doable hack even exists./5
Again, no one assumes that any system can be made 100% bulletproof. But that was never the point is it?
The end game is for manufacturers to harden their devices against cheaper tools and raise the barrier to entry such that it costs a fortune for hackers who might even try. /6
-
Again, no one assumes that any system can be made 100% bulletproof. But that was never the point is it?
The end game is for manufacturers to harden their devices against cheaper tools and raise the barrier to entry such that it costs a fortune for hackers who might even try. /6
This is why GiovanH's blog article is a must-read.
People assume that accessible hacks of invasive systems will always exist, and users hacking their devices is to be expected.
THIS SHOULDN'T BE A NORM. THIS IS AN ARMS RACE AND WE'RE OUTMATCHED. /7
https://blog.giovanh.com/blog/2025/10/14/a-hack-is-not-enough/
-
This is why GiovanH's blog article is a must-read.
People assume that accessible hacks of invasive systems will always exist, and users hacking their devices is to be expected.
THIS SHOULDN'T BE A NORM. THIS IS AN ARMS RACE AND WE'RE OUTMATCHED. /7
https://blog.giovanh.com/blog/2025/10/14/a-hack-is-not-enough/
People who think "oh we'll just buy Chinese motherboards and chips" or "just use open source hardware"
WHO FABRICATES THE BOARDS AND CHIPS FOR OSHW? DO YOU BELIEVE STATES LIKE CHINA AREN'T INTERESTED IN SIMILAR MEASURES OF CONTROL?
This is the tech equivalent of tankie-ism.
/8
-
People who think "oh we'll just buy Chinese motherboards and chips" or "just use open source hardware"
WHO FABRICATES THE BOARDS AND CHIPS FOR OSHW? DO YOU BELIEVE STATES LIKE CHINA AREN'T INTERESTED IN SIMILAR MEASURES OF CONTROL?
This is the tech equivalent of tankie-ism.
/8
Go on, circumvent these measures & keep our tech open and free.
But know that many hackers find basic hardware hacking tools too costly and out of reach. WE'RE OUTRESOURCED.
PUSH BACK BEFORE THESE POLICIES BECOME NORMALIZED. DON'T RELY ON HACKING ALONE TO SAVE US.
/END
-
Since the late 2000s, computer chipsets have shipped with security processors like Intel Management Engine and AMD Platform Security Processor.
Part of their job is to verify that the UEFI firmware is from the computer OEM and has not been tampered with or comes from a 3rd party. /2
@sleepyowl I’m eying up the ‘security updates’ for my bios with some suspicion.
-
Go on, circumvent these measures & keep our tech open and free.
But know that many hackers find basic hardware hacking tools too costly and out of reach. WE'RE OUTRESOURCED.
PUSH BACK BEFORE THESE POLICIES BECOME NORMALIZED. DON'T RELY ON HACKING ALONE TO SAVE US.
/END
@sleepyowl FWIW the current "contract" for what "a PC" even is (i.e. the requirements to get WHQL certified by MS) specifically defines that it must be possible to completely disable OS verification (UEFI Secure Boot) or use the user's own keys for it, out of the box without any extra requirements.
Firmware verification on every boot (Boot Guard et al) —which has already been widely enabled in Intel-based PC laptops of the last decade— did not change that, on its own.
Of course the policies are subject to change, but I think even Microsoft themselves would be really pissed about having to change any of this due to legal bullshit.
-
@sleepyowl FWIW the current "contract" for what "a PC" even is (i.e. the requirements to get WHQL certified by MS) specifically defines that it must be possible to completely disable OS verification (UEFI Secure Boot) or use the user's own keys for it, out of the box without any extra requirements.
Firmware verification on every boot (Boot Guard et al) —which has already been widely enabled in Intel-based PC laptops of the last decade— did not change that, on its own.
Of course the policies are subject to change, but I think even Microsoft themselves would be really pissed about having to change any of this due to legal bullshit.
@valpackett@social.treehouse.systems @sleepyowl@chaos.social Originally it was intended to be locked down to only boot Windows, as were the first Windows Arm machines.
The reason you can run Linux on your PC at all today without hacks is previous rounds of pushback
-
@valpackett@social.treehouse.systems @sleepyowl@chaos.social Originally it was intended to be locked down to only boot Windows, as were the first Windows Arm machines.
The reason you can run Linux on your PC at all today without hacks is previous rounds of pushback @bunny pushback was definitely a part of it; also failure in the market. The 32-bit Windows RT devices were trying really hard to be iPads, but absolutely no one wanted just the walls with no garden inside.
-
@bunny pushback was definitely a part of it; also failure in the market. The 32-bit Windows RT devices were trying really hard to be iPads, but absolutely no one wanted just the walls with no garden inside.
@valpackett@social.treehouse.systems At the time the secure boot was initially designed Windows was still going strong. They could get away with locking down all consumer PC hardware to run only Windows (or OS X for that other part), market-wise. Write off anyone not willing to run Windows as weird, suspicious, and potentially criminal. At least in the western PC market. Not sure how well it would go in China or India. Surprising amount of non-Apple consumer hardware was running Windows that was obtained with varying degrees of legitimacy back then
-
J jwcph@helvede.net shared this topic
