this post was submitted on 28 Jul 2023
61 points (100.0% liked)
Technology
I think that the party is kind of distributed. If I'm not mistaken, the manufacturer of your device decides what they consider "trusted", and they can certify the integrity of your hardware. On top of that, the operating system you use will take this as a base and add its own verification to it, to certify that the integrity of the OS has not been broken. And on top of that comes the web browser or some other software that verifies if it has been modified, and can certify if it feels ok. And then, when you use a service that wants to check if you run an "approved" environment, they will see the whole chain of verification, and they can decide if they don't trust someone in the chain. Like, if they don't trust that Firefox (assuming it implements WEI, which would be hugely disappointing) certifies its integrity honestly, or that they don't trust that your Linux kernel is honest, or if they don't trust that your System76 (or whatever) motherboard (and other hardware devices) don't lie or do certification incorrectly, then they just simply deny you access.
And the process of making your device "trusted" probably consists of a) using "approved" software and hardware, b) getting the providers of your services to accept the software and hardware you use as trustworthy.
The TPM is the secure element that makes authentic (believable) attestation (verification that it is what it says) possible. One of its important properties is that software you run can add its private keys to it, after which point they cannot be retrieved anymore, but can still be used, e.g. for cryptographically signing data. The TPM may also store some keys permanently that were added in the factory, which it can use to sign data that verifies that it is this and that hardware device, and "feels ok", as in it hasn't detected that it has been tampered with.
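The chain the comment describes (hardware vouches for the OS, the OS for the browser, and the service decides whom in the chain it trusts), together with the "private key goes in, signatures come out" property of the TPM, as an added example that is not part of the original post and not code from any real WEI or TPM implementation. Everything in it is constructed: the `Link`, `Signer`, `Policy`, `BuildChain`, `Verify` and `StockPolicy` names, the layer names and the "firmware 1.0" / "kernel 6.4" / "browser 115" strings standing in for measured code, and Ed25519 standing in for whatever key algorithm a real secure element uses. A real TPM quote carries PCR values and uses factory-provisioned endorsement keys; this model keeps only the shape of the argument: each layer signs a measurement of itself plus the key of the layer above, and the relying service walks that chain from a root it already trusts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Link is one layer of the chain (hardware, OS, browser): a measurement of
// itself, the key the next layer up signs with, and this layer's signature.
type Link struct {
	Name        string
	Measurement string            // constructed stand-in for a PCR-style hash
	NextPub     ed25519.PublicKey // nil at the top of the chain
	Sig         []byte
}

// Signer models the TPM property from the comment: the private key stays
// inside and can only be asked to sign, never read back.
type Signer struct{ priv ed25519.PrivateKey }

func (s Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// measure is a constructed stand-in for hashing firmware, kernel or browser code.
func measure(content string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(content))) }

// statement hashes the fields a layer signs into one message.
func statement(name, m string, next ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte(name+"\x00"+m+"\x00"), next...))
	return sum[:]
}

// BuildChain creates the links bottom-up so that link i vouches for link i+1's key.
// It returns the chain and the hardware root public key, which a service must
// already trust (for example because the manufacturer published it).
func BuildChain(names, contents []string) ([]Link, ed25519.PublicKey) {
	signers := make([]Signer, len(names))
	pubs := make([]ed25519.PublicKey, len(names)+1) // spare nil entry for the top
	for i := range names {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		if err != nil {
			panic(err)
		}
		signers[i], pubs[i] = Signer{priv}, pub
	}
	chain := make([]Link, len(names))
	for i, name := range names {
		m := measure(contents[i])
		chain[i] = Link{name, m, pubs[i+1], signers[i].Sign(statement(name, m, pubs[i+1]))}
	}
	return chain, pubs[0]
}

// Policy is the relying service's own choice: the hardware roots it trusts and,
// per layer name, the set of measurements it accepts.
type Policy struct {
	TrustedRoots []ed25519.PublicKey
	Approved     map[string]map[string]bool
}

// Verify walks the chain from the hardware root upward: the first link must be
// signed by a trusted root, each later one by the key vouched for below it, and
// every measurement must be approved. The error names the first untrusted layer.
func Verify(p Policy, chain []Link) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	keys := p.TrustedRoots
	for _, l := range chain {
		msg, ok := statement(l.Name, l.Measurement, l.NextPub), false
		for _, k := range keys {
			ok = ok || (len(k) == ed25519.PublicKeySize && ed25519.Verify(k, msg, l.Sig))
		}
		if !ok {
			return fmt.Errorf("%s: not signed by a key the service trusts", l.Name)
		}
		if !p.Approved[l.Name][l.Measurement] {
			return fmt.Errorf("%s: measurement not on the approved list", l.Name)
		}
		keys = []ed25519.PublicKey{l.NextPub} // only the vouched-for key may sign next
	}
	return nil
}

// StockPolicy trusts one manufacturer root and exactly the constructed stock builds.
func StockPolicy(root ed25519.PublicKey) Policy {
	return Policy{[]ed25519.PublicKey{root}, map[string]map[string]bool{
		"hardware": {measure("firmware 1.0"): true},
		"os":       {measure("kernel 6.4"): true},
		"browser":  {measure("browser 115"): true},
	}}
}

func main() {
	names := []string{"hardware", "os", "browser"}
	chain, root := BuildChain(names, []string{"firmware 1.0", "kernel 6.4", "browser 115"})
	fmt.Println("stock environment:", Verify(StockPolicy(root), chain))
	// An honest chain whose OS measurement the service never approved (a self-built kernel).
	custom, root2 := BuildChain(names, []string{"firmware 1.0", "kernel 6.4 self-built", "browser 115"})
	fmt.Println("self-built kernel:", Verify(StockPolicy(root2), custom))
}
```

The point the example makes is the one in the comment: the chain can be perfectly honest and still be rejected, because `Verify` fails as soon as one layer is not on the service's list, whether that is a kernel measurement it has not approved or a hardware root key it has never heard of. Which keys and measurements go into `Policy` is entirely the service's decision, not the device owner's.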