• @9tr6gyp3
    link
    15 months ago

    Thats correct. Thats one of the many perks.

      • @9tr6gyp3
        link
        15 months ago

        If the hardware signatures don’t match, it wont boot without giving a warning. If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

        • @[email protected]
          link
          fedilink
          1
          edit-2
          5 months ago

          If the hardware signatures don’t match

          Compromised hardware will say it is same hardware

          If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

          Compromised hardware controls execution of software. Warning is done in software. Conpromised hardware won’t let it happen.

          • @9tr6gyp3
            link
            15 months ago

            Compromised hardware doesn’t know the signatures. Math.

            • @[email protected]
              link
              fedilink
              15 months ago

              Compromised hardware can’t create new signatures, but it doesn’t matter because it controls execution of software and can skip any checks.

              • @9tr6gyp3
                link
                15 months ago

                If the hardware is tampered, it will not pass the attestation test, which is an online component. It will fail immediately and you will be alerted. Thats the part of verified boot that makes this so much harder for adversaries. They would have to compromise both systems. The attestation system is going to be heavily guarded.

                • @[email protected]
                  link
                  fedilink
                  1
                  edit-2
                  5 months ago

                  which is an online component.

                  So, storing on Signal’s server key to decrypt keys. Welcome back to apple-isms and online-only.

                  It will fail immediately and you will be alerted.

                  Provided you have some other non-compromised way of communications.

                  • @9tr6gyp3
                    link
                    15 months ago

                    Yes, verified boot will have out-of-bands alerts for you by design. Without the online component, you will risk not being able to detect tampering.