
If locking the bootloader and comparing signatures against keys burned into a secure enclave allow Apple to make certain security guarantees that helps them sell products, I'm all for their freedom to do so.

Why doesn't OP merely champion competition, instead of encouraging regulation of what software others can write, what hardware others can ship?

I too am afraid of general purpose computing going by the wayside, and I have the Precursor phone and Raptor Talos PowerPC machines on my wishlist, just as soon as I wrap my head around secure boot chains in general before having to implement one myself. But niche hardware is expensive to produce, so we're likely left with what AMD, Intel and Apple provide us.

I guess one quirk that IMO is fair to criticize is that it's not necessarily consumers who are demanding to be locked out of their administrator privileges (the average computer user is of course not aware of the distinction of signed vs unsigned binaries), so I don't know where the pressure for secure enclaves really comes from. Is it the data centers buying thousands of chips that don't want to be pwned? Government customers who refuse to buy a single die if they can't verify the bootloader? Or just patriotic engineers sensitive to a cybersecurity regime that demands we keep our guard up against enemies, foreign and domestic?



> so I don't know where the pressure for secure enclaves really comes from.

The pressure comes from shareholders. User control means users can use their device in a way that benefits them, e.g. blocking invasive tracking. This benefit provides zero or negative shareholder value.


> Why doesn't OP merely champion competition, instead of encouraging regulation of what software others can write, what hardware others can ship?

This is a false dichotomy. Why not both?

We need individual consumer rights, and we also need healthy market competition.


> so I don't know where the pressure for secure enclaves really comes from.

In my experience, security engineers who see them as finally solving the “root of trust” problem. Generally (ime) it’s security engineers/teams that have been pushing for things like ssl/tls, global certificate stores, signed updates of those stores, signed kernels validating those updates. But if you break the kernel (or compromise the bootloader or EFI/BIOS) then it’s all for naught. A secure enclave solves that problem (unless you find a bug in it/its implementation) - your bootloader is validated, which validates your kernel, which validates all the userland components you care about. Security teams rejoice.
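The chain described above (a burned-in root key validates the bootloader, which validates the kernel, which validates userland), as an added Go example that is not part of this thread; the Stage layout, the image bytes and the freshly generated keys are constructed for illustration, and any stage that fails to validate stops the chain so nothing after it is trusted:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Stage: an image, the public key this stage uses to validate its successor
// (nil for the last stage), and a signature over both by the previous key.
type Stage struct {
	Image   []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// digest binds image and successor key (fixed-length, so unambiguous).
func digest(s Stage) []byte {
	sum := sha256.Sum256(append(append([]byte{}, s.Image...), s.NextKey...))
	return sum[:]
}

// VerifyChain walks outward from the burned-in root key and returns the index
// of the first stage that fails, or -1; a failed stage never hands its key on.
func VerifyChain(root ed25519.PublicKey, chain []Stage) int {
	key := root
	for i, s := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, digest(s), s.Sig) {
			return i
		}
		key = s.NextKey
	}
	return -1
}

// BuildChain signs bootloader -> kernel -> userland with fresh keys (constructed sample, not real firmware).
func BuildChain() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Stage{
		{Image: []byte("bootloader v1"), NextKey: blPub},
		{Image: []byte("kernel v1"), NextKey: kPub},
		{Image: []byte("init v1")},
	}
	for i, priv := range []ed25519.PrivateKey{rootPriv, blPriv, kPriv} {
		chain[i].Sig = ed25519.Sign(priv, digest(chain[i]))
	}
	return rootPub, chain
}
```

Tampering with the bootloader image makes VerifyChain return 0, and since the bootloader's key is then never adopted, the (still correctly signed) kernel and userland are not trusted either.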


Because the phone market is a duopoly that was impenetrable for even Microsoft. This "why don't you just make your own Apple?" argument is ridiculous; it will not happen no matter how much you "encourage" it as a consumer. You even contradict this yourself by saying "we're left with what <megacorps> provide us".



