microtonal 5 days ago

There are genuine positive applications for remote attestation. E.g., if you maintain a set of servers, you can verify that it runs the software it should be running (the software is not compromised). Or if you are running something similar to Apple's Private Compute Cloud to run models, users can verify that it is running the privacy-preserving image that it is claiming to be running.

There are also bad forms of remote attestation (like Google's variant that helps them let banks block you if you are running an alt-os). Those suck and should be rejected.

Edit: bri3d described what I mean better here: https://news.ycombinator.com/item?id=46785123

Reply View 2 replies
  • direwolf20 5 days ago

    I agree that DRM feels good when you're the one controlling it.

    Reply View 0 replies
  • egorfine 4 days ago

    > There are genuine positive applications for remote attestation

    No doubt. Fully agree with you on that. However Intel ME will make sure no system is truly secure and server vendors do add their mandatory own backdoors on top of that (iLO for HP, etc).

    Having said that, we must face the reality: this is not being built for you to secure your servers.

    Reply View 0 replies
youarentrightjr 5 days ago

> Remote attestation is literally a form of DRM

Let's say I accept this statement.

What makes you think trusted boot == remote attestation?

Reply View 6 replies
  • direwolf20 5 days ago

    Trusted boot is literally a form of DRM. A different one than remote attestation.

    Reply View 5 replies
    • youarentrightjr 5 days ago

      > Trusted boot is literally a form of DRM. A different one than remote attestation.

      No, it's not. (And for that matter, neither is remote attestation)

      You're conflating the technology with the use.

      I believe that you have only thought about these technologies as they pertain to DRM, now I'm here to tell you there are other valid use cases.

      Or maybe your definition of "DRM" is so broad that it includes me setting up my own trusted boot chain on my own hardware? I don't really think that's a productive definition.

      Reply View 4 replies
      • yencabulator 5 days ago

        It's possible to not implement remote attestation even when you implement secure boot.

        This company is explicitly all about implementing remote attestation (which is a form of DRM):

        https://amutable.com/events

        > Remote Attestation of Imutable Operating Systems built on systemd

        > Lennart Poettering

        Reply View 3 replies