Sounds like a good thing, right? Except “Browser Trusted” means $$$ and corporate control. Sure, we have Letsencrypt; yes, they give that away for free, but it’s still based on the same commercial model.
Of course encryption is a good thing and I don’t mean to suggest we should drop that!
But, one is the internet, the other is your personal property. And the people pushing for that don’t want to make home/mobile computing safer (we already do that thankyouverymuch), they want to have control over what you can run on your phones. Baked right into the hardware, I’m guessing.
It’s like saying “put on safety belts even while walking, even in your home” - oh and they must be from one of 3 brands.
WRT banking apps (always seems to come up) -
try if the web UI doesn’t work for you. That’s why we have these large, bloated, but perfectly cross-platform browsers. And yes, that’s a sore topic on SFOS, you might have to install one via appsupport.
if they insist on pushing usually tracker-ridden apps on you, why not change banks? I did this recently and while it wasn’t pleasant, it wasn’t hard either and did not cost me anything.
To be completely honest here, Jolla has proprietary components in SailfishOS…. You sound like someone who wants to be in full control, and I have heard that maybe PMOS could be for you? What Jolla has messaged is that they try to provide a true alternative to the duopoly, and that includes a little bit wider audience.
As many Sailors may know, important purposes of IT security technology lie in the protection from threats and in the provision of trust.
A TEE is a technology that is standardized in specifications that are publicly available. A TEE protects from threats; that’s why it is required by some apps, e.g. apps for authentication, banking, 2FA, security tokens, government ID.
A TEE provides trust, usually initially set by a manufacturer. This manufacturer has to inject root keys in the production process of the device. So why not let Jolla provide the trust for an open source Linux TEE on an SFOS platform, e.g. the J2?
AFAIU* the bank would then have to explicitly trust Jollyboys, which, analogous to the SSL certificates I brought up earlier, is a question of giving money to some “trusted” 3rd party provider.
Without that it’s just protected OS memory, which I believe Linux already has.
Look at cacert.org for an example of how it could look without giving $$$ to some big “trusted” provider. Never heard of them? Exactly.
Yes, I am mistrustful of such approaches, and for good reason & experience over the years. Look what Google/Android/Alphabet alone did with “safe, trusted and secure”. The technology behind it might be sound (or not); the problem is with who pushes it, and to what end.
Dismissing my opinion with “hackers for all kumbaya phone” is, IMO, just as insulting as any direct insult.
* I could be wrong; better explanations are welcome.
It’s not a question of ‘letting’ anyone do anything. To incorporate a TEE (and OP-TEE is ARM-only) requires a hardware design decision. And, generally, you won’t make that; the SoC manufacturer will make that decision for you because they have gone some distance to ensure you get performance. I don’t know what that will cost, but the decision THEN ripples through the whole ecosystem and will increase costs and introduce obstacles.
Having looked at a number of specs now, I’m not convinced. It’s another moat. In Germany that kind of approach has led to manufacturers gouging the state (via doctors’ offices) by baking certs into the system and claiming, oh, need to upgrade the hardware. As soon as you introduce this kind of mechanism, in the interests of ‘security’, the grifters will come calling.
I really don’t understand why I can do banking with nothing more than SSL and a second factor (I have dedicated devices for that) just fine but NOT on a phone. That’s irrational.
I use the German tax authorities’ system, Elster. They provide keys to end users as a second factor. They rotate those at intervals. Those are clearly tied to the original publisher, controlled by them and of utility for me and my security. That works. I can even remove them from a system or add them to a system. Do you see that as making the world less secure?
What are you talking about. Please provide a specific example of a token exchange. This sounds like hot air.
It is ALWAYS the risk of the user. If a co-processor, like a TEE lives on my phone AND someone gets hold of other credentials and phone, I’m cooked. So much for security. People lose phones all the time.
The ‘hardware secure element’ is only as secure as the vendor who can access it. As we have seen all too often, the major vendors get ‘cracked’ all the time.
We can put the TEE to an extremely low-level and simple use case, like one thing it is used for in iOS: private key storage.
Now, where do you want your private keys to be stored? Or your passwords? In the filesystem?
If not, the TEE is the only other option in real life. Now there are 3 options:
Let’s store private keys in the file system, say chmod 400, and be happy
We trust Apple (etc.) and have them store everything for us
We have open source TEE where we know how the keys are stored
None of the above. I use external media (ie. usb stick, ssd, etc).
It seems that no one here remembers the ‘clipper chip’. The primary motivations behind TEE are the same as they were then:
Backdoors for the state
DRM (sony music corp)
Plausible deniability for the banks (whose attack surface is elsewhere)
There are legit reasons to want to be able to verify that programs compiled for a platform correspond to an origin that can be audited. For instance, a signed package coming from a build system which directly obtains the sources from a git repository. However, this does not offer a very strong guarantee.
Placing trust in an ‘enclave’ which is effectively controlled by a duopoly of phone vendors and Visa card is even worse. I really don’t understand where the Kool-Aid comes from.
That “clipper chip” is just for you Americans. It seems we can only disagree here. If you want to, say, use a FIDO2 stick, go ahead, nothing is stopping you.
But for us who want a secure keystore, that can be audited by trusted European vendors, we do need TEE.
I also would like to emphasize what I said before - this would be TEE you can just turn off.
I am not an American, just old enough. Your definition of ‘secure’ is very sloppy. Have you looked at any of the number of chips and the corresponding implementations from SoC vendors? There are the IC vendors for the TPM/TEE. Then comes the integration. Etc., etc.
The specifications are controlled by an American Company (Visa) and the implementations are variously flawed. Why that should lead to European trust, I do not understand.
‘Just turn it off’. Well, That would very likely mean no android. Fine by me.
You are willfully ignoring the fact that the consortium that controls TEE IS American. What this has to do with ‘locking out’ US companies I do not understand. Among the vendors of ICs, I believe, there is a European (ie. NXP), for what that’s worth.
As have I. And it seems you have not learned from history. That is a shame.
What consortium? There are multiple TEE implementations to choose from.
By “locking out” I mean software. I don’t want Google or Apple. Its back end, naturally, mostly.
I just don’t get why you want to make sure that we cannot have, say, EU banking, if we want to choose so? Why do you want to have an insecure phone?
Look, it’s fine if you want to burn software to your phone that has no TEE, no Alien Dalvik, etc. other evil. I’m fine with that, but don’t deny that to everyone else!
Have you even read this thread: the consortium that controls the standards
Have you read any of the specifications or informed yourself who can actually store (i.e. burn credentials into silicon) keys in a TEE? For your purposes, that will mean hard-baked attestation for firmware by Google.
Modern industry is interdependent. Even if you don’t like American companies or Chinese ones, you just can’t make modern hardware without them. The organizations controlling the specifications of USB, SPI, I3C are all headquartered in USA. Are we looking for new protocols and connectors now?
Software-wise, Google controls the specification behind AAS and microg. People choose to enable those and use those things depending on their needs. To me, installing SailTube on SFOS is heresy. But I admit that we all have different needs and some people still want to have YouTube or Facebook on a Jolla Phone. Same would happen with TEE, people will use it only if they choose so by installing certain apps.
What’s the trouble with signed firmware? Per se it does not spy on you. It only makes SFOS dependent within the needs of the TEE platform, meaning if Google ceases to provide the signature, or if the user replaces the firmware with a non-signed version, the only consequence is the loss of the TEE functionality.
The only thing I expect from Jolla is if such technologies would be integrated, then an on/off configuration exists. Other than that, the phone should be made to be useful for a variety of use cases.
Sure. I’m not on about America, but a very specific thing. TEE is even less well regulated than TPM (which is ISO). TPM 2.0 which is an MS / Intel first effort is at least managed by the ISO.
The problem is establishing a precedent that favours companies like Sony who have, in the past, used illegal means (backdoors) to enforce DRM.
Extend this to a ‘secure’ boot loader that ONLY runs firmware signed by the usual suspects and you have a device you cannot run without the cooperation of whoever owns the keys. Once used for some subset it will quickly be a case that a display driver will be limited to showing ‘approved’ content. This is already possible and done with DRM for video streams.
I have done secure booting code (ARM, OTP and TrustZone) which is created by first signing and baking (in OTP, a write-once area, or NVRAM) the keys used to sign onto the device. This is generally done to protect IP. Rarely does it provide stronger security, as has been shown vis-à-vis TPM again and again in the past almost 20 years.
All in all, it’s just bad for us and good for them.
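The signed-firmware check that the last two posts describe (a hash of the vendor's signing key baked into OTP, the boot ROM verifying the image against it, and an unsigned or re-signed image booting without the TEE rather than not at all) is small enough to model in code. The following is an added example written for this thread, not code from any vendor, Jolla, or OP-TEE; the type names, the use of Ed25519 and SHA-256, and the firmware strings are all illustrative choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed model of the secure-boot check discussed in the thread:
// the vendor signs a firmware image, the device holds only a hash of the
// vendor's public key in one-time-programmable memory (OTP), and the boot
// ROM enables the TEE only if the image verifies. Example code for this
// thread, not any vendor's boot ROM.

// Otp models the write-once area: a SHA-256 hash of the signing public key.
type Otp struct {
	PubKeyHash [32]byte
}

// Image is a signed firmware image as stored in flash. The public key
// travels with the image (so only its hash needs to live in OTP), followed
// by the payload and the signature over the payload.
type Image struct {
	PubKey  ed25519.PublicKey
	Payload []byte
	Sig     []byte
}

// BurnOtp "burns" the hash of a public key; done once in production.
func BurnOtp(pub ed25519.PublicKey) Otp {
	return Otp{PubKeyHash: sha256.Sum256(pub)}
}

// SignImage is the vendor-side step: sign the payload with the private key.
func SignImage(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{
		PubKey:  priv.Public().(ed25519.PublicKey),
		Payload: payload,
		Sig:     ed25519.Sign(priv, payload),
	}
}

// VerifyImage is the boot-ROM side. Both checks are needed: the key carried
// in the image must hash to the OTP value (otherwise anyone could ship their
// own key with their own signature), and the signature must verify.
func VerifyImage(otp Otp, img Image) bool {
	if len(img.PubKey) != ed25519.PublicKeySize {
		return false
	}
	if sha256.Sum256(img.PubKey) != otp.PubKeyHash {
		return false
	}
	return ed25519.Verify(img.PubKey, img.Payload, img.Sig)
}

// Boot reports whether the TEE gets enabled. A user-signed or tampered image
// still boots (the device is not bricked); it just loses the TEE.
func Boot(otp Otp, img Image) (teeEnabled bool) {
	return VerifyImage(otp, img)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otp := BurnOtp(vendorPub)

	good := SignImage(vendorPriv, []byte("vendor firmware v1"))
	fmt.Println("vendor image, TEE enabled:", Boot(otp, good))

	// User replaces the firmware and signs with their own key: boots, no TEE.
	_, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	own := SignImage(userPriv, []byte("user firmware"))
	fmt.Println("user-signed image, TEE enabled:", Boot(otp, own))

	// Payload modified but vendor key and old signature kept: signature fails.
	tampered := good
	tampered.Payload = []byte("vendor firmware v1 + extra")
	fmt.Println("tampered image, TEE enabled:", Boot(otp, tampered))
}
```

The two-step check in VerifyImage is the whole point of putting only a key hash in OTP: the hash binds the device to one signer, and the signature binds the image to that signer. Whether that signer is a vendor protecting its IP or a party the user actually trusts is, as the thread notes, a governance question the mechanism itself does not answer.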