Apple has made the iMac Pro available to order, but since we already know all the details about its specifications, there’s one particular aspect I’d like to focus on: the iMac Pro contains new Apple-developed silicon. It’s called the T2, and as described by Cabel Sasser:
The iMac Pro features new Apple custom silicon: the T2 chip. It integrates previously discrete components, like the SMC, ISP for the camera, audio control, SSD control… plus a secure enclave, and a hardware encryption engine. This new chip means storage encryption keys pass from the secure enclave to the hardware encryption engine in-chip – your key never leaves the chip. And it allows for hardware verification of OS, kernel, boot loader, firmware, etc. (This can be disabled…)
The screenshot he posted shows what the hardware verification dialog for things like the operating system and bootloader looks like. As long as we can turn security measures like this off – as we can on, e.g., Chromebooks – this is a good development. Now all we have to do is hope these companies don’t abuse this kind of technology.
We can hope.
This seems like it’s designed to end hackintosh.
Maybe that’s okay – High Sierra runs like crap anyway. It may be time to switch back to Windows (or Ubuntu)…
Edited 2017-12-12 22:58 UTC
Yosemite was the last decent version of macOS. After that it got worse all the time. That on top of ridiculously expensive hardware. Farewell Macs, it was good while it lasted. Windows 10 is the best Microsoft OS so far, IMHO.
Surely you mean Snow Leopard
And Tiger is the best looking Mac OS X.
You mean Snow Leopard.
I don’t follow. Why would you make a hackintosh on one of these, seeing as it’s a genuine Macintosh machine? Apple can’t require the presence of the T2 chip in MacOS since this will currently be the only machine with it and there will be many older Macs in use for years to come. Hackintosh seems safe enough, if you want to bother with it.
I didn’t explain well – the hardware described here can be used to secure a key, and the OS can then be written to require decryption through that key/hardware. It seems designed to lock macOS to Apple hardware, which would make hackintosh impractical.
Edited 2017-12-13 14:07 UTC
I doubt it. As I said, this is the only Mac with this chip. While it is conceivable that in perhaps ten years they could enforce this requirement, at the moment they cannot because it would lock MacOS out of all other Apple machines as well. By the time they could use this as an anti-Hackintosh mechanism, the landscape is likely to look quite different in terms of the options available. Heck, if Apple doesn’t pull their act together on MacOS soon (or kills it off deliberately) there may not even be a need for a Hackintosh by the time they could use this as a lock.
I think the point is that all they’d need to do is put the chip into the newer macs for the next few years, then they can say ‘anything older than 2017 will not get the upgrade to macOS blah.x’
So yeah, death of Hackintoshes in… I’d guess probably 2020? By then they can just claim that 3 year old macs won’t work with the latest version of the OS. It’s not like they haven’t done this many times before.
It’s probably to prevent installing Linux on unsupported “old” machines (e.g. perfectly good 5-year-old machines) to extend their life.
I’m typing this on a 2007 Macbook running Xubuntu. There is essentially no modern MacOS software that will run on Snow Leopard.
There is a missing option here: owners should be able to specify their own keys such that they can run 3rd party software securely without selecting “no security” and giving up bootloader protection entirely. As it stands, the security feature appears to be designed to unnecessarily treat all 3rd party platforms as second class citizens.
There is a missing option here: owners should be able to own the hardware they bought.
Kochise,
Of course. The point I always try to make regarding security features is that they can be good, but they need to be designed to empower the owners, and oftentimes they fall short, as seems to be the case here.
Unfortunately the trend is towards security measures that protect the vendors’ interests against owner modification. Despite the shortcomings of Apple’s implementation, at least for now the owner appears to be able to disable it. However, it may not be the case in the future.
Hypothetically, if Apple and Microsoft locked owners out of secure boot, that’d be close to 100% of new consumer computers that would no longer be able to boot alternatives. We’re obviously not there today, but all the building blocks are in place, and with a government that believes powerful corporations can do no evil, I have a lot of concern that corporations could actually get away with locking down all computers.
When the Trusted Platform Module came out, it was “proof” that Microsoft would block Linux from running on new PCs… nothing came out of these predictions, and in fact TPM is used to probably the biggest lengths by Linux PCs – Chromebooks.
BTW, can you install Windows on a Chromebook?
Also, in many places that would NOT be “close to 100% of new consumer computers that would no longer be able to boot alternatives” – I go to ceneo.pl (probably the largest local shops/offers comparison site), choose “Laptops” and see that there are now over 1200 offers (out of ~6000 total) with “no OS” which have to be unlocked… (the vast majority of them end up with pirated Windows, but that’s another issue… a few years ago the manufacturers kept up appearances of distancing themselves from encouraging piracy – those laptops shipped with “Linux” …often only a Knoppix DVD thrown into the box)
zima,
My understanding of TPM is that it was never actually capable of blocking alternative operating systems, rather it provided secure attestation and secure keystore primitives. To me having these primitives isn’t that controversial, so long as the features are available to all platforms and we’re not forced to use them. It’s quite a bit different from something like secure boot.
A bit O/T, but an interesting side note is that TPM secure attestation only works remotely. Consider what happens if a hacker loads up a hacked bootloader. This bootloader will not pass TPM’s attestation checks; however, since the hacker has control over the OS being loaded, he is nevertheless able to alter it into thinking that it has passed, and this hack can be repeated for each link of the chain. This is why TPM attestation cannot be used (or is not very effective) for local security.
Attestation is used to prove the state of a remote system. The hacker cannot fake a signature from the TPM unit (ignoring the possibility of bugs). In practice, even though you can prove every bit of software running on it if you need to, there are so many variables across normal user installations that the problem becomes finding a way to prove those configurations are secure.
Consider what would happen if a bank created a TPM-aware service and applied a blacklist for any software/drivers that it didn’t know about. Well, tons of customers would end up being denied service because they’re using different hardware/software (i.e., we don’t recognize your scanner driver). The bank has two logical choices: allow the configuration or deny it, but there’s no realistic scenario where they’d have the resources to actually check whether these configurations are technically secure, and if you start introducing unknowns into the TPM security-approved database, then it increases not only the denial of service against legitimate machines but also the chances of compromised software & drivers making it onto the approved list.
So unless one runs a large number of highly standardized installations, TPM attestation is sort of impractical. A scenario I think TPM is good for would be checking the state of company provided laptops prior to granting them remote access to the enterprise network. Although on systems that I own rather than the employer, I’d prefer not to have to validate my system to them.
Edited 2017-12-16 01:50 UTC
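A constructed illustration of the measurement chain and the remote check discussed in the comment above (an added example, not code from any comment in this thread): the stage images, the nonce and the key are made up, and an HMAC with a key the verifier also holds stands in for the TPM's asymmetric quote signature.

```python
import hashlib
import hmac

# Constructed simulation of TPM measured boot plus remote attestation (not real TPM
# code). Each boot stage extends a PCR before handing off, so the final value commits
# to the whole chain; the verifier keeps an allowlist of known-good PCR values.

ATTESTATION_KEY = b"constructed-attestation-key"  # stand-in for the TPM's signing key
BOOT_STAGES = ("firmware", "bootloader", "kernel")


class SimTPM:
    """Holds the PCR and the attestation key; only ever signs its own PCR."""

    def __init__(self) -> None:
        self.pcr = bytes(32)  # PCR is all-zero after reset

    def extend(self, component: bytes) -> None:
        # PCR_new = H(PCR_old || H(component)); a later stage cannot undo an earlier one
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def quote(self, nonce: bytes) -> tuple:
        # The signature binds the TPM's actual PCR to the verifier's nonce (anti-replay)
        sig = hmac.new(ATTESTATION_KEY, nonce + self.pcr, hashlib.sha256).digest()
        return self.pcr, sig


def measured_boot(images: dict) -> SimTPM:
    tpm = SimTPM()
    for stage in BOOT_STAGES:  # each stage is measured before it runs
        tpm.extend(images[stage])
    return tpm


def verify(nonce: bytes, claimed_pcr: bytes, sig: bytes, known_good: set) -> bool:
    """Remote verifier: quote must be genuine over claimed_pcr AND on the allowlist."""
    expected = hmac.new(ATTESTATION_KEY, nonce + claimed_pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and claimed_pcr in known_good


GOOD = {"firmware": b"fw-v1", "bootloader": b"boot-v1", "kernel": b"kernel-v1"}
TAMPERED = dict(GOOD, bootloader=b"boot-v1-with-rootkit")  # constructed bad stage
KNOWN_GOOD_PCRS = {measured_boot(GOOD).pcr}


def attest(images: dict, lie: bool = False, nonce: bytes = b"verifier-nonce-1") -> bool:
    """Boot, quote, verify. With lie=True a compromised OS reports the known-good PCR,
    but the TPM signed its real PCR, so the signature no longer matches the claim."""
    pcr, sig = measured_boot(images).quote(nonce)
    claimed = next(iter(KNOWN_GOOD_PCRS)) if lie else pcr
    return verify(nonce, claimed, sig, KNOWN_GOOD_PCRS)
```

Here `attest(GOOD)` passes, `attest(TAMPERED)` fails the allowlist, and `attest(TAMPERED, lie=True)` fails because the quote covers the real PCR, which is the remote-only property the comment describes: the local OS can lie about the result, but not about what the TPM signed.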
Perhaps, but the hysteria about the possibility of blocking alternative OS was real…
zima,
I don’t remember too much hysteria around TPM specifically, but maybe I ignored it, haha. Secure boot was a different matter though. I do remember the outcry surrounding the CPUID serial number feature that uniquely identified CPUs starting (and ending) with Intel’s Pentium 3.
Edited 2017-12-17 00:32 UTC
Hm, or maybe I just hung out on Slashdot too much back when TPM was introduced…
with a Xeon application accelerator bolted on the side.
Well, perhaps not this time around, but it could easily go that way. Long ago I used a Sony NEWS 3860 (http://katsu.watanabe.name/doc/sonynews/model.html); the “MIPS” CPU versions were a MIPS R3000 processor card that was effectively added to their previous 68030 motherboard, which was still used to run all of the device drivers and most of the OS. Worked _really_ well!
Till tomorrow
$5,000 USD isn’t actually bad, considering what you get, plus a monitor. I’d be hard-pressed to find anything much less on the price scale if we’re talking about workstation-grade hardware when you figure in the package. I was expecting Apple to charge an off-the-wall price, but am pleasantly surprised. Of course, the real question is, how long will they last and just how hard will they be to repair? That will probably be the area where these fall short, since if one spends five grand on a workstation one would expect to keep that workstation for at least five years.