> You can satisfy "do not betray the owner" and "have full freedom" with an architecture where the owner gets a password/key that unlocks management functions or BIOS reconfiguration, and physical access (short of desoldering) is insufficient to access those functions.
The problem with this model is that it destroys freedom as soon as the user isn't the owner. That is somewhat what corporate IT departments are looking for, but it's even more problematic when a person goes to the store and brings home a device that some corporation has already appointed itself "owner" of. In other words, the third model devolves into the first.
And it doesn't really buy you anything. If you use FDE and erase the decryption key from memory when not using the computer then you don't need hardware to protect your data, math is already protecting it. Past that you can only want to prevent compromise of the boot loader, but in that case detection is just as good as prevention which makes prevention an unnecessary evil.
And lab environments don't need this either. There you put padlocks on the computers after setting the flash write protect jumper, don't even install hard drives in them and boot from the network. It's the same situation -- detection is more important than prevention. Someone can cut the lock but then you know that computer is compromised.
The problem with this model is that it destroys freedom as soon as the user isn't the owner. That is somewhat what corporate IT departments are looking for, but it's even more problematic when a person goes to the store and brings home a device that some corporation has already appointed itself "owner" of. In other words, the third model devolves into the first.
And it doesn't really buy you anything. If you use FDE and erase the decryption key from memory when not using the computer then you don't need hardware to protect your data, math is already protecting it. Past that you can only want to prevent compromise of the boot loader, but in that case detection is just as good as prevention which makes prevention an unnecessary evil.
And lab environments don't need this either. There you put padlocks on the computers after setting the flash write protect jumper, don't even install hard drives in them and boot from the network. It's the same situation -- detection is more important than prevention. Someone can cut the lock but then you know that computer is compromised.