By making it immutable out of the box, VAC enforcement becomes vastly easier and third-party multiplayer anti-cheating kernel rootkits are replaced by “attest that you are unmodified”, which Steam Linux and macOS/tvOS/iOS/iPadOS can do — but not Windows 10/11, because sealed boot functionality is behind Microsoft’s enterprise annual subscription fee paywall. This positions Steam Linux as the monopoly provider of console-gaming Linux, since no one else is doing sealed attestation Linux at scale, and opens the door for multiplayer AAA games to target Steam Linux for their day-one releases as a competitive equal to Xbox/PS5/Switch and as a better defended console platform than Windows PCs. The modifications described by OP are still possible, but won’t be compatible with multiplayer anti-cheating enforcement, which is perfectly fine; boot to sealed for competitive gaming, boot to custom for single player, everyone wins except Microsoft’s Windows division. (If Microsoft hadn’t shot off their foot with Windows 10, they could have simply enabled sealed booting for all 10/11 installations and remained competitive as a gaming platform, but I think they’re done with that business.) Nice to see my predictions pan out and I look forward to buying one :)
Immutability doesn't provide this on its own. You can load any custom immutable image you want. What game devs want is full boot chain attestation where every part of the OS is measured and verified untampered with, and then to load their own spyware at the highest level.
The only way immutability helps here is you could have two OS images, the user's own customisable one, and a clean one. Then when you try to load an anti cheat game, the console could in theory reboot into the clean one, and pass all the verification checks to load the game.
I am, indeed, assuming that their immutable image can generate attestations chained appropriately. If not, it’s a catastrophic business error on their part to put in all that work, and I don’t consider that degree of failure likely. Definitely curious to see if they can enable the chain on existing Steamdecks or not.
Immutable images provide many benefits that are unrelated to DRM. The main one being that the entire fleet of Steam Decks/Machines are all in a known state. Updates are a matter of pushing a new OS image, you don't have to worry about migrating files, conflicting configurations, strange user changes. And if an update fails, the bootloader shows a screen where you can boot a previous OS image that worked.
It's like docker images for the whole OS. As far as I can tell, the Steam Deck does not have secure boot or any kind of attestation enabled. They have been very forward in marketing it as an open and free system you can do anything on. The hardware does have a TPM that is seemingly unused currently, not sure if it supports some form of secure boot.
> They have been very forward in marketing it as an open and free system you can do anything on.
Attested sealed images and Open and Free systems have no conflict with each other. Mod it all you want; sure, it’ll generate a different attestation than the shipping sealed image, or if your customizations turn off attestations and/or secure boot, none at all. You do you! Source code releases will never include the private key used to sign them, just as with all open source today, so either the OS’s attestation will be signed by Valve or by you or by someone else. It takes me about sixty seconds to add my own signing key to my PC BIOS today and it would not surprise me to find Valve’s BIOS implements the same, as I’m pretty certain this is basic off-the-shelf functionality on Zen4/Zen5. But, regardless, Free/Open Source is wholly unconcerned by whose release signing key is used; otherwise it wouldn’t be Free/Open! The decision to care about whose release signature is live right now is the gaming server’s decision, not Steam Linux’s, and that decision is not restricted by any OSS-approved license that I’m aware of.
Secure boot attestations plus sealed images do enable “unmodified Valve Linux release” checks to be performed by multiplayer game servers, without needing the user to be locked out of making changes at all. This is already demonstrated in macOS today with e.g. Wallet’s Apple Pay support; you can disable and mod the OS as much as you wish, and certain server features whose attestation requirements require an Apple release signature on the booted OS will suspend themselves when the attestation doesn’t match. When you’re ready to use those servers, you secure boot to an OEM sealed environment and they resume working immediately. This is live, today, on every Apple Silicon (and T2 chipped Intel) device worldwide, and has been available for developers to use for years.
Attestations are, similarly, already available on all AMD devices with a TPM today, so long as the BIOS to OS chain implements Secure Boot — not requires, but implements, as there’s no reason to deny users unsigned OS booting once you’re checking attestation signatures server-side. As you note, it remains to be seen if the Steam Box will make use of it. If they do, it coexists just fine with full repurposability and modifiability, because you can do whatever you like with the device — and, correspondingly, each game may choose to require an unmodified environment to ensure a level playing field without kernel or OS modifications.
It would be a lost opportunity for them if they were not the first fully open OS with a fully secure multiplayer environment that prohibits both third-party cheating mods and third-party DRM rootkits. VAC becomes as simple as a sysctl, and patches are still welcome. Open source for the win, and one step further towards the Linux desktop finally overtaking residential Windows, and the ability to play console-grade multiplayer without the proliferation of on-device software-only hacks? Yes, please.
(Note that manufacturers who use Secure Boot to lock out device modifications are not in-scope here; that choice has no effect on attestations. Secure Boot is “the OS booted had this checksum and signature” with HSM backing, so that the software can’t lie. It is extremely unlikely that Valve would demand that the OS booted be signed by Valve. That would be no different than Xbox/PS5/Switch, and they’d be leaving a massive competitive advantage over tvOS on the table: device repurposeability.)
Yes, but that works just as readily on consoles as it does PCs, so it doesn’t affect immutable Steam any more or less than any other gaming system. Sealed protections are still valuable regardless!
It affects console too, but watch game publishers disable Linux support, blaming cheaters while producing graphs that don't support their arguments. While console packs and cheats are rampant, and their game servers even being hacked during competition.
If the status quo doesn’t change, then you’ll be right to have claimed here that the status quo you’ve described won’t change. But that would be worse for all of us. Besides, Linux is an excellent platform for modding games in realtime, no matter what their charts show — so certainly the sealed-attestation stuff would deny them a plausible reason to deny Linux. If Microsoft offered sealed Windows for free, they’d deny unsealed Windows as fast as humanly possible, just to stem the tide of software cheating. The next couple years will be very interesting :)
I totally agree with you, and I hope the status quo will change. But I'm still skeptical after the Steam Deck success where many games enabled anti cheat, but some did roll back like I said previously.
Attestation could help, but I'm not sure if it goes in the spirit of what Valve tries to do with their OS. The system is open and you can easily access the desktop (it's a first party feature) and thus do what you want. Maybe with a separate verified boot state without desktop but the user experience would not be great.
And in the end, like you said, they'd run to only support sealed attested systems if they could. But cheats have evolved past being run on the computer running the game. Some use DMA or are in between the keyboard/mouse and the usb port. Consoles also have their fair share of cheaters. None of those would be solved by attestation.
Valve has shown recently that it's possible to fight cheaters without kernel AC or attestation. It's just a bit more difficult and intensive so other AC providers won't go the same route.
For good reason, anticheat on Linux is basically useless. Not that cheating isn't rampant on other platforms, but you don't have to leave the door open on purpose.
Not really. On Linux you can just load your cheat as a kernel module and it's undetectable by userspace anticheat.
On Windows with kernel anti cheat you would need to find some vulnerable driver, sign your own driver, or use external cheats like DMA or vision based. This funnels cheat devs into using a few methods that anti cheat devs can focus on for detection. Is it perfect? Clearly not as there's plenty of cheaters anyway. But it's much more effective than what these anti cheats can do on Linux.
Precisely. And this is where secure boot + attestation comes in: making Linux able to prove itself as unmodded to the server, makes it a possible target for multiplayer game developers.
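The server-side decision this thread keeps returning to (a modified image produces a different attestation, and the game server decides whether to accept it), sketched as an added example that is not from any commenter or from Valve. The HMAC key stands in for a TPM attestation key's asymmetric signature, and the boot components, nonces and function names are constructed for illustration.

```python
import hashlib, hmac

# Constructed stand-in for the TPM attestation key. A real TPM signs quotes
# with an asymmetric key that never leaves the chip; HMAC is used here only
# so the example runs with the standard library.
AK = b"constructed-demo-attestation-key"

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay(event_log):
    """Recompute the PCR value from an ordered list of measured components."""
    pcr = bytes(32)  # PCRs start at all zeroes on reset
    for component in event_log:
        pcr = extend(pcr, component)
    return pcr

def device_quote(event_log, nonce: bytes):
    """Device side (simulated): report the PCR and sign it with the nonce."""
    pcr = replay(event_log)
    sig = hmac.new(AK, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig, "log": list(event_log)}

def server_verify(quote, expected_nonce: bytes, sealed_pcrs: set) -> str:
    """Game-server side: returns 'sealed', 'custom' or 'reject'."""
    want = hmac.new(AK, quote["nonce"] + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, quote["sig"]):
        return "reject"                       # forged or corrupted quote
    if quote["nonce"] != expected_nonce:
        return "reject"                       # quote replayed from an earlier session
    if replay(quote["log"]) != quote["pcr"]:
        return "reject"                       # event log does not explain the PCR
    return "sealed" if quote["pcr"] in sealed_pcrs else "custom"

# Constructed boot chains: the shipped sealed image and a user-modified one.
SEALED_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1", b"rootfs-image-v1"]
CUSTOM_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1+module", b"rootfs-image-v1"]
SEALED_PCRS = {replay(SEALED_BOOT)}  # allowlist published for the sealed release

if __name__ == "__main__":
    for boot in (SEALED_BOOT, CUSTOM_BOOT):
        print(server_verify(device_quote(boot, b"nonce-1"), b"nonce-1", SEALED_PCRS))
```

A "custom" result is a valid attestation of a different boot chain, so whether to admit it to a given match is a server policy choice and the device itself is never locked.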