Wouldn't any opportunity to run your own code in the kernel be worthy of a bug bounty?
Are the protections nowhere near as strong as intended?
So a rootkit needs to worry about PatchGuard, but if you only want to run code at kernel level, you generally don't.
If you're interested in running kernel code on your own device, it's simpler to just write your own driver.
How about "modify" or "customise"? No, because that wouldn't fit their authoritarian narrative.
> MS wants to take control away from users and owners, so uses such language.
I wanted to clarify this issue in logner detail but obviously outside of enterprise settings (which the owner does not trust the user).
Now, I'm writing to HN here, which really likes its freedoms (and I also want it). But the general pattern nowadays is that people value the consistency over customisability. The success of locked-down iPhone and Android is a great example: sure some users wants to run other software on the device but the simple truth is vast majority of users prefers to trust Apple or Google to do their job properly as their main goal is not to run a computer but rather to do their own business (similar to how a company often contracts its electricity, water, network connectivity, waste management and others).
On a similar vein, the newer versions of Windows will run with the secure boot option enabled (which will ensure that the system is as intended by Microsoft). Again, some people wants the system to be easily modifiable, and in that case there are ways to lower the guardrails to allow you to a certain extent. But the vast majority of users trusts Microsoft to manage the system and let them just do work.
TLDR: Some users view a computer as something to tinker upon but most users see it as a tool to be used.
It's the example that everybody uses, but because of the nature of vertical integration and the network effect, you can't use popularity as an indication that people actually want any given individual aspect of those products.
Suppose it's 2010 and you need an app that only exists on iPhone. Well, you might not like that it's locked down, but you need that app. Then once you've had one for three years you're locked into their ecosystem indefinitely.
It's also a trap. When the lockdown first comes, they say they're just using it to exclude malware and other things you actually don't want. You have to get your apps signed, but they sign all the ones you care about, so what does it matter?
Only after mobile platforms that don't do this have reached negligible market share and have no network effect do they start excluding apps you might actually want. But by then it's too late.
Personally, I value both. I want all the modern so-called 'tamper proof' features that an OS has, but I also want myself to be in control of all of them. I am fine with switching them on so that only signed code is executed and let the OS maker handle certificate revocation and all that. But if I want to use it as a dev box, I also want the option to turn it off.
Ditto for customization - I want the ability to tweak and change tuning/configuration parameters for performance reasons, for productivity reasons, for aesthetic reasons, but I also want a 'force defaults' and/or disable customizations option for when I'm setting up the computer for a family member, etc.