No, it's you who are mixing it up.

Secure Boot is OS signature check and has a signature database and infrastructure to add and update the keys.

Boot Guard is board firmware signature checks with key fused in hardware https://github.com/corna/me_cleaner/...tel-Boot-Guard and is enforced by Intel ME when it is initializing the board.

You answered my statement of x86 UEFI does not impose any Secure Boot restriction with Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack.


Secure Boot does exactly nothing to restrict access to the firmware stack. It is simply a OS signature checking before boot.

What the fuck are you talking about. The vendor's Boot Guard key is fused permanently in the chipset, no update is possible.

You can update the board firmware if it is signed, but you can't change the key used to check the firmware, you can only desolder the chipset and replace it with a "new" one that has no such key fused in.

Just saw this in my old notifications.

You seem to be confusing the early signature checks (Boot Guard / ME signature checks) with the OS loader stage signature checks. The former means you have to trust the entire firmware stack implicitly on x86 systems.

Hint: even the *vendor* doesn't trust that stack implicitly. That's why it's updateable.

Oh god this is why I hate you. You always need to spindoctor stuff.

Umm... no? Intel Boot Guard or its AMD equivalent (what actually prevent the owner from changing the firmware) are unrelated to Secure Boot or even UEFI, as they are hardware features (enforced by ME or PSP or fused signature in the chipset).

This is a problem with all signed board firmwares (i.e. not replaceable by the end user), and is unrelated to the availability or not of a "secure boot" implementation, and I'm tired of you posting bullshit goddamnit.

Even BIOS could be updated to just check the checksum of Windows's MBR code before executing it, so it would execute ONLY windows bootloader. (Some BIOSes had "boot sector virus check" feature that was able to block writes to or rewrite the MBR, for example)

Actually the whole Secure Boot system in UEFI is specifically designed around having the user and OEM add his keys.
It is designed around signature database and not just static hashes, because it's supposed to let the user/OEM add their keys to system database.
It makes no sense to even care about keys and signing shit if you are just booting the same bootloader over and over, a hard-coded checksum is enough.

Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine "owner" can do to the rest of the firmware stack. Which brings up the (admittedly unlikely, but technically possible) spectre of e.g. a future security update for UEFI removing custom OS support (or requiring a paid annual boot license, etc.). POWER simply doesn't have these problems, which is why I wanted to highlight it above.

Apart from a few devices that suck and can't load custom keys in their database, x86 UEFI does not impose any Secure Boot restriction either.

That said, it's good to see something else than UEFI with modern features every once in a while. Is this a Linuxboot system?

I think I remember that Power servers have their own "smart" bootloader that can do UEFI-like stuff like reading the OS kernel from a partition but it's not Linux-based.

Should note that since the entire boot flow is owner controlled on Raptor POWER products, even when fully implemented this won't impose Secure Boot restrictions on users, existing or new. It instead allows the users to impose Secure Boot restrictions on third parties for the hardware they own, from black hat crackers to the very hardware vendors the systems came from.

Typo: