Originally posted by madscientist159
Secure Boot is OS signature check and has a signature database and infrastructure to add and update the keys.
Boot Guard is board firmware signature checks with key fused in hardware https://github.com/corna/me_cleaner/...tel-Boot-Guard and is enforced by Intel ME when it is initializing the board.
You answered my statement of "x86 UEFI does not impose any Secure Boot restriction" with "Maybe not at the OS level (yet, for the most part, etc.) but certainly it does impose severe restrictions on what the machine 'owner' can do to the rest of the firmware stack."
Secure Boot does exactly nothing to restrict access to the firmware stack. It is simply an OS signature check before boot.
The former means you have to trust the entire firmware stack implicitly on x86 systems.
Hint: even the *vendor* doesn't trust that stack implicitly. That's why it's updateable.
You can update the board firmware if it is signed, but you can't change the key used to check the firmware, you can only desolder the chipset and replace it with a "new" one that has no such key fused in.
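The post above describes Secure Boot as a signature check against an updatable key database (PK, KEK, db, dbx). The following is an added example, not code from the thread or from any of the projects it mentions: a small Python parser for the EFI_SIGNATURE_LIST format those variables are stored in, plus the hash-based allow/deny decision the firmware makes from db and dbx. The sample db/dbx contents, the SignatureOwner GUID and the "certificate" bytes are constructed for the demo; the signature-type GUIDs are the ones defined in the UEFI specification. `read_efivar_file` is included to show how the same parser applies to a real variable read from efivarfs on Linux, where the first four bytes are the variable attributes rather than signature data.

```python
import struct
import uuid
import hashlib

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed SignatureOwner GUID for the sample data; not a real vendor GUID.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")


def build_signature_list(sig_type, owner, items):
    """Serialise one EFI_SIGNATURE_LIST holding `items` (all the same length)."""
    if any(len(i) != len(items[0]) for i in items):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(items[0])                 # SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + i for i in items)
    list_size = 28 + len(body)                    # 16-byte GUID + three uint32 + body
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + body


def parse_signature_lists(blob):
    """Parse concatenated EFI_SIGNATURE_LIST structures (db/dbx/KEK/PK content).
    Returns (type_guid, owner_guid, signature_data) tuples and rejects malformed
    length fields instead of reading past the end of the buffer."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("SignatureListSize points outside the buffer")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body_start = off + 28 + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("signature body is not a whole number of entries")
        for p in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def read_efivar_file(path):
    """Read a variable from efivarfs (e.g. /sys/firmware/efi/efivars/db-<guid>)
    and strip the 4-byte attribute word efivarfs prepends to the data."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw[4:]


def hash_allowed(db_entries, dbx_entries, digest):
    """Mirror the firmware's hash-based decision: an image whose Authenticode
    digest is listed in db is allowed unless the same digest is also in dbx."""
    in_db = any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in db_entries)
    in_dbx = any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in dbx_entries)
    return in_db and not in_dbx


def summarize(entries):
    """One human-readable line per signature entry."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    out = []
    for t, o, d in entries:
        shown = d.hex() if t == EFI_CERT_SHA256_GUID else "%d bytes" % len(d)
        out.append("%s owner=%s %s" % (names.get(t, str(t)), o, shown))
    return out


# --- constructed sample data standing in for a real db/dbx ---
GOOD_IMAGE = hashlib.sha256(b"constructed bootloader image A").digest()
REVOKED_IMAGE = hashlib.sha256(b"constructed bootloader image B").digest()
FAKE_CERT = b"\x30\x82" + b"\x00" * 30   # placeholder bytes, not a real X.509 DER certificate

SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [GOOD_IMAGE, REVOKED_IMAGE])
             + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT]))
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_IMAGE])


if __name__ == "__main__":
    db = parse_signature_lists(SAMPLE_DB)
    dbx = parse_signature_lists(SAMPLE_DBX)
    for line in summarize(db):
        print("db ", line)
    for line in summarize(dbx):
        print("dbx", line)
    print("image A allowed:", hash_allowed(db, dbx, GOOD_IMAGE))
    print("image B allowed:", hash_allowed(db, dbx, REVOKED_IMAGE))
```

On a Linux machine booted under UEFI, replacing `SAMPLE_DB` with `read_efivar_file("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")` lists the vendor and OEM certificates and hashes the firmware will accept, which is the easy way to audit what that key database actually contains. The parser deliberately validates every length field before using it, since these structures come from mutable NVRAM and a firmware that trusts them blindly is exactly the kind of bug that makes a signature check worthless.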