Let's say you have already replaced the proprietary BIOS of your PC with the open-source coreboot firmware, and you are satisfied with the higher security that coreboot gave you. But should we stop there? While you are AFK (away from keyboard), an "evil maid" can compromise your PC's boot process so that it leaks the encryption keys on your next boot attempt. How do you ensure this won't happen?

Luckily, there's the TrenchBoot project. This flexible cross-platform framework lets you ensure the boot integrity of your PC - that each step of your boot process was secure - by using the Root of Trust (RoT) security features available on your platform.

Thanks to generous funding provided by the NLnet Foundation, our company, 3mdeb, has contributed widely across the OSS ecosystem: coreboot, iPXE, GRUB2, Linux, Xen, NixOS, Yocto, Debian, CHARRA, safeboot and Robot Framework.
For TrenchBoot to be functional, these different open-source projects have to cooperate seamlessly, the missing features required for that have to be implemented, and there has to be working and reliable access to RoT features like D-RTM (Dynamic Root of Trust for Measurement). 3mdeb has done a lot of benevolent work on this front.

You can learn more about TrenchBoot from the in-depth articles on the 3mdeb blog and the archived videos in the #trenchboot channel on OSFW Slack. Yes, there's a learning curve, but your efforts will pay off with much higher security for your PC.

Please visit us at the TrenchBoot forum on 24th March, 16:00 GMT - https://trenchboot.org/tdf-schedule.html - to learn more about how it works and to understand how to bring it to your systems.