by throwaway7767 3777 days ago
I think we're in agreement then. Intel's system does not meet the criteria I set forth in the post you're replying to (since there is only one key, and it's generated out of the owner's control). So that's a bad solution. If there were some way for a physically present user to set a new firmware signing key, that would get the benefit without having to throw out any attempt to secure the boot process.

Of course, Intel's microcode is not open for scrutiny, so the point is moot there (what would you sign instead?)

The linked project states that having no way to lock the boot process is a benefit. I disagree that it's a feature to advertise, because it's possible to implement in such a way that the user retains complete control. Pointing out bad implementations is not a good answer to that.

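The design the comment above argues for (verified boot where the root of trust is a signing key the owner can replace, but only with physical presence) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Intel, or from any linked project. It uses Ed25519 as a stand-in signature scheme, a plain boolean for the physical-presence strap, and constructed firmware bytes; the type and function names (BootROM, EnrollRoot, VerifyFirmware, RunScenario) are invented for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// BootROM models the immutable first-stage verifier. Unlike a key fused once
// at the factory, ownerRoot lives in owner-writable storage and may be replaced,
// but only while physPresent is asserted (a jumper or button, modelled as a bool).
type BootROM struct {
	ownerRoot   ed25519.PublicKey
	physPresent bool
}

var (
	ErrNoRoot     = errors.New("no root key enrolled")
	ErrNotPresent = errors.New("key change refused: physical presence not asserted")
	ErrBadSig     = errors.New("firmware signature invalid under enrolled root")
)

// EnrollRoot replaces the trusted signing key. Remote callers cannot satisfy
// the physical-presence check, so a compromised OS cannot silently re-key the ROM.
func (b *BootROM) EnrollRoot(pub ed25519.PublicKey) error {
	if !b.physPresent {
		return ErrNotPresent
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	b.ownerRoot = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// VerifyFirmware accepts an image only if it is signed by the currently enrolled root.
func (b *BootROM) VerifyFirmware(image, sig []byte) error {
	if b.ownerRoot == nil {
		return ErrNoRoot
	}
	if !ed25519.Verify(b.ownerRoot, image, sig) {
		return ErrBadSig
	}
	return nil
}

// Outcome records what each step of the walk-through produced.
type Outcome struct {
	RemoteEnrollRefused        bool // re-key attempt without presence is rejected
	VendorImageBoots           bool // vendor-signed image boots under vendor root
	VendorImageBootsAfterRekey bool // should be false once the owner re-keys
	OwnerImageBootsAfterRekey  bool // owner-signed image boots under owner root
	TamperedOwnerImageBoots    bool // should be false: one flipped byte breaks the signature
}

// RunScenario walks through factory provisioning, an owner take-over, and the
// checks that still hold afterwards. Keys and firmware bytes are constructed here.
func RunScenario() (Outcome, error) {
	var o Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	image := []byte("constructed firmware image v1") // stand-in for a real image

	rom := &BootROM{}
	// Factory provisioning: presence is asserted on the line, vendor key enrolled.
	rom.physPresent = true
	if err := rom.EnrollRoot(vendorPub); err != nil {
		return o, err
	}
	rom.physPresent = false
	o.VendorImageBoots = rom.VerifyFirmware(image, ed25519.Sign(vendorPriv, image)) == nil

	// Attack: software running on the booted system tries to swap in its own root.
	o.RemoteEnrollRefused = errors.Is(rom.EnrollRoot(ownerPub), ErrNotPresent)

	// Owner take-over: presence asserted, owner key enrolled, vendor key retired.
	rom.physPresent = true
	if err := rom.EnrollRoot(ownerPub); err != nil {
		return o, err
	}
	rom.physPresent = false
	ownerSig := ed25519.Sign(ownerPriv, image)
	o.OwnerImageBootsAfterRekey = rom.VerifyFirmware(image, ownerSig) == nil
	o.VendorImageBootsAfterRekey = rom.VerifyFirmware(image, ed25519.Sign(vendorPriv, image)) == nil

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	o.TamperedOwnerImageBoots = rom.VerifyFirmware(tampered, ownerSig) == nil
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point the model makes is the one in the comment: the boot process stays locked (unsigned or stale-vendor images are refused after the re-key), yet control of what is trusted sits with whoever can touch the machine rather than with a single factory-generated key.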

The ME is an embedded device that has its own independent CPU and operating system. Whether Secure Boot is possible is tangential to that. Secure Boot is as relevant to security here as lowering the anchor on the Titanic after hitting that iceberg. Whether the measure is in place or not does not actually fix things.