by bubblethink 2243 days ago
> wouldn't this increase the likelihood of a malicious vendor preinstalling a rootkit?

Vendors already fuse their keys using Boot Guard. So if they want to install rootkits, they can do that now. Lenovo already did that with Superfish. Boot Guard doesn't make any assurances about the quality of the BIOS. It just says to the consumer that this machine's BIOS came from the vendor. Sort of like the HTTPS padlock.

I think what you mean to ask is how we could ensure the integrity of the boot flow up to the OS without Boot Guard. It can be done higher up in the stack. Chromebooks do it pretty well. There are other projects like Heads that do it as well. Your chain of trust needs to extend into the OS for it to be meaningful.

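The distinction drawn in the comment above (a vendor key that only vouches for the BIOS versus a chain of trust that is checked all the way into the OS) can be made concrete with a small simulation. This is an added example, not code from the commenter, from Intel, or from the Chromebook or Heads projects: a root key "fused" into the platform authorises each boot stage through a signed manifest, and the verifier can be told how far down the chain it actually checks. HMAC-SHA256 stands in for the real asymmetric signature, and all keys and images are constructed sample values.

```python
"""Toy verified-boot chain, constructed for illustration.

Each stage image is authorised by a manifest signed under a root key that
the platform treats as fused-in. The verifier walks the chain in boot order
and checks only the stages inside its configured scope; anything outside
that scope is loaded without verification.
"""
import hashlib
import hmac

# Constructed stand-in for the vendor key whose hash is burned into fuses.
# HMAC-SHA256 replaces the real asymmetric signature scheme (simplification).
ROOT_KEY = b"constructed-oem-root-key"


def digest(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def sign_manifest(name: str, image: bytes) -> dict:
    """Vendor side: produce a manifest authorising exactly this image."""
    d = digest(image)
    sig = hmac.new(ROOT_KEY, name.encode() + d, hashlib.sha256).digest()
    return {"name": name, "digest": d, "sig": sig}


def manifest_is_valid(manifest: dict, image: bytes) -> bool:
    """Platform side: the signature must bind name+digest to the root key,
    and the image actually loaded must match the authorised digest."""
    expected = hmac.new(
        ROOT_KEY, manifest["name"].encode() + manifest["digest"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, manifest["sig"]) and hmac.compare_digest(
        manifest["digest"], digest(image)
    )


def verify_boot(chain, verified_stages):
    """Walk the chain in boot order. Stages named in verified_stages are
    checked; all others are loaded unverified. Returns (ok, failing_stage)."""
    for manifest, image in chain:
        if manifest["name"] in verified_stages and not manifest_is_valid(manifest, image):
            return False, manifest["name"]
    return True, None


# Constructed sample images for the three stages.
BIOS = b"vendor bios 1.0"
BOOTLOADER = b"vendor bootloader"
KERNEL = b"vendor kernel"

GOOD_CHAIN = [
    (sign_manifest(name, image), image)
    for name, image in [("bios", BIOS), ("bootloader", BOOTLOADER), ("kernel", KERNEL)]
]

# Same vendor-signed manifests, but the kernel image on disk has been altered.
TAMPERED_CHAIN = [
    (m, image if m["name"] != "kernel" else KERNEL + b" (modified)")
    for m, image in GOOD_CHAIN
]

# Boot Guard alone only binds the BIOS to the vendor key.
BOOT_GUARD_SCOPE = {"bios"}
# A chain of trust that extends into the OS checks every stage.
FULL_SCOPE = {"bios", "bootloader", "kernel"}

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN), ("tampered kernel", TAMPERED_CHAIN)]:
        for scope_label, scope in [("bios only", BOOT_GUARD_SCOPE), ("full chain", FULL_SCOPE)]:
            print(f"{label:16s} / {scope_label:10s} -> {verify_boot(chain, scope)}")
```

Running it shows the point of the comment: with the BIOS-only scope the modified kernel boots with a clean result, because nothing past the BIOS was ever bound to the vendor key; with the full scope the same chain fails at the kernel stage. The verifier's scope is the policy decision, and the signature on the first stage says nothing about what it chooses to check afterwards.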

The points you make in your post are very valid. My post was made in the context of the Intel ME's wide range of invasive capabilities. If your purpose was to perform surveillance on your customers, the ME would grant you even more reach than BIOS firmware would. You've already addressed the fact that users need to trust the quality of their firmware at face value. This is hard enough already, let alone with hardware vendors being able to access the ME.

Just to clarify (as if I haven't clarified this enough), I'm in favor of Intel releasing the keys.