[5d8767c68926]

Are there rules/standards for how these top secret keys are stored? HDCP, Mediavine, keys to the Internet, etc. Sure, you could keep it locked in a Scrooge McDuck security vault, but you need to be able to burn the key into hardware/software, meaning it ultimately needs to be distributed across many machines, greatly increasing the number of people with potential access.

[cperciva]

The public key needs to be in the CPU. The private key is only needed when Intel needs to sign new microcode.

[pabs3]

Isn't this an encryption key not a signing key? There are of course signing keys involved too though.

[cperciva]

There's both. The encryption (decryption) key has leaked. The original question was about "making your own microcode", for which you would need the (not leaked, and unlikely to leak) private signing key.

[leetbulb]

The security of these keys depend on the signing ceremony / ritual involved. Here's an example https://www.youtube.com/watch?v=_yIfMUjv-UU

[exhilaration]

That video deserves its own HN post

[leetbulb]

I agree, although it's been posted a few times already. In searching, I found a nice, and obligatory CloudFlare article on it: https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/