by csdvrx
1138 days ago
If this is the Intel key that's burned on the CPU (or PCH, I forgot) e-fuses, and that manufacturers use to sign their own BIOS and UEFI payloads, do you think this will enable us to edit the manufacturer BIOSes to tweak variables, re-sign some of their EFI payloads, or just remove some of these payloads (like the ones involved in checking that the PCI or USB IDs are on an approved whitelist of WWAN and WLAN cards)? Like what https://erfur.github.io/2019/03/28/down_the_rabbit_hole_pt3.... could do before BootGuard?

I ask because this would enable a lot more security: I could mod my BIOS and add an extra EFI module signed with my key that wouldn't trigger BootGuard; then later during the boot, an encrypted GRUB or whatever could check them, say with a TPM-enrolled key holding their hashes. This could make the computer refuse to boot further if, say, the MAC address of the network card (or the CPU serial, or the NVMe serial) doesn't match what I added.

Yes, an evil maid attack could do the same to me (by removing these checks I've added and replacing them, say, with NOPs), but that would alter their hash. And if the secure boot payloads signed with my own key first check the existence of these modules, and then verify that their signature (kept inside my signed payloads) matches my versions (and not the evil maid's or the manufacturer's original), I'd still get the benefits of Secure Boot, just with my own keys all the way down. That'd be super interesting to have!!