[worthless-trash]

You absolutely can sign the kernel with your own keys. This would allow you to boot your machine into the first level kernel without the bootloader.

Is this 'couldn't' a self imposed requirement or a technical one I can't think of ?

[DEADMINCE]

> Is this 'couldn't' a self imposed requirement or a technical one I can't think of ?

Probably not technical. There is another element, obtaining a HDD encryption key from the TPM. The idea that the HDD is encrypted outside of my laptop and nothing can boot on my laptop that isn't my signed OS to read it.

Thinking about it I probably could do everything in the kernel directly - why not? Well, because it would be extra work to write all that, but probably not a technical limitation.

[worthless-trash]

Just to be clear, this is signing for validation not encryption of the contents.

I wrote a guide on this topic of ensure platform integrity of system level (See https://wmealing.github.io/tpm-pcr07.html ) its not too hard.

[DEADMINCE]

> Just to be clear, this is signing for validation

Yup. I was just referencing wanting to obtain keys from the TPM to decrypt a partition. This is useful for me to have the following setup:

- Laptop turned on, no keys pressed, boots into super locked down guest OS.

- Laptop turned on, certain key pressed within 2 seconds, boot into 'hidden' OS.

- In both cases, HDD is encrypted, decrypted automatically via retrieving keys stored in the TPM. This means the harddrive cannot be read outside of that particular laptop, unless keys are extracted from the TPM.

- Bootloader signed with own key, any and all existing keys wiped, so laptop cannot be booted with any external OS.

How would I recreate that setup with nmbl?

That's a good link by the way, thanks - saved.