Quoting Stefan Reinauer stepan@coresystems.de:
The opposite is the case. LinuxBIOS is the _only_ chance out there that allows controlling the restrictions. It does not restrict the vendor in controlling the "bootblock" -- Since there is no such thing as the bootblock in LinuxBIOSv2, I wonder what the technical meaning of that part of the specification is supposed to be.
The boot block is the "core root of trust for measurements", i.e. it is supposed to do integrity measurement on the next module in the bootchain (that would be LinuxBIOS in this scheme..). This "measurement" (an integrity hash like SHA1) would be stored in one of the protected registers of the TPM. Now a question arises : would the "bootblock" transfer the control to LinuxBIOS if the hash does not match a value "hardwired" by the manufacturer? (the decision will be taken by the CRTM (the bootblock) not by the TPM which is (for the moment) passive) Indeed, I agree, this scheme does not preclude the use of LinuxBIOS .. as a step 2 into the boot chain, but what will happen when one will need to upgrade/update the installed version of LinuxBIOS? In other words, no one other that the manufacturer will be able to install LinuxBIOS and IMHO we will unfortunately lose a great advantage of LinuxBIOS which is his flexibility/customizability..
Florentin