On 2024-03-15 22:24, mr gadha via coreboot wrote:
> Are there any known tools for decoding the BootGuard policy?
> I’m new to coreboot but have a system that I was interested in investigating adding support for.
Hello! Welcome to coreboot! We look forward to any future contributions from you. There is the util/intelmetool utility in coreboot's source, which has a -b flag which is supposed to indicate the BootGuard status. There are also some instructions for using it here: https://felixsinger.github.io/bootguard-status/
There's also a tool called MEInfo, which is an official tool from Intel and thus should be the most reliably accurate way of determining the BootGuard configuration. It is not supposed to be publicly available, but may or may not be possible to find on the internet anyway ;).
By the way, which system are you looking into?
> The flash image has BootGuard signatures, but at least some parts of the UEFI area of the flash are modifiable (variables, logo, etc). I’m wondering if the DXE area is even protected at all…
> Or does one just abandon any attempt as soon as a BootGuard header is seen?
The presence of BootGuard signatures in the ROM does not necessarily mean BootGuard is actually enabled in the chipset, so no need to abandon an attempt immediately upon seeing that.
Cheers, Nicholas
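The following is an added example, not part of the thread above and not code from coreboot's util/intelmetool or Intel's MEInfo. It shows the first step of "decoding the BootGuard policy" from a flash dump: locating the Key Manifest and Boot Policy Manifest headers by their 8-byte structure IDs ("__KEYM__" and "__ACBP__"). It assumes that the byte directly after the ID is the manifest's StructVersion field; the sample image is constructed, not a real dump. As the reply notes, finding these structures only tells you the image carries Boot Guard manifests; whether the chipset enforces them is a fuse/profile question answered by intelmetool -b or MEInfo, not by the flash contents.

```python
"""
Added example (not from the coreboot thread, and not coreboot's own code):
locate Intel Boot Guard manifests in a raw SPI flash dump by scanning for
their 8-byte structure IDs.

Assumptions: only the public manifest structure IDs "__KEYM__" (Key
Manifest) and "__ACBP__" (Boot Policy Manifest) are used, and the byte
right after the ID is read as the StructVersion field. The sample image
built by build_sample_image() is constructed for illustration.
"""
from collections import namedtuple

STRUCT_IDS = {
    b"__KEYM__": "Key Manifest (KM)",
    b"__ACBP__": "Boot Policy Manifest (BPM)",
}

Manifest = namedtuple("Manifest", "offset struct_id name version")


def find_bootguard_manifests(image: bytes) -> list:
    """Return every KM/BPM header candidate in `image`, sorted by offset.

    A plain substring search is used, so a stray copy of the ID string
    (for example inside a bundled tool or a log) would also match; treat
    hits as candidates to confirm by parsing the header, not as proof.
    """
    hits = []
    for struct_id, name in STRUCT_IDS.items():
        start = 0
        while (off := image.find(struct_id, start)) != -1:
            # Assumed layout: byte 8 of the header is StructVersion
            # (0x10 for v1.0 manifests, 0x2x for v2.x manifests).
            version = image[off + 8] if off + 8 < len(image) else None
            hits.append(Manifest(off, struct_id.decode("ascii"), name, version))
            start = off + len(struct_id)
    return sorted(hits, key=lambda m: m.offset)


def has_bootguard_manifests(image: bytes) -> bool:
    """True when both a KM and a BPM candidate are present.

    This only says the image *carries* Boot Guard structures. Whether the
    chipset enforces them is decided by the Boot Guard fuses/profile
    (what `intelmetool -b` or MEInfo report), not by the flash contents.
    """
    found = {m.struct_id for m in find_bootguard_manifests(image)}
    return {"__KEYM__", "__ACBP__"} <= found


def build_sample_image() -> bytes:
    """Constructed 8 KiB image: erased flash (0xFF) with a v1.0 KM header
    at 0x100 and a v2.1 BPM header at 0x400. Not a real dump."""
    img = bytearray(b"\xff" * 0x2000)
    img[0x100:0x109] = b"__KEYM__" + bytes([0x10])
    img[0x400:0x409] = b"__ACBP__" + bytes([0x21])
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Pass a flash dump as the first argument, or run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for m in find_bootguard_manifests(data):
        ver = f"0x{m.version:02x}" if m.version is not None else "?"
        print(f"0x{m.offset:08x}  {m.struct_id}  {m.name}  StructVersion={ver}")
    print("KM+BPM present:", has_bootguard_manifests(data),
          "(presence is not enforcement; check the fuse state with intelmetool -b)")
```

Run it against a real dump (for example one read out with flashrom) to get the manifest offsets; the next step, parsing the KM/BPM fields and the IBB element's hash list to see which flash regions the policy actually covers, is what answers the DXE question from the thread, and is not covered by this snippet.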