On Wed, Jun 27, 2018 at 9:15 AM chrisglowaki@tutanota.com wrote:
Please correct me if I'm wrong, but I think LinuxBoot doesn't give the same security as coreboot+FSP because it leaves the firmware vendor and board manufacturer in the trust equation. With the FSP we only have to trust Intel.
you're right for some boards, but not all boards.
Our goal for some platforms is to have just the SEC and PEI as delivered from the chipset vendor, and then DXEs compiled from source, then linuxboot. We'd like to remove the firmware vendor and board manufacturer from the trust equation -- and, interestingly, many board vendors we talk to also want that very same thing.
We're not there yet, but getting closer all the time. And it's moving fast.
ron