Nico Huber wrote:
> > if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system.
> This seems a bit misleading. BootGuard is independent of the flash chip and write access to it.
You're of course correct. I didn't express my point very well.
I wanted to make clear that, as you write, BootGuard is intended to disallow any firmware other than from the integrator, and bar some bug in chipset lockdown or SMM it can be expected to indeed be effective.
BootGuard itself doesn't control flash write access, but its idea is contrary to leaving the flash chip accessible e.g. by flashrom, and by now I think it's fair to expect that machines using BootGuard will also lock down flash write access such that only correctly (as decided by the manufacturer) signed firmware can be flashed in a running system.
Whether BootGuard allows a foreign firmware to boot is the next hurdle, and if no then no soldering iron helps.
I second Nico: Do everyone a favour and buy hardware actually designed for coreboot if you want coreboot. :)
//Peter