Can we completely replace UEFI w/o any signatures?
You addressed the right crowd. Coreboot.
And what about ME? I've read that the CPU itself verifies the signature of ME firmware, so we can't completely replace it.
As I said/wrote previously. And Igor confirms my thoughts:
IgorS>> Yes, unless your PC uses Boot Guard (so far it's been only enabled in
IgorS>> a small percentage of enterprise laptops because it ties together CPU and PCH -
IgorS>> you can't replace one without having to replace the other). Without
IgorS>> Boot Guard active, the CPU will execute whatever you place in the flash, and it's
IgorS>> up to you whether to implement signing checks or not.
Thank you, Igor, for chiming in/participating! :-)
Zoran _______
On Thu, Nov 30, 2017 at 6:54 PM, Enrico Weigelt, metux IT consult <info@metux.net> wrote:
On 30.11.2017 07:40, Zoran Stojsavljevic wrote:
You can fully use UEFI BIOS without any signatures. With the so-called slim
TXE engine.
Can we completely replace UEFI w/o any signatures?
And what about ME? I've read that the CPU itself verifies the signature of ME firmware, so we can't completely replace it. If it were possible to read out the privkey or burn in another one, that blockade would fall.
--mtx
--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287