> Can we completely replace UEFI w/o any signatures ?
You addressed the right crowd. Coreboot.
> And what about ME ? I've read that the cpu itself verifies the
> signature of ME firmware, so we cant completely replace it.
As I said/wrote, previously. And Igor confirms my thoughts:
IgorS>> Yes, unless your PC uses Boot Guard (so far it's been only enabled in
IgorS>> a small percentage of enterprise laptops because it ties together CPU and PCH -
IgorS>> you can't replace one without having to replace the other). Without
IgorS>> Boot Guard active, the CPU will execute whatever you place in the flash, and it's
IgorS>> up to you whether to implement signing checks or not.
Thank you, Igor, for chime-in/participating! :-)
Zoran