> Can we completely replace UEFI w/o any signatures ?

You addressed the right crowd. Coreboot.

> And what about ME ? I've read that the cpu itself verifies the
> signature of ME firmware, so we cant completely replace it.

As I said/wrote, previously. And Igor confirms my thoughts:

IgorS>> Yes, unless your PC uses Boot Guard (so far it's been only enabled in

IgorS>> a small percentage of enterprise laptops because it ties together CPU and PCH -
IgorS>> you can't replace one without having to replace the other). Without

IgorS>> Boot Guard active, the CPU will execute whatever you place in the flash, and it's

IgorS>> up to you whether to implement signing checks or not.

Thank you, Igor, for chime-in/participating! :-)

Zoran

_______

On Thu, Nov 30, 2017 at 6:54 PM, Enrico Weigelt, metux IT consult <info@metux.net> wrote:

On 30.11.2017 07:40, Zoran Stojsavljevic wrote:

You can fully use UEFI BIOS without any signatures. With so-called slim TXE engine.

Can we completely replace UEFI w/o any signatures ?

And what about ME ? I've read that the cpu itself verifies the
signature of ME firmware, so we cant completely replace it.
If it would be possible to read out the privkey or burn in another
one, that blockade would be fallen.

--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287