Issue #417 has been reported by Simon Brand.
---------------------------------------- Feature #417: Show platform key on boot when secure boot is enabled https://ticket.coreboot.org/issues/417
* Author: Simon Brand * Status: New * Priority: Normal * Target version: none * Start date: 2022-10-02 * Related links: [0] https://source.android.com/docs/security/features/verifiedboot/boot-flow#loc... [1] https://issuetracker.google.com/issues/217720443 [2] https://source.codeaurora.org/quic/la/abl/tianocore/edk2/tree/QcomModulePkg/... * Affected hardware: All * Affected OS: All but Windows ---------------------------------------- I think it is useful to show the hash of the platform key, if a different platform key than default (Microsoft trusted Platform Key) is the current platform key and secure boot is enabled. It must be shown, before the operating system could have been started (to avoid the OS showing it with an older UEFI, which lacks this feature), also it makes sense to pause the screen, so you can verify the hash.
Why? To make sure the correct operation system is loading and nobody tampered the devices platform key and disk.
Android smartphones have this feature for several years. [0] Please keep in mind, that the screenshots are not fully up-to-date, devices show not only the first 8 digits, but the full root of trust hash since a few months. [1] The reference source code is available here: [2]
Issue #417 has been updated by Matt DeVillier.
secure boot? Do you mean Verified Boot?
coreboot does not implement UEFI secure Boot (as it's not UEFI) nor are any Microsoft keys present anywhere in a coreboot firmware image.
If this is related to UEFI secure boot, then the proper place for this feature would be in edk2, not coreboot.
---------------------------------------- Feature #417: Show platform key on boot when secure boot is enabled https://ticket.coreboot.org/issues/417#change-1098
* Author: Simon Brand * Status: New * Priority: Normal * Target version: none * Start date: 2022-10-02 * Related links: [0] https://source.android.com/docs/security/features/verifiedboot/boot-flow#loc... [1] https://issuetracker.google.com/issues/217720443 [2] https://source.codeaurora.org/quic/la/abl/tianocore/edk2/tree/QcomModulePkg/... * Affected hardware: All * Affected OS: All but Windows ---------------------------------------- I think it is useful to show the hash of the platform key, if a different platform key than default (Microsoft trusted Platform Key) is the current platform key and secure boot is enabled. It must be shown, before the operating system could have been started (to avoid the OS showing it with an older UEFI, which lacks this feature), also it makes sense to pause the screen, so you can verify the hash.
Why? To make sure the correct operation system is loading and nobody tampered the devices platform key and disk.
Android smartphones have this feature for several years. [0] Please keep in mind, that the screenshots are not fully up-to-date, devices show not only the first 8 digits, but the full root of trust hash since a few months. [1] The reference source code is available here: [2]
Issue #417 has been updated by Simon Brand.
@Matt DeVillier: Yes, thank you very much. I am referring to Verified Boot. I can't set the status to close, how can I close this then?
---------------------------------------- Feature #417: Show platform key on boot when secure boot is enabled https://ticket.coreboot.org/issues/417#change-1099
* Author: Simon Brand * Status: New * Priority: Normal * Target version: none * Start date: 2022-10-02 * Related links: [0] https://source.android.com/docs/security/features/verifiedboot/boot-flow#loc... [1] https://issuetracker.google.com/issues/217720443 [2] https://source.codeaurora.org/quic/la/abl/tianocore/edk2/tree/QcomModulePkg/... * Affected hardware: All * Affected OS: All but Windows ---------------------------------------- I think it is useful to show the hash of the platform key, if a different platform key than default (Microsoft trusted Platform Key) is the current platform key and secure boot is enabled. It must be shown, before the operating system could have been started (to avoid the OS showing it with an older UEFI, which lacks this feature), also it makes sense to pause the screen, so you can verify the hash.
Why? To make sure the correct operation system is loading and nobody tampered the devices platform key and disk.
Android smartphones have this feature for several years. [0] Please keep in mind, that the screenshots are not fully up-to-date, devices show not only the first 8 digits, but the full root of trust hash since a few months. [1] The reference source code is available here: [2]