Feature #417
openShow platform key on boot when secure boot is enabled
0%
Description
I think it is useful to show the hash of the platform key, if a different platform key than default (Microsoft trusted Platform Key) is the current platform key and secure boot is enabled. It must be shown, before the operating system could have been started (to avoid the OS showing it with an older UEFI, which lacks this feature), also it makes sense to pause the screen, so you can verify the hash.
Why?
To make sure the correct operation system is loading and nobody tampered the devices platform key and disk.
Android smartphones have this feature for several years. [0]
Please keep in mind, that the screenshots are not fully up-to-date, devices show not only the first 8 digits, but the full root of trust hash since a few months. [1]
The reference source code is available here: [2]
Related links
[0] https://source.android.com/docs/security/features/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust
[1] https://issuetracker.google.com/issues/217720443
[2] https://source.codeaurora.org/quic/la/abl/tianocore/edk2/tree/QcomModulePkg/Library/BootLib/VerifiedBootMenu.c?h=LA.UM.8.9.1.r1-03800-QCS610.0&id=8e06dfd3ceeb323546d330e918d19c542d2daee2#n340
Updated by Matt DeVillier over 1 year ago
secure boot? Do you mean Verified Boot?
coreboot does not implement UEFI secure Boot (as it's not UEFI) nor are any Microsoft keys present anywhere in a coreboot firmware image.
If this is related to UEFI secure boot, then the proper place for this feature would be in edk2, not coreboot.
Updated by Simon Brand over 1 year ago
@Matt DeVillier: Yes, thank you very much. I am referring to Verified Boot. I can't set the status to close, how can I close this then?