Feature #417
openShow platform key on boot when secure boot is enabled
0%
Description
I think it is useful to show the hash of the platform key, if a different platform key than default (Microsoft trusted Platform Key) is the current platform key and secure boot is enabled. It must be shown, before the operating system could have been started (to avoid the OS showing it with an older UEFI, which lacks this feature), also it makes sense to pause the screen, so you can verify the hash.
Why?
To make sure the correct operation system is loading and nobody tampered the devices platform key and disk.
Android smartphones have this feature for several years. [0]
Please keep in mind, that the screenshots are not fully up-to-date, devices show not only the first 8 digits, but the full root of trust hash since a few months. [1]
The reference source code is available here: [2]
Related links
[0] https://source.android.com/docs/security/features/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust
[1] https://issuetracker.google.com/issues/217720443
[2] https://source.codeaurora.org/quic/la/abl/tianocore/edk2/tree/QcomModulePkg/Library/BootLib/VerifiedBootMenu.c?h=LA.UM.8.9.1.r1-03800-QCS610.0&id=8e06dfd3ceeb323546d330e918d19c542d2daee2#n340