> Can we completely replace UEFI w/o any signatures ? You addressed the right crowd. Coreboot.
> And what about ME ? I've read that the cpu itself verifies the > signature of ME firmware, so we cant completely replace it. As I said/wrote, previously. And Igor confirms my thoughts: IgorS>> Yes, unless your PC uses Boot Guard (so far it's been only enabled in IgorS>> a small percentage of enterprise laptops because it ties together CPU and PCH - IgorS>> you can't replace one without having to replace the other). Without IgorS>> Boot Guard active, the CPU will execute whatever you place in the flash, and it's IgorS>> up to you whether to implement signing checks or not. Thank you, Igor, for chime-in/participating! :-) Zoran _______ On Thu, Nov 30, 2017 at 6:54 PM, Enrico Weigelt, metux IT consult < i...@metux.net> wrote: > On 30.11.2017 07:40, Zoran Stojsavljevic wrote: > > You can fully use UEFI BIOS without any signatures. With so-called slim >> TXE engine. >> > > Can we completely replace UEFI w/o any signatures ? > > And what about ME ? I've read that the cpu itself verifies the > signature of ME firmware, so we cant completely replace it. > If it would be possible to read out the privkey or burn in another > one, that blockade would be fallen. > > > > --mtx > > -- > Enrico Weigelt, metux IT consult > Free software and Linux embedded engineering > i...@metux.net -- +49-151-27565287 >
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot