Open macpijan opened 1 year ago
There are a few problems here:
@miczyg1 point 2 is not a problem, it is a very small challenge. What does vboot use locally to sign? What key format is supported? I would say almost any USB token could be used like an HSM.
It uses the key file stored on the filesystem under the configured path in the coreboot configuration, or the directory with keys passed to the signing script. Secondly, these keys use a different format; vboot utilities seem to wrap the RSA keys around their own structure.
The problem you're addressing (if any)
vboot keys are stored as plaintext files
Describe the solution you'd like
vboot keys are stored in an HSM (Hardware Security Module)
Where is the value to a user, and who might that user be?
keys are better protected and can be shared more securely
Describe alternatives you've considered
Additional context