oom-is / sedutil

DTA sedutil Self encrypting drive software

Future Enh: Secure Boot support - select one or more options #7

Open oom-is opened 4 years ago

oom-is commented 4 years ago

There are several ways to support Secure Boot; one path would be to switch to GRUB2 for the PBA bootloader but that potentially opens up additional "hard to explain/perceived" attack surface and would increase the size/complexity of the PBA image.

What's the best way to support Secure Boot with minimal changes? (See DTA #181 and DTA #301 for previous discussion.) A signed PBA image which could have appropriate keys/certs/trust anchors added to a v2.0 TPM seems the least painful - see DTA #259 for details on that approach.

OliverO2 commented 4 years ago

See here for an easy-to-use secure boot PBA implementation based on sedutil using Grub 2: https://github.com/Drive-Trust-Alliance/sedutil/issues/301#issuecomment-555552669