Hi Tobias, Tobias Wegner wrote: > 'badusb' > One of our main security targets is to stop boot sector attacks.
Then use a payload which ignores MBR, such as FILO, Linux or GRUB. Almost anything except SeaBIOS. Given your focus on USB, a Linux payload with custom initramfs is especially interesting. Then you can do this as part of the boot process: for bus in /sys/bus/usb/devices/usb*; do echo 0 > $bus/authorized_default; done And of course use standard utilities both to interact with TPM if you like, and to check signatures of follow-up code executed after the initramfs. //Peter -- coreboot mailing list: [email protected] https://www.coreboot.org/mailman/listinfo/coreboot
