On Mon, Feb 17, 2020 at 11:13:27AM +0100, Julius Zint wrote:
I recently finished my masterthesis that solves this problem by including
the Trusted Platform Module (TPM) in the bootprocess of OpenBSD.
It extends the Chain of Trust up to boot(8) and allows you to seal a
secret of your choice to the platform state.
To check wether the unencrypted bootcomponents got tampered with, you
can unseal and verify the secret to ensure that the contents of the
MBR, PBR and boot(8) are unchanged.
it is not exactly the solution you were looking for but it should solves
the problem that you describe. Does this sound like something you were
willing to try and does your machine have a TPM 1.2 Chip?
That sounds absolutely fascinating. Are you familiar with the Heads
firmware? How is your approach different?
I'm not really in a position to reflash my machine but I would still be
curious for details.