> Are there any downsides though? For example, would resume from > hibernation still work for such a setup?
It should work with hibernation without any problems, but i did not test this extensively. > > More so, for the less knowledgeable of us, how does this relate to > UEFI's "Secure Boot"? I can only hope OpenBSD will support it some > day, at least for amd64. Debian has implemented it for the last major > release, Debian 10. Secure Boot as defined by the UEFI specification works with cryptographic signatures instead of just measuring. Meaning there is also a Chain in which every component has to verify the Signature of the next one. The downside of this approach is, that in order to verify any signature, you need some keys that you trust. If your name is Microsoft, than you can get every vendor to include your keys inside the firmware and your bootloader can be verified. This is obviously very convenient for the user. If you are not Microsoft and your signature key is not included in the firmware, than users have to sign the boot components manually and add their keys to the firmware. To sum it up. I think that SecureBoot was the right choice for Microsoft but for FOSS the TPM approach is less hassle for the user. Also measuring can not only be done for the executable itself, but also for the data it uses. That way buffer overflow attacks can also be detected. The signature based approach can not do that. In the next few days i will write a email to misc containing a small manual and all the source code. Best Regards Julius