On Wed, Nov 30, 2016 at 09:01:10PM -0500, Jean-Philippe Ouellet wrote:
> On Wed, Nov 30, 2016 at 5:25 PM, Trammell Hudson <[email protected]> wrote:
> > It works for Skylake without Bootguard, such as the Chell Chromebook.
> > I haven't tested on other systems.
>
> Does "without bootguard" mean "without bootguard enabled" or "without
> bootguard feature present"?
To the best of my knowledge, all Skylake CPUs have bootguard support, but not all OEMs set the ME fuse bits for a bootguard profile before exiting ME manufacturing mode. There are five defined profiles in the fitc tool, shown in this screenshot: https://twitter.com/qrs/status/786697104488030210

The T450 and T550 Thinkpads that I've looked at use profile 4, which forces the bootguard ACM to run and refuses to start if the hashes/signature do not match. This Verified Boot mode is the one that is hostile to user freedom since it prevents coreboot from being installed.

Ideally OEMs would use FME, which would force the signed ACM to run, measure the bootblock and protect the BIOS environment (by copying the bootblock into the i-cache). While the ACM is provided by Intel and not open source, it is at least auditable and can be included in the measurements of the state. I haven't seen any systems that use this Measured Boot mode.

The Chell Chromebook has profile 0, which does not force the ACM nor does it measure the boot. This is good for user freedom, not great for the platform security.

-- 
Trammell

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161201034308.GW12784%40chishio.swcp.com.
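The question in the thread (Boot Guard feature present vs. Boot Guard policy actually enforced) can be answered on a running machine without opening the flash: the ACM/microcode publish the outcome of the reset-time policy in MSR 0x13A (BOOT_GUARD_SACM_INFO). The script below is an added example, not code from the original thread or from Trammell's project. The bit layout is assumed from the public coreboot and chipsec register definitions and should be checked against your platform's documentation; the fuse profile number itself lives in the PCH and is not exposed by this MSR, only its effect (verified and/or measured enforcement, or neither). Reading the MSR needs root and the `msr` kernel module on Linux (`modprobe msr`).

```python
"""Decode MSR 0x13A (BOOT_GUARD_SACM_INFO) to see which Boot Guard mode
a Skylake-class machine is actually running in.

Assumed example; bit positions follow the coreboot/chipsec definitions
(MSR_BOOT_GUARD_SACM_INFO) and are not taken from the original thread.
"""
import struct

MSR_BOOT_GUARD_SACM_INFO = 0x13A

# Bit positions (assumed from coreboot/chipsec register definitions).
BIT_NEM_ENABLED = 0       # ACM set up no-evict mode (bootblock held in cache)
TPM_TYPE_SHIFT = 1        # 2-bit field: TPM the ACM found (per chipsec:
TPM_TYPE_MASK = 0x3       # 0 none, 1 dTPM 1.2, 2 dTPM 2.0, 3 PTT/fTPM)
BIT_TPM_SUCCESS = 3       # ACM extended measurements into that TPM
BIT_FORCE_ANCHOR = 4      # fuses forced the ACM to run ("force anchor boot")
BIT_MEASURED = 5          # Measured Boot policy was active
BIT_VERIFIED = 6          # Verified Boot policy was active
BIT_REVOKED = 7           # ACM / key manifest / boot policy manifest revoked
BIT_CAPABILITY = 32       # CPU+PCH report Boot Guard capability at all


def decode_sacm_info(value):
    """Split the 64-bit MSR value into named fields."""
    bit = lambda n: bool((value >> n) & 1)
    return {
        "capable": bit(BIT_CAPABILITY),
        "nem_enabled": bit(BIT_NEM_ENABLED),
        "tpm_type": (value >> TPM_TYPE_SHIFT) & TPM_TYPE_MASK,
        "tpm_success": bit(BIT_TPM_SUCCESS),
        "force_anchor": bit(BIT_FORCE_ANCHOR),
        "measured": bit(BIT_MEASURED),
        "verified": bit(BIT_VERIFIED),
        "revoked": bit(BIT_REVOKED),
    }


def classify(value):
    """Map the MSR fields onto the modes discussed in the thread."""
    f = decode_sacm_info(value)
    if not f["capable"]:
        return "no-bootguard"          # CPU/PCH do not report the feature
    if f["verified"] and f["measured"]:
        return "verified+measured"     # ACM enforces signatures and extends TPM
    if f["verified"]:
        return "verified"              # profile-4-like: unsigned IBB will not boot
    if f["measured"]:
        return "measured"              # ACM measures the bootblock, does not block it
    return "capable-not-enforced"      # profile-0-like: feature present, no policy


def read_msr(addr, cpu=0):
    """Read one MSR via the Linux msr driver (root + `modprobe msr`)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb") as fh:
        fh.seek(addr)
        return struct.unpack("<Q", fh.read(8))[0]


if __name__ == "__main__":
    try:
        raw = read_msr(MSR_BOOT_GUARD_SACM_INFO)
    except OSError as err:   # EIO if the CPU lacks the MSR, EACCES without root
        raise SystemExit(f"cannot read MSR 0x13A: {err}")
    print(f"BOOT_GUARD_SACM_INFO = 0x{raw:016x}")
    for name, val in decode_sacm_info(raw).items():
        print(f"  {name:13} {val}")
    print("mode:", classify(raw))
```

On a Chell-style profile-0 machine the expected reading is the capability bit set with the verified and measured bits clear; on a Thinkpad fused for profile 4 the verified bit (and usually force-anchor and NEM) should be set. Treat the output as a consistency check against what the flash descriptor and FIT tool show, not as a replacement for them, since the MSR is written by firmware the platform vendor controls.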
