
Review Bootguard section stating only librems come with unfused keys, refer to vendors page, refer to leaked MSI bootguard private key

Open tlaurion opened this issue 11 months ago • 3 comments

From https://osresearch.net/Keys/#management-engine-and-bootguard-acm-fuses :

The x230 Thinkpads do not support bootguard and only the Librem laptops ship with unfused keys.

This is not true anymore, and has not been for a little while: NovaCustom buys Clevo laptops in bulk with unfused Boot Guard. See the reviewed https://osresearch.net/Vendors/ page.

tlaurion avatar Jan 30 '25 14:01 tlaurion

Also point to this community effort https://github.com/felixsinger/bootguard-status

tlaurion avatar Jan 30 '25 15:01 tlaurion
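The quickest way to tell whether a given machine is one of the "unfused" ones the thread is talking about is to read Intel's BOOT_GUARD_SACM_INFO MSR (0x13A), which the Boot Guard ACM populates at reset. The decoder below is an added example, not code from this issue, the Heads wiki, or the bootguard-status project; the bit positions follow the field names used by chipsec and coreboot's intelmetool (NEM enabled, TPM type, TPM success, force anchor boot, measured boot, verified boot, revoked, and a capability bit at 32) and should be treated as an assumption to verify against your platform's documentation. The two sample MSR values are constructed for illustration.

```python
#!/usr/bin/env python3
"""Decode Intel MSR 0x13A (BOOT_GUARD_SACM_INFO) to report whether Boot Guard
verified and/or measured boot is enforced, i.e. whether the OEM key hash has
been burned into the PCH field-programmable fuses.

Added example; the bit layout below is assumed from chipsec/intelmetool field
names and must be checked against the vendor documentation for your CPU.
"""
import os
import struct

BOOT_GUARD_SACM_INFO = 0x13A

# name -> (bit offset, field width).  ASSUMPTION: matches chipsec/intelmetool.
FIELDS = {
    "nem_enabled": (0, 1),        # No-Evict Mode (cache-as-RAM) set up by the ACM
    "tpm_type": (1, 3),           # raw TPM type code as reported by the ACM
    "tpm_success": (4, 1),        # ACM could talk to the TPM
    "force_anchor_boot": (5, 1),  # FACB: boot only from the anchored IBB
    "measured_boot": (6, 1),      # Boot Guard measured-boot profile active
    "verified_boot": (7, 1),      # Boot Guard verified-boot profile active
    "module_revoked": (8, 1),     # ACM/Key Manifest revocation hit
    "btg_capability": (32, 1),    # Boot Guard capable silicon (assumed label)
}


def decode_sacm_info(value: int) -> dict:
    """Split the raw 64-bit MSR value into the named fields above."""
    return {name: (value >> shift) & ((1 << width) - 1)
            for name, (shift, width) in FIELDS.items()}


def bootguard_profile(value: int) -> str:
    """Summarise what the MSR says about key fusing and enforcement."""
    f = decode_sacm_info(value)
    if f["verified_boot"] and f["measured_boot"]:
        return "verified+measured boot enforced (keys fused)"
    if f["verified_boot"]:
        return "verified boot enforced (keys fused)"
    if f["measured_boot"]:
        return "measured boot only (keys fused)"
    if f["btg_capability"]:
        return "Boot Guard capable but not enforcing (ACM ran without a profile)"
    return "Boot Guard not active (no profile reported; likely unfused)"


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read an MSR through the Linux msr driver (root and `modprobe msr`)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb") as fh:
        fh.seek(msr)
        return struct.unpack("<Q", fh.read(8))[0]


# Constructed sample values (not captured from real hardware):
SAMPLE_FUSED = 0x1_0000_00D1     # NEM, TPM ok, measured, verified, capable
SAMPLE_UNFUSED = 0x0             # nothing reported: no profile provisioned


def main() -> None:
    if os.path.exists(f"/dev/cpu/0/msr") and os.geteuid() == 0:
        value = read_msr(BOOT_GUARD_SACM_INFO)
        source = "live"
    else:
        value = SAMPLE_FUSED
        source = "sample"
    print(f"[{source}] MSR 0x13A = 0x{value:016x}")
    for name, bits in decode_sacm_info(value).items():
        print(f"  {name:18s} = {bits}")
    print("  ->", bootguard_profile(value))


if __name__ == "__main__":
    main()
```

A value of 0 on a Boot Guard-capable CPU is what you expect on the unfused Clevo/NovaCustom and Librem boards discussed here; a value with bit 7 set means the OEM hash is fused and only firmware signed with that OEM's key will run, which is exactly the key class that leaked from MSI.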

This key is stored in the on-die ROM of the ME and the ME will not start up if this signature does not match. An attacker who controls this key (highly unlikely) can subvert the Bootguard checks and the measured boot process.

Not unlikely; refer to the MSI Boot Guard key leak.

tlaurion avatar Jan 30 '25 15:01 tlaurion

This key is stored in the on-die ROM of the ME and the ME will not start up if this signature does not match. An attacker who controls this key (highly unlikely) can subvert the Bootguard checks and the measured boot process.

Not unlikely; refer to the MSI Boot Guard key leak:

https://sizeof.cat/post/leak-intel-private-keys-msi-firmware/

tlaurion avatar Jan 30 '25 15:01 tlaurion