public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* Show platform-key fingerprint when secure boot is enabled
@ 2022-10-06 19:37 Simon Brand
  0 siblings, 0 replies; only message in thread
From: Simon Brand @ 2022-10-06 19:37 UTC (permalink / raw)
  To: devel

Hello,

when secure boot is enabled and a custom platform-key is used, please
show the fingerprint of the platform-key in the UEFI interface and on
the POST screen.
This way a user can really verify, that only their signed EFI executables
gets booted/executed. (And nobody tampered the device keys/disk)
For the POST screen, it would be nice to pause execution with a specfic
key so people have time to verify the hash.

Android smartphones have this feature for several years [0], but I am not
talking about a big yellow warning, just the hash as a information.
Please keep in mind, that the screenshots are not fully up-to-date, devices
show not only the first 8 digits, but the full root of trust hash since a
few months. [1]
The reference source code is available here: [2]

Best and thanks,
Simon

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2022-10-06 19:37 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-06 19:37 Show platform-key fingerprint when secure boot is enabled Simon Brand

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox