From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail.postadigitale.org (mail.postadigitale.org [144.76.163.238]) by mx.groups.io with SMTP id smtpd.web08.1952.1665085043501388607 for ; Thu, 06 Oct 2022 12:37:24 -0700
Authentication-Results: mx.groups.io; dkim=pass header.i=@postadigitale.de header.s=20180517 header.b=mmLacOf1; spf=pass (domain: postadigitale.de, ip: 144.76.163.238, mailfrom: simon.brand@postadigitale.de)
Received: from hostpad (p200300E4eF14Bb00Cd44aE579e46a63E.dip0.t-ipconnect.de [IPv6:2003:e4:ef14:bb00:cd44:ae57:9e46:a63e]) by mail.postadigitale.org (Postfix) with ESMTPSA id AB26D19E80 for ; Thu, 6 Oct 2022 21:37:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=postadigitale.de; s=20180517; t=1665085040;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type;
	bh=Ib9FYyikDRQW+voanFo85XwEU/shCe/RQPIuQnlzVyY=;
	b=mmLacOf1oGVfeKJhsdVMdFYu56GiTScDAAAB+P+U1yMNIiNJEPB4B4o8pwfOAnKYPsAyp1 0KtEYwSSJGaskMZ0ujJL1KxzyxD/vMg4HY6+3fQGQkrot+Gss0gyaMzR0Stkn03daoKVRG pOOP57M/vsT6U54inr875Z5vWNE4Nlk=
Date: Thu, 6 Oct 2022 19:37:18 +0000
From: "Simon Brand"
To: devel@edk2.groups.io
Subject: Show platform-key fingerprint when secure boot is enabled
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello,

when secure boot is enabled and a custom platform-key is used, please show the fingerprint of the platform-key in the UEFI interface and on the POST screen. This way a user can really verify that only their signed EFI executables get booted/executed. (And nobody tampered with the device keys/disk.)

For the POST screen, it would be nice to pause execution with a specific key so people have time to verify the hash.

Android smartphones have had this feature for several years [0], but I am not talking about a big yellow warning, just the hash as information.

Please keep in mind that the screenshots are not fully up-to-date; devices show not only the first 8 digits, but the full root of trust hash, for a few months now. [1]

The reference source code is available here: [2]

Best and thanks,
Simon
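The fingerprint the request asks for would be derived from the contents of the PK variable, which the UEFI specification stores as a chain of EFI_SIGNATURE_LIST structures, each carrying one or more EFI_SIGNATURE_DATA entries (a 16-byte SignatureOwner GUID followed by, for EFI_CERT_X509_GUID lists, the DER-encoded certificate). The following is an added example, not code from the e-mail or from EDK II: it parses such a blob and prints a SHA-256 fingerprint of each X.509 platform key it finds, in the colon-separated form a user could compare against a firmware screen. The sample variable contents, the certificate bytes (a placeholder, not a real certificate) and the owner GUID are constructed here for illustration; the 4-byte attribute prefix is the one Linux efivarfs prepends when reading a variable such as /sys/firmware/efi/efivars/PK-*.

```python
import hashlib
import struct
import uuid

# Signature type GUID for X.509 certificates in an EFI_SIGNATURE_LIST (from the UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
SIGLIST_HEADER_LEN = 16 + 12


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; the fingerprint is the hash of the raw DER certificate."""
    return hashlib.sha256(data).hexdigest()


def parse_signature_lists(blob: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LISTs and return (sig_type, owner, data) tuples.

    Every size field is checked against the buffer before it is used, so a
    truncated or inconsistent variable raises ValueError instead of reading past the end.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        body = off + SIGLIST_HEADER_LEN + hdr_size
        if list_size < SIGLIST_HEADER_LEN + hdr_size or end > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds buffer")
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus SignatureSize-16 bytes of data.
        if sig_size < 16 or (end - body) % sig_size != 0:
            raise ValueError("inconsistent SignatureSize")
        for s in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            entries.append((sig_type, owner, blob[s + 16:s + sig_size]))
        off = end
    return entries


def pk_fingerprints(var_bytes: bytes, efivarfs: bool = True) -> list:
    """Return SHA-256 hex fingerprints of every X.509 certificate in a PK variable.

    efivarfs=True strips the 4-byte attribute word that the Linux efivarfs
    interface places in front of the variable data.
    """
    blob = var_bytes[4:] if efivarfs else var_bytes
    return [sha256_hex(data) for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID]


def format_fingerprint(hexdigest: str) -> str:
    """Render 'aabb...' as 'AA:BB:...' for side-by-side comparison with a firmware screen."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, data: bytes) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single signature (no signature header)."""
    sig_size = 16 + len(data)
    list_size = SIGLIST_HEADER_LEN + sig_size
    return sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size) + owner.bytes_le + data


# Constructed sample: NOT a real certificate, just bytes standing in for the DER of a custom PK.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-CERTIFICATE"
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
# Attribute word as efivarfs would show for PK: NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE = 0x27.
SAMPLE_PK_VAR = struct.pack("<I", 0x27) + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, FAKE_CERT_DER)

if __name__ == "__main__":
    for fp in pk_fingerprints(SAMPLE_PK_VAR):
        print("PK SHA-256:", format_fingerprint(fp))
```

On a real system the same function would be applied to the bytes read from the PK variable; a firmware that displays the fingerprint and a user who recomputes it from an exported copy of the variable should arrive at the same string, which is the comparison the e-mail asks to make possible.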