>> The hard part is initializing the hardware without the use of the
>> original BIOS - the specifics of initializing various chips are not
>> public, and probably depend on companion hardware and/or trace length
>> on the particular board as well.

> It's not actually needed. If one can nop the TPM code in the BIOS, then he can
> boot from anything and read the TPM keys. You don't need to understand the
> whole BIOS to do it. Of course it's obfuscated, but obfuscation isn't
> security in any way. Also, if you write completely different code to
> flash the BIOS, you don't need to be able to initialise the whole hardware;
> all you need is to be able to read the TPM and write to the serial port. Then
> you can simply read the key at your serial console. Actually, the BIOS isn't
> protected. It's just obfuscated.

It won't work. The BIOS itself is checksummed by the TPM. And the TPM by design gains control even _before_ the BIOS.
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel
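For readers following the argument above, here is a small model of the measured-boot mechanism the reply relies on: the firmware image is hashed into a PCR before it runs, and a key sealed to that PCR only unseals when the PCR still matches. This is an added illustration, not code from the thread or from GRUB; the storage root key, the firmware images and the sealing format are constructed for the example, and a real TPM's sealing is more involved than the HMAC-based wrapping used here.

```python
import hashlib
import hmac

PCR_LEN = 32  # one PCR in the SHA-256 bank

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM extend: new = H(old || H(measurement)). Software can only extend a PCR,
    # never set it, so the final value commits to every image measured so far.
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(stages):
    # The core root of trust measures each firmware stage into PCR0 before running it.
    pcr0 = bytes(PCR_LEN)
    for image in stages:
        pcr0 = pcr_extend(pcr0, image)
    return pcr0

def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(secret, pcr0, srk):
    # Seal to PCR0: the wrapping key is derived from the TPM-resident storage
    # root key (constructed here) and the PCR0 value the platform must show at unseal time.
    kek = hmac.new(srk, b"seal-to-pcr0" + pcr0, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, len(secret))))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return {"pcr0": pcr0, "ct": ct, "tag": tag}

def unseal(blob, current_pcr0, srk):
    # The secret is released only if PCR0 now equals the sealed value. Editing the
    # recorded pcr0 field does not help: the wrapping key is bound to it as well.
    if not hmac.compare_digest(blob["pcr0"], current_pcr0):
        return None
    kek = hmac.new(srk, b"seal-to-pcr0" + current_pcr0, hashlib.sha256).digest()
    if not hmac.compare_digest(blob["tag"], hmac.new(kek, blob["ct"], hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, len(blob["ct"]))))

# Constructed sample images: the second boot measures a BIOS whose TPM code was altered.
SRK = hashlib.sha256(b"constructed storage root key").digest()
SECRET = b"constructed disk encryption key"
GOOD_BOOT = [b"constructed CRTM", b"constructed BIOS image v1", b"constructed bootloader"]
PATCHED_BOOT = [GOOD_BOOT[0], b"constructed BIOS image v1, measurement code patched", GOOD_BOOT[2]]

if __name__ == "__main__":
    blob = seal(SECRET, measured_boot(GOOD_BOOT), SRK)
    print(unseal(blob, measured_boot(GOOD_BOOT), SRK))     # b'constructed disk encryption key'
    print(unseal(blob, measured_boot(PATCHED_BOOT), SRK))  # None
```

The point the model makes is that the altered BIOS never gets to decide whether it is measured: the measurement happens before it runs, so the sealed key stays sealed.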