UEFI bootkit

jdow jdow at earthlink.net
Thu Sep 20 12:24:13 UTC 2012


On 2012/09/20 04:45, Matthew Miller wrote:
> On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:
>> That is why I like my unique to the machine key that is supplied to the
>> user along with the board serial number. So he can make changes. But the
>> changes for his system cannot affect other systems. That would make
>> custom signed Linux kernels possible for a person testing kernel builds
>> or compiling in obscure filesystems, such as I do from time to time.
>
> You will be able to do this -- at least, on x86. Some lobbying on the ARM
> front is needed.
>
> It won't be a key that's supplied to the user, though. The user will be able
> to add their own.

As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}

