지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt

What if #firmware gave you an interface to manage access tokens, just like OAuth?

For the owner, have some password/PIN/key (think WebAuthn or similar) mechanism.

There be an authenticated (!) API for the OS to provision/reconfigure.

On first boot, possibly offer a TOFU based scheme; i.e., the OS gets an initial token, and the end user can export it, use it to set a different trust anchor, have the OS signed and store its keys, etc..

It's really not easy, but definitely possible, right?

Apr 8 at 9:43amWeb
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago

cross ref for discussion/notes

https://github.com/platform-system-interface/psi-spec/issues/45

ownership and security · Issue #45 · platform-system-interface/psi-spec

Create an interface to manage access tokens, just like OAuth. For the owner, have some password/PIN/key (think WebAuthn or similar) mechanism. There be an authenticated (!) API for the OS to provis...

GitHub
Show threadRaito Bezarius2d ago
@CyReVolt modern BIOS already offers a certificate based authentication mechanism fwiw
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago
@raito Does it offer taking *full* (not late, like UEFI!) platform ownership transfer? That is what I'm after.
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago
@raito I do not want to have third party PKI based stuff. I want to have verified boot from the very start, and an interface to provision my own keys for my own signed firmware.
Show threadRaito Bezarius2d ago
@CyReVolt indeed, no
Show threadFranzT2d ago
@CyReVolt Das kommt langsam, aber warscheinlich zusammen mit Firmware signierung. Also ohne möglichkeit für custom Firmwares. Mir währe unsicher lieber. Und wie ist der umgang mit allen, die den initialen sicherheitstoken verloren haben?
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago

@franzt Reset-Button/-Jumper wie bei den jetzigen Password Resets per Jumper. Dann wieder TOFU.

Ich will ja, dass meine Firmware signiert ist und mir einen Mechanismus bietet, neue Keys dafür zu provisionieren, so dass ich selbst signierte Firmware ausrollen kann.

Show threadhaui ☭ 🇵🇸2d ago
@CyReVolt
Schlau! Also wenn jemand den jumper betätigt sind logischerweise die entschlüsselungskeys weg und alte daten nur noch vom besitzer eines evtl backups lesbar. Klingt gut!
@franzt