지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago

What if #firmware gave you an interface to manage access tokens, just like OAuth?

For the owner, have some password/PIN/key (think WebAuthn or similar) mechanism.

There be an authenticated (!) API for the OS to provision/reconfigure.

On first boot, possibly offer a TOFU based scheme; i.e., the OS gets an initial token, and the end user can export it, use it to set a different trust anchor, have the OS signed and store its keys, etc..

It's really not easy, but definitely possible, right?

Show threadRaito Bezarius2d ago
@CyReVolt modern BIOS already offers a certificate based authentication mechanism fwiw
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt2d ago
@raito Does it offer taking *full* (not late, like UEFI!) platform ownership transfer? That is what I'm after.
Show thread지지 ᚠᚱᛖᛃᚨ Daniel 黄法官 CyReVolt
@raito I do not want to have third party PKI based stuff. I want to have verified boot from the very start, and an interface to provision my own keys for my own signed firmware.
Apr 8 at 10:46amWeb