Garrett: Producing a trustworthy x86-based Linux appliance
Matthew Garrett has written up the long, complex series of steps required to build an x86 device that only boots code that the creator wants to run there. "At this point everything in the boot process is cryptographically verified, and so should be difficult to tamper with. Unfortunately this isn't really sufficient - on x86 systems there's typically no verification of the integrity of the secure boot database. An attacker with physical access to the system could attach a programmer directly to the firmware flash and rewrite the secure boot database to include keys they control. They could then replace the boot image with one that they've signed, and the machine would happily boot code that the attacker controlled. We need to be able to demonstrate that the system booted using the correct secure boot keys, and the only way we can do that is to use the TPM."
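An added illustration (not code from Garrett's post or from LWN): a simplified Python model of why measuring the secure boot variables into a TPM PCR makes a rewritten database detectable. The variable contents, helper names and event encoding are constructed assumptions; real firmware records these measurements in PCR 7 using the event structure defined by the TCG specification.

```python
import hashlib
import hmac

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA256(old PCR || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def replay(variables) -> bytes:
    """Fold each secure boot variable into the PCR in firmware order."""
    pcr = bytes(32)  # PCR starts as all zeroes after a platform reset
    for name, data in variables:
        # Assumed, simplified event encoding: name, data length, data.
        event = name.encode("utf-16-le") + len(data).to_bytes(8, "little") + data
        pcr = extend(pcr, event)
    return pcr

def with_db(variables, new_db: bytes):
    """Return a copy of the variable list with the 'db' contents replaced."""
    return [(n, new_db if n == "db" else d) for n, d in variables]

def booted_with_expected_keys(reported: bytes, expected: bytes) -> bool:
    """Verifier-side check of the reported PCR against the known-good value."""
    return hmac.compare_digest(reported, expected)

# Constructed sample variable contents (placeholders, not real key material).
VENDOR_VARS = [
    ("SecureBoot", b"\x01"),
    ("PK", b"constructed-vendor-platform-key"),
    ("KEK", b"constructed-vendor-kek"),
    ("db", b"constructed-vendor-signing-cert"),
    ("dbx", b""),
]
EXPECTED = replay(VENDOR_VARS)  # computed once, at provisioning time

# The scenario from the quote: db rewritten in flash to hold an extra key.
TAMPERED = replay(with_db(VENDOR_VARS,
                          b"constructed-vendor-signing-cert" + b"constructed-extra-cert"))

if __name__ == "__main__":
    print("expected :", EXPECTED.hex())
    print("tampered :", TAMPERED.hex())
    print("untouched unit passes:", booted_with_expected_keys(replay(VENDOR_VARS), EXPECTED))
    print("rewritten db passes  :", booted_with_expected_keys(TAMPERED, EXPECTED))
```

In a real deployment the PCR value is not compared by code running on the same machine: it arrives in a quote signed by the TPM, or it gates the release of a secret sealed to that value.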