undefined | Better HN

0 pointsmjg599mo ago0 comments

> Secure boot requires that the bootloader match a hash derived from a TPM-stored key.

This isn't even slightly accurate. Secure boot does not rely on TPM keys on any way.

0 comments

Huh, I don't know why I thought it did. Looking into the link below briefly I see it uses a PKI scheme with CAs.

https://learn.microsoft.com/en-us/windows-hardware/manufactu...

So I guess if you provide a key for the bootloader, the firmware will sign it when it's in setup mode? I guess that private key is embedded directly in the firmware then? I presume that's made invisible once control is handed to the bootloader somehow ...

mjg59OP9mo ago

No, the firmware never has any private keys. You sign offline with a private key and provide the public key to the firmware. All further bootloader updates are signed with the same key and require no additional firmware configuration.

j / k navigate · click thread line to collapse