8 Mar
2023
8 Mar
'23
18:20
Oliver Neukum wrote:
The whole point of SecureBoot is that unsigned stuff is untrusted to get unfiltered access to HW, let alone direct access. That in turn does mean that you cannot let unsigned stuff, which includes all of user space, define what parts of the HW are "harmless" No. The point of Secure Boot is not to protect kernel space from user space. It is to prevent an unapproved EFI binary from ANY sort of access to ANYTHING.
I can cryptographically sign TempleOS and be sure that once i turn on the computer, it has not been tampered with. But once the system is booted, i'm already on the other side of the airtight hatchway and should be free to shit over all the MSRs you can imagine (because TempleOS has no memory protection).