Julius Werner is a firmware developer for Google's Chrome OS and has been responsible for the firmware of most Arm-based Chromebooks. He also acts as maintainer of the arm and arm64 architectures and several related SoCs for the coreboot project.
In this lightning talk I will present a draft proposal for new firmware verification infrastructure in coreboot that has been circulating between Google and Intel. Unlike the existing all-or-nothing one-shot verification, this proposal will hash each CBFS file individually and verify it at time of use. It also contains a plan to move the root of trust into the bootblock and verify every stage from there on out, so that we can tie it to an SoC hardware verification scheme like BootGuard.
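A simplified model of per-file, time-of-use verification, added here as an illustration; it is not code from the talk or from coreboot. The hash-table layout, the `Loader` class, the single anchor hash stored in the bootblock and the file names are all assumptions made for the example.

```python
import hashlib
import hmac

class VerificationError(Exception):
    """Raised when flash contents do not match the trusted hashes."""

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def serialize(metadata: dict) -> bytes:
    # Fixed-length digests keep the encoding unambiguous (names contain no NUL).
    return b"".join(n.encode() + b"\0" + h for n, h in sorted(metadata.items()))

def build(files: dict) -> tuple:
    """Build time: hash every file; the anchor over the table goes in the bootblock."""
    metadata = {name: sha256(body) for name, body in files.items()}
    return metadata, sha256(serialize(metadata))

class Loader:
    """Models code running from the bootblock onward (assumed already trusted)."""
    def __init__(self, anchor: bytes, metadata: dict, flash: dict):
        # The per-file hash table is itself checked against the bootblock anchor.
        if not hmac.compare_digest(sha256(serialize(metadata)), anchor):
            raise VerificationError("hash table does not match bootblock anchor")
        self.metadata, self.flash, self.hashed = metadata, flash, []

    def load(self, name: str) -> bytes:
        body = self.flash[name]
        if not hmac.compare_digest(sha256(body), self.metadata[name]):
            raise VerificationError(f"{name}: hash mismatch")
        self.hashed.append(name)  # only files that are actually used get hashed
        return body

def demo() -> list:
    # Constructed sample image; names and contents are illustrative only.
    files = {"romstage": b"R" * 64, "ramstage": b"M" * 64, "payload": b"P" * 64}
    metadata, anchor = build(files)
    flash = dict(files, payload=b"P" * 63 + b"X")  # modified after build
    loader = Loader(anchor, metadata, flash)
    results = []
    for name in ("romstage", "ramstage", "payload"):
        try:
            loader.load(name)
            results.append((name, "ok"))
        except VerificationError:
            results.append((name, "rejected"))
    return results

if __name__ == "__main__":
    print(demo())
```

In this model a modified file is rejected at the moment it is loaded, and files that are never loaded are never hashed, which is the contrast with one-shot verification of the whole image.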