The future of firmware verification in coreboot


In this lightning talk I will present a draft proposal for new firmware verification infrastructure in coreboot that has been circulating between Google and Intel. Unlike the existing all-or-nothing one-shot verification, this proposal will hash each CBFS file individually and verify them at time of use. It also contains a plan to move the root of trust into the bootblock and verify every stage from there on out, so that we can tie it to an SoC hardware verification scheme like BootGuard.