> So for "everyone can fiddle with the bits", that would require to run a modified bootloader first. Which should not be possible thanks to secure boot.
Can't the bootloader be signed with MOK (machine owner key ?) that may allow this to work ? (Phys access required, no doubt)
Alternatively if the bootloader doesn't load microcode, just prevent the OS from loading microcode and the system will be in the attackable state ?
Can't the bootloader be signed with MOK (machine owner key ?) that may allow this to work ? (Phys access required, no doubt)
Alternatively if the bootloader doesn't load microcode, just prevent the OS from loading microcode and the system will be in the attackable state ?