In reading the WPBT document from MS I think I see another problem; namely that the WPBT table can contain a 'command line' which is not signed (only checksum of table). So on the assumption that you can insert the table into ACPI list that the BIOS present to OS (maybe with a flashed PCI perpheral), you could use a 'borrowed' signed app and control it with the command line. I'd be interested in analysing the WPBT table or Lenovo's autochk/wpbbin exes. Simon.
