> You have a fair chance of protecting via physical means (Locked rooms, > Background checks on users etc.) of preventing a user with malicious intent > to access the local machine. So called "secure boot" doesn't deal with any kind of physical access, which also means its useless if a device is lost and returned and you don't know if it was in the hands of a third party. > The first thing a computer does when switched on is run its first code > instructions. Commonly referred to as the BIOS. A good deal more complicated than that. However the signing in hardware and early boot up on a lot of devices already goes as far as the BIOS if the system has BIOS or EFI if it doesn't. You also have all the devices to deal with. > Normally digital signatures would examine the binary, ensure the signature > matches, and then run the code contained in it. No - it's a good deal more complicated than that too. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
