Canoeboot released, a variant of the Libreboot distribution that meets the Free Software Foundation's requirements
Message from Anonymous (-), 01-Nov-23, 11:49
> Using a custom microcontroller with read-only ROM in place of the BIOS
> flash chip could potentially provide some extra protection against bootkit attacks
> for an open source BIOS like Libreboot:

I'd prefer to have an upgrade path to be able to fix Libreboot, "just in case". The difference is: it's me who would act as the "machine owner" and everyone else would be locked out.

> Since the Libreboot BIOS code is in masked
> ROM, it cannot be overwritten by malware trying to infect the BIOS.

It doesn't have to be masked ROM: if the MCU firmware refuses to cooperate, the BIOS upgrade is going to fail. The firmware could only agree to an update on, e.g., proof of physical presence. Or on some special action, like a specialized key exchange or "master password" auth.

> Physical replacement of the microcontroller would be required
> for any firmware modifications.

That's how, or why, the secure boot concept appeared...

> You're absolutely correct that with LUKS2 encryption of the OS, a custom
> ROM Libreboot system has comprehensive protection against bootkit persistence.

... the rest of the stuff about LUKS is "implementation details". In the end, trusted firmware can verify its next stages; that's only one of the possible ways.
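The write-gating idea in the comment above (an MCU in front of the flash that only accepts an update on proof of physical presence plus an owner credential), as an added illustrative model that is not part of the original post and not code from Libreboot or Canoeboot. It is a host-side simulation in C: `flash_image`, `set_physical_presence`, `flash_update` and the constructed `owner_secret` are all hypothetical names, and the presence flag stands in for a jumper or button the real MCU would read from a GPIO. A real design would store a hash of the credential or use a key exchange rather than a plaintext secret; the point shown is the policy order, not the credential format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated BIOS flash managed by the gatekeeper MCU (constructed, tiny). */
#define FLASH_SIZE 16
static uint8_t flash_image[FLASH_SIZE];

/* Stands in for a physical presence input (jumper/button) read by the MCU.
 * Host software, including a bootkit, has no way to assert it. */
static bool physical_presence_asserted = false;

/* Constructed, hypothetical owner credential held by the MCU firmware. */
static const uint8_t owner_secret[] = "example-owner-secret";

enum update_result {
    UPDATE_OK,
    UPDATE_DENIED_NO_PRESENCE,
    UPDATE_DENIED_BAD_AUTH,
    UPDATE_DENIED_BAD_SIZE
};

/* Constant-time comparison so a wrong credential does not leak timing. */
static int ct_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    if (alen != blen) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < alen; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called by the MCU when it samples the presence input. */
void set_physical_presence(bool present) { physical_presence_asserted = present; }

/* The gate: every check must pass before a single byte of flash changes. */
enum update_result flash_update(const uint8_t *image, size_t len,
                                const uint8_t *auth, size_t auth_len) {
    /* Policy 1: physical presence. Remote or in-OS malware cannot satisfy this. */
    if (!physical_presence_asserted) return UPDATE_DENIED_NO_PRESENCE;
    /* Policy 2: owner authentication (master password / key exchange stand-in). */
    if (!ct_equal(auth, auth_len, owner_secret, sizeof owner_secret - 1))
        return UPDATE_DENIED_BAD_AUTH;
    /* Policy 3: bounds check before touching the flash. */
    if (len > FLASH_SIZE) return UPDATE_DENIED_BAD_SIZE;

    memcpy(flash_image, image, len);
    memset(flash_image + len, 0xFF, FLASH_SIZE - len); /* erased state */
    /* Presence is consumed by one update; the next one needs a fresh press. */
    physical_presence_asserted = false;
    return UPDATE_OK;
}

/* Read path: the host may always read, it just cannot write without the gate. */
uint8_t flash_read(size_t off) { return off < FLASH_SIZE ? flash_image[off] : 0xFF; }

int main(void) {
    const uint8_t img[4] = {1, 2, 3, 4};
    const uint8_t *good = (const uint8_t *)"example-owner-secret";

    /* Attempt from software only: denied before any credential is examined. */
    printf("no presence -> %d\n", flash_update(img, 4, good, 20));
    set_physical_presence(true);
    printf("wrong auth  -> %d\n", flash_update(img, 4, (const uint8_t *)"wrong", 5));
    printf("owner       -> %d, byte[2]=%u\n", flash_update(img, 4, good, 20), flash_read(2));
    return 0;
}
```

The order matters: the presence check comes first, so a compromised OS cannot even reach the authentication step, and the credential comparison runs in constant time so repeated attempts do not leak anything through timing.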