
Firstly, the ME section is locked until a message is sent to the EC. Flashing firmware on a live system can be dangerous, more so on a laptop. Our flashing method has to take place in EFI.

Signing keys are fused into the CPU for boot guard when the CPU is attached to the motherboard during production, for soldered CPUs like the U and H class. Having a customer signing key would seriously complicate BIOS updates, as only one key can be utilized, meaning our firmware updates would not work.

It would also make returns much more difficult, as all CPUs with customer keys would have to be replaced.

Right now, boot guard is only used on the Galago and Lemur.
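A small model of the single-fused-key constraint described in the comment above, added here as an illustration and not code from the commenter or any vendor. It assumes the fused value is a hash of one OEM public key and uses Ed25519 with SHA-256 as stand-ins for the real Boot Guard key and hash formats; the key pairs and the "bios v2" payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FusedKeyHash models the single OEM key hash burned at production; once fused
// it cannot change, so every later image must chain back to that one key.
type FusedKeyHash [sha256.Size]byte
// FirmwareImage is a simplified signed image: the signer's public key travels
// with the image, and the fused hash decides whether that key is trusted.
type FirmwareImage struct {
	SignerPub ed25519.PublicKey
	Payload   []byte
	Signature []byte
}

// FuseKey returns the hash production would burn for a given OEM public key.
func FuseKey(pub ed25519.PublicKey) FusedKeyHash { return sha256.Sum256(pub) }
// SignImage produces an image signed by whoever holds priv (OEM or customer).
func SignImage(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{
		SignerPub: priv.Public().(ed25519.PublicKey),
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
	}
}
// VerifyBoot models the early-boot check: the embedded key must hash to the
// fused value, then the payload signature must verify under that key.
func VerifyBoot(fused FusedKeyHash, img FirmwareImage) error {
	if FuseKey(img.SignerPub) != fused {
		return errors.New("signer key does not match fused key hash")
	}
	if !ed25519.Verify(img.SignerPub, img.Payload, img.Signature) {
		return errors.New("payload signature invalid")
	}
	return nil
}

func main() {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, custPriv, _ := ed25519.GenerateKey(rand.Reader)
	fused := FuseKey(oemPub) // constructed example: burned once at production
	// The OEM's update verifies; the same fuse rejects a customer-signed image.
	fmt.Println(VerifyBoot(fused, SignImage(oemPriv, []byte("bios v2"))))
	fmt.Println(VerifyBoot(fused, SignImage(custPriv, []byte("bios v2"))))
}
```

Fusing a customer key instead would make the OEM-signed image the one that fails, which is the update and returns problem the comment points out.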




There's no way to use TPM as a store for these signing keys because they are needed too early in the process?

Yes, I expect as a general solution for your customers it might be overkill, but as this is basically the cutting edge of public domain research on these topics it would be nice to know what's possible for customers who would take the risks.

Understood, I have more reading to do into how the EFI shim/flasher works.



