• uis@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      6 months ago

      Well, yes. By refusing to boot. It can’t do anything if motherboard is replaced.

          • 9tr6gyp3@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            6 months ago

            If the hardware signatures don’t match, it wont boot without giving a warning. If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

            • uis@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              6 months ago

              If the hardware signatures don’t match

              Compromised hardware will say it is same hardware

              If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

              Compromised hardware controls execution of software. Warning is done in software. Conpromised hardware won’t let it happen.

                • uis@lemm.ee
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  6 months ago

                  Compromised hardware can’t create new signatures, but it doesn’t matter because it controls execution of software and can skip any checks.

                  • 9tr6gyp3@lemmy.world
                    link
                    fedilink
                    arrow-up
                    0
                    ·
                    6 months ago

                    If the hardware is tampered, it will not pass the attestation test, which is an online component. It will fail immediately and you will be alerted. Thats the part of verified boot that makes this so much harder for adversaries. They would have to compromise both systems. The attestation system is going to be heavily guarded.