Show platform-key fingerprint when secure boot is enabled


Simon Brand <simon.brand@...>
 

Hello,

when secure boot is enabled and a custom platform-key is used, please
show the fingerprint of the platform-key in the UEFI interface and on
the POST screen.
This way a user can really verify that only their signed EFI executables
get booted/executed. (And nobody tampered with the device keys/disk)
For the POST screen, it would be nice to pause execution with a specific
key so people have time to verify the hash.

Android smartphones have had this feature for several years [0], but I am not
talking about a big yellow warning, just the hash as information.
Please keep in mind that the screenshots are not fully up-to-date; devices
have shown not only the first 8 digits but the full root of trust hash for a
few months. [1]
The reference source code is available here: [2]

Best and thanks,
Simon
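
An added example, not part of the original message or of any firmware's code: computing a platform-key fingerprint from the running OS, so there is a value to compare against whatever the firmware would display. It assumes Linux with efivarfs mounted and assumes the fingerprint is SHA-256 over the DER certificate (the message does not specify a hash); `build_sample` and its owner GUID are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification (signature type for X.509 certs).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumption: Linux efivarfs path of the PK variable (EFI global variable GUID).
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_signature_lists(data):
    """Yield (type, owner, signature_data) for every entry in chained EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16 or pos > end:
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def pk_fingerprints(efivar_bytes):
    """Return SHA-256 hex digests of the X.509 certificates in an efivarfs PK blob."""
    body = efivar_bytes[4:]  # efivarfs prepends 4 bytes of variable attributes
    return [hashlib.sha256(sig).hexdigest()
            for sig_type, _, sig in parse_signature_lists(body)
            if sig_type == EFI_CERT_X509_GUID]

def build_sample(cert):
    """Constructed efivarfs-style PK blob holding one entry (owner GUID is made up)."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")
    sig_size = 16 + len(cert)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return struct.pack("<I", 0x27) + header + owner.bytes_le + cert

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            blob = f.read()
    except OSError:  # no efivarfs or no PK enrolled: fall back to constructed data
        blob = build_sample(b"constructed placeholder, not a real certificate")
    for fp in pk_fingerprints(blob):
        print(fp)
```

A value read from the running OS is only as trustworthy as that OS, which is why the message asks for the firmware itself to display the fingerprint.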