Matthew Garrett
Re: Coreboot = dead soon? How is firmware flashing prevented?
Date: 2012-06-12 05:46 pm (UTC)
How is this done? Does the boot firmware send some kind of signal to the flash chip to lock itself until the next reboot?
It would be better if operating systems (such as Windows and Fedora) were responsible for deciding that it is lockout time on the flash chip. This would allow a user supplied operating system booted to decide what should be done.
I'm hoping you'll reply and say I've got it wrong -- that we'll be in a world where you can't flash an arbitrary firmware when running a Secure Boot version of Windows or Fedora, that those systems will be the ones checking signatures before allowing flashing. Thus the freedom to switch to coreboot will still be there for those who boot a different operating system.
Underlying assumption here: that the signature checking on new firmware is being done by either the boot firmware itself (with lockout to follow) or by operating systems (in which case we can run an operating system that doesn't do so) -- there's no weird crypto hardware like TPM being tied up in the Windows 8 certification requirements.