Matthew Garrett

It is possible to replace the keys in the Chromebook firmware and there is a script provided in Chrome OS that will do it at /usr/share/vboot/bin/make_dev_firmware.sh as well as more scripts in the verified boot source repository that will assist with generating new keys and signing kernel images.

The major inconvenience here is that the keys live in a read-only firmware region so you need to defeat the write protection first which involves opening the case. Of course devices are all slightly different in how they implement write protection -- some require removing a screw and others use a jumper -- and the specifics for each board are not documented well enough yet but that is something we can and will fix Real Soon Now.

Supporting a user-provided key in developer mode that would only boot user-signed kernels is something we hope to do for future devices, but it has not happened yet. It is certainly fair to complain that the process is rather painful right now.

It is also worth mentioning that the entire firmware stack is as open as possible so if someone is not satisfied with what is provided they can build their own. This is obviously only useful to a really small/brave set of people and, just as with replacing the keys, it means you will no longer be able to boot official Chrome OS images unless you were smart enough to back up the firmware first.

--Duncan Laurie