Hacker News

transpute, last Friday at 4:30 PM, 2 replies

Intel N150 is the first consumer Atom [1] CPU (in 15 years!) to include TXT/DRTM for measured system launch with owner-managed keys. At every system boot, this can confirm that immutable components (anything from BIOS+config to the kernel to immutable partitions) have the expected binary hash/tree.

TXT/DRTM can enable AEM (Anti Evil Maid) with Qubes, SystemGuard with Windows IoT and hopefully future support from other operating systems. It would be a valuable feature addition to Proxmox, FreeNAS and OPNsense.

Some (many?) N150 devices from Topton (China) ship without Bootguard fused, which _may_ enable coreboot to be ported to those platforms. Hopefully ODROID (Korea) will ship N150 devices. Then we could have fanless N150 devices with coreboot and DRTM for less-insecure [2] routers and storage.

[1] Gracemont (E-core): https://chipsandcheese.com/p/gracemont-revenge-of-the-atom-c... | https://youtu.be/agUwkj1qTCs (Intel Austin architect, 2021)

[2] "Xfinity using WiFi signals in your house to detect motion", 400 comments, https://news.ycombinator.com/item?id=44426726#44427986


Replies

tlamponi, yesterday at 12:33 PM

With what is currently still a somewhat hands-on approach, you can set up measured boot that measures everything from the BIOS (settings) through the kernel, the initrd, and also the kernel command line parameters.

I currently do not have time for a clear how-to, but some relevant references would be:

https://www.freedesktop.org/software/systemd/man/latest/syst...

https://www.krose.org/~krose/measured_boot

Integrating this better into Proxmox projects is definitely something I'd like to see sooner or later.
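The mechanism both comments rely on, measuring firmware config, kernel, initrd and command line into a TPM PCR and comparing the result against an expected value, as an added example that is not from the thread and not code from systemd, Proxmox, Qubes or Intel. The component names and contents, the "golden" boot and the sealing model are all constructed for illustration; a real system reads the digests from the TPM event log and the PCR values from the TPM itself.

```python
"""Simulate TPM PCR extension as used by measured boot, replay an event log,
and locate which measured component changed. Added example with constructed
sample data; not the thread's or any project's code."""
import hashlib

# A SHA-256 PCR bank starts at all-zero bytes after reset.
PCR_INIT = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: PCR_new = SHA256(PCR_old || digest).
    The chain is one-way and order-dependent, so the final value commits to
    every measured component and to the order in which they were measured."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components):
    """Measure an ordered list of (name, content_bytes) into a fresh PCR.
    Returns (final_pcr, event_log) with event_log as [(name, digest_hex)],
    mirroring what firmware and the bootloader write to the TPM event log."""
    pcr = PCR_INIT
    log = []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(event_log):
    """Recompute a PCR from the event-log digests alone. A verifier does this
    to check that a presented log is consistent with the PCR the TPM reports."""
    pcr = PCR_INIT
    for _, digest_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def changed_components(event_log, golden_log):
    """Entry-by-entry diff of two logs: names whose digest or position differs.
    This is how an operator localises which immutable component changed,
    something the bare PCR mismatch cannot tell you."""
    changed = [n for (n, d), (gn, gd) in zip(event_log, golden_log)
               if n != gn or d != gd]
    if len(event_log) != len(golden_log):
        changed.append("<event count differs>")
    return changed


def unseal(secret: bytes, sealed_pcr: bytes, current_pcr: bytes):
    """Toy model of a PCR-bound sealing policy (AEM secret, disk key enrolled
    against PCRs): the secret is released only when the PCR matches."""
    return secret if current_pcr == sealed_pcr else None


# Constructed sample boots; the contents are placeholders, not real binaries.
GOOD_BOOT = [
    ("bios-config", b"SecureBoot=1;TXT=1;BootOrder=nvme0"),
    ("kernel",      b"<constructed vmlinuz bytes>"),
    ("initrd",      b"<constructed initrd bytes>"),
    ("cmdline",     b"root=/dev/mapper/root ro quiet"),
]
# Same components, but the kernel command line has been edited.
TAMPERED_BOOT = GOOD_BOOT[:3] + [("cmdline", b"root=/dev/mapper/root ro debug")]


def demo():
    """Compare a tampered boot against the golden one; returns True if it matches."""
    golden_pcr, golden_log = measure_chain(GOOD_BOOT)
    secret = b"constructed-disk-unlock-key"

    cur_pcr, cur_log = measure_chain(TAMPERED_BOOT)
    print("log replays to reported PCR:", replay_log(cur_log) == cur_pcr)
    print("matches golden PCR:", cur_pcr == golden_pcr)
    print("changed components:", changed_components(cur_log, golden_log))
    print("secret released:", unseal(secret, golden_pcr, cur_pcr) is not None)
    return cur_pcr == golden_pcr


if __name__ == "__main__":
    demo()
```

The two checks `replay_log` and `changed_components` are the useful ones in practice: the first tells you whether the event log is trustworthy at all (it must reproduce the PCR the TPM quotes), the second turns "PCR mismatch" into "the initrd changed", which is what you need after a kernel update or BIOS settings change as much as after a suspected evil-maid visit.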

reanimus, last Friday at 8:42 PM

Where are you seeing devices without Bootguard fused? I'd be very curious to get my hands on some of those...
